dcrat | c1326173150e4e4a62a637a5f483a0d8beb26801f2f6bd720ef456c7df42557d

Analysis

max time kernel
148s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 13:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c1326173150e4e4a62a637a5f483a0d8beb26801f2f6bd720ef456c7df42557d.exe
Size

1.3MB
MD5

30d01e9d9108bc0bf1810fb5ce851585
SHA1

b663341df86b5f79e44d023c0e047f429e620db6
SHA256

c1326173150e4e4a62a637a5f483a0d8beb26801f2f6bd720ef456c7df42557d
SHA512

cc623af6c8d39f15ac29a4c02a7ab576646f83bd4989b272d647d2375b22e63ba67c8cd7946cabcf091a3441255d13cc2d24f8ba0426785071c8fd8a1589c537
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	4312	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	188	4312	schtasks.exe	70

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abee-281.dat	dcrat
behavioral1/files/0x000800000001abee-282.dat	dcrat
behavioral1/memory/2804-283-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/files/0x000700000001ac2e-670.dat	dcrat
behavioral1/files/0x000700000001ac2e-668.dat	dcrat
behavioral1/files/0x000700000001ac2e-817.dat	dcrat
behavioral1/files/0x000700000001ac2e-820.dat	dcrat
behavioral1/files/0x000700000001ac2e-826.dat	dcrat
behavioral1/files/0x000700000001ac2e-832.dat	dcrat
behavioral1/files/0x000700000001ac2e-838.dat	dcrat
behavioral1/files/0x000700000001ac2e-843.dat	dcrat
behavioral1/files/0x000700000001ac2e-848.dat	dcrat
behavioral1/files/0x000700000001ac2e-854.dat	dcrat
behavioral1/files/0x000700000001ac2e-859.dat	dcrat
behavioral1/files/0x000700000001ac2e-864.dat	dcrat
behavioral1/files/0x000700000001ac2e-869.dat	dcrat
behavioral1/files/0x000700000001ac2e-874.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
2804	DllCommonsvc.exe
636	cmd.exe
2436	cmd.exe
5036	cmd.exe
3172	cmd.exe
2300	cmd.exe
880	cmd.exe
1484	cmd.exe
4416	cmd.exe
1784	cmd.exe
432	cmd.exe
4840	cmd.exe
4872	cmd.exe
3976	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5b884080fd4f94	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\es-ES\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\es-ES\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SystemResources\Windows.UI.MiracastView\pris\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\SystemResources\Windows.UI.MiracastView\pris\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
324	schtasks.exe
4972	schtasks.exe
1648	schtasks.exe
1196	schtasks.exe
1184	schtasks.exe
308	schtasks.exe
4924	schtasks.exe
4800	schtasks.exe
380	schtasks.exe
544	schtasks.exe
4816	schtasks.exe
4460	schtasks.exe
3944	schtasks.exe
2288	schtasks.exe
4876	schtasks.exe
3844	schtasks.exe
400	schtasks.exe
1708	schtasks.exe
1600	schtasks.exe
4772	schtasks.exe
1452	schtasks.exe
4472	schtasks.exe
188	schtasks.exe
4928	schtasks.exe
4724	schtasks.exe
3676	schtasks.exe
4916	schtasks.exe
4476	schtasks.exe
1624	schtasks.exe
4340	schtasks.exe
4008	schtasks.exe
1192	schtasks.exe
1152	schtasks.exe
3992	schtasks.exe
3140	schtasks.exe
4932	schtasks.exe
4868	schtasks.exe
2796	schtasks.exe
4504	schtasks.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	c1326173150e4e4a62a637a5f483a0d8beb26801f2f6bd720ef456c7df42557d.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
2804	DllCommonsvc.exe
228	powershell.exe
228	powershell.exe
216	powershell.exe
216	powershell.exe
3276	powershell.exe
3276	powershell.exe
2268	powershell.exe
2268	powershell.exe
1760	powershell.exe
1760	powershell.exe
2204	powershell.exe
2204	powershell.exe
216	powershell.exe
3276	powershell.exe
836	powershell.exe
836	powershell.exe
2084	powershell.exe
2084	powershell.exe
2916	powershell.exe
2916	powershell.exe
2628	powershell.exe
2628	powershell.exe
3804	powershell.exe
3804	powershell.exe
3492	powershell.exe
3492	powershell.exe
5012	powershell.exe
5012	powershell.exe
3544	powershell.exe
3544	powershell.exe
3276	powershell.exe
228	powershell.exe
216	powershell.exe
5012	powershell.exe
2268	powershell.exe
1760	powershell.exe
2204	powershell.exe
836	powershell.exe
2084	powershell.exe
2628	powershell.exe
2916	powershell.exe
228	powershell.exe
228	powershell.exe
3492	powershell.exe
3804	powershell.exe
5012	powershell.exe
1760	powershell.exe
3544	powershell.exe
2268	powershell.exe
2204	powershell.exe
836	powershell.exe
2084	powershell.exe
2916	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	DllCommonsvc.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeIncreaseQuotaPrivilege	3276	powershell.exe
Token: SeSecurityPrivilege	3276	powershell.exe
Token: SeTakeOwnershipPrivilege	3276	powershell.exe
Token: SeLoadDriverPrivilege	3276	powershell.exe
Token: SeSystemProfilePrivilege	3276	powershell.exe
Token: SeSystemtimePrivilege	3276	powershell.exe
Token: SeProfSingleProcessPrivilege	3276	powershell.exe
Token: SeIncBasePriorityPrivilege	3276	powershell.exe
Token: SeCreatePagefilePrivilege	3276	powershell.exe
Token: SeBackupPrivilege	3276	powershell.exe
Token: SeRestorePrivilege	3276	powershell.exe
Token: SeShutdownPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeSystemEnvironmentPrivilege	3276	powershell.exe
Token: SeRemoteShutdownPrivilege	3276	powershell.exe
Token: SeUndockPrivilege	3276	powershell.exe
Token: SeManageVolumePrivilege	3276	powershell.exe
Token: 33	3276	powershell.exe
Token: 34	3276	powershell.exe
Token: 35	3276	powershell.exe
Token: 36	3276	powershell.exe
Token: SeIncreaseQuotaPrivilege	216	w32tm.exe
Token: SeSecurityPrivilege	216	w32tm.exe
Token: SeTakeOwnershipPrivilege	216	w32tm.exe
Token: SeLoadDriverPrivilege	216	w32tm.exe
Token: SeSystemProfilePrivilege	216	w32tm.exe
Token: SeSystemtimePrivilege	216	w32tm.exe
Token: SeProfSingleProcessPrivilege	216	w32tm.exe
Token: SeIncBasePriorityPrivilege	216	w32tm.exe
Token: SeCreatePagefilePrivilege	216	w32tm.exe
Token: SeBackupPrivilege	216	w32tm.exe
Token: SeRestorePrivilege	216	w32tm.exe
Token: SeShutdownPrivilege	216	w32tm.exe
Token: SeDebugPrivilege	216	w32tm.exe
Token: SeSystemEnvironmentPrivilege	216	w32tm.exe
Token: SeRemoteShutdownPrivilege	216	w32tm.exe
Token: SeUndockPrivilege	216	w32tm.exe
Token: SeManageVolumePrivilege	216	w32tm.exe
Token: 33	216	w32tm.exe
Token: 34	216	w32tm.exe
Token: 35	216	w32tm.exe
Token: 36	216	w32tm.exe
Token: SeIncreaseQuotaPrivilege	228	powershell.exe
Token: SeSecurityPrivilege	228	powershell.exe
Token: SeTakeOwnershipPrivilege	228	powershell.exe
Token: SeLoadDriverPrivilege	228	powershell.exe
Token: SeSystemProfilePrivilege	228	powershell.exe
Token: SeSystemtimePrivilege	228	powershell.exe
Token: SeProfSingleProcessPrivilege	228	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1484	3048	c1326173150e4e4a62a637a5f483a0d8beb26801f2f6bd720ef456c7df42557d.exe	66
PID 3048 wrote to memory of 1484	3048	c1326173150e4e4a62a637a5f483a0d8beb26801f2f6bd720ef456c7df42557d.exe	66
PID 3048 wrote to memory of 1484	3048	c1326173150e4e4a62a637a5f483a0d8beb26801f2f6bd720ef456c7df42557d.exe	66
PID 1484 wrote to memory of 4592	1484	WScript.exe	67
PID 1484 wrote to memory of 4592	1484	WScript.exe	67
PID 1484 wrote to memory of 4592	1484	WScript.exe	67
PID 4592 wrote to memory of 2804	4592	cmd.exe	69
PID 4592 wrote to memory of 2804	4592	cmd.exe	69
PID 2804 wrote to memory of 216	2804	DllCommonsvc.exe	110
PID 2804 wrote to memory of 216	2804	DllCommonsvc.exe	110
PID 2804 wrote to memory of 228	2804	DllCommonsvc.exe	114
PID 2804 wrote to memory of 228	2804	DllCommonsvc.exe	114
PID 2804 wrote to memory of 3276	2804	DllCommonsvc.exe	112
PID 2804 wrote to memory of 3276	2804	DllCommonsvc.exe	112
PID 2804 wrote to memory of 2268	2804	DllCommonsvc.exe	115
PID 2804 wrote to memory of 2268	2804	DllCommonsvc.exe	115
PID 2804 wrote to memory of 2204	2804	DllCommonsvc.exe	116
PID 2804 wrote to memory of 2204	2804	DllCommonsvc.exe	116
PID 2804 wrote to memory of 1760	2804	DllCommonsvc.exe	117
PID 2804 wrote to memory of 1760	2804	DllCommonsvc.exe	117
PID 2804 wrote to memory of 836	2804	DllCommonsvc.exe	118
PID 2804 wrote to memory of 836	2804	DllCommonsvc.exe	118
PID 2804 wrote to memory of 2084	2804	DllCommonsvc.exe	121
PID 2804 wrote to memory of 2084	2804	DllCommonsvc.exe	121
PID 2804 wrote to memory of 2916	2804	DllCommonsvc.exe	123
PID 2804 wrote to memory of 2916	2804	DllCommonsvc.exe	123
PID 2804 wrote to memory of 2628	2804	DllCommonsvc.exe	124
PID 2804 wrote to memory of 2628	2804	DllCommonsvc.exe	124
PID 2804 wrote to memory of 3804	2804	DllCommonsvc.exe	125
PID 2804 wrote to memory of 3804	2804	DllCommonsvc.exe	125
PID 2804 wrote to memory of 3492	2804	DllCommonsvc.exe	129
PID 2804 wrote to memory of 3492	2804	DllCommonsvc.exe	129
PID 2804 wrote to memory of 5012	2804	DllCommonsvc.exe	132
PID 2804 wrote to memory of 5012	2804	DllCommonsvc.exe	132
PID 2804 wrote to memory of 3544	2804	DllCommonsvc.exe	133
PID 2804 wrote to memory of 3544	2804	DllCommonsvc.exe	133
PID 2804 wrote to memory of 3180	2804	DllCommonsvc.exe	139
PID 2804 wrote to memory of 3180	2804	DllCommonsvc.exe	139
PID 3180 wrote to memory of 60	3180	cmd.exe	141
PID 3180 wrote to memory of 60	3180	cmd.exe	141
PID 3180 wrote to memory of 636	3180	cmd.exe	143
PID 3180 wrote to memory of 636	3180	cmd.exe	143
PID 636 wrote to memory of 4504	636	cmd.exe	144
PID 636 wrote to memory of 4504	636	cmd.exe	144
PID 4504 wrote to memory of 3760	4504	cmd.exe	146
PID 4504 wrote to memory of 3760	4504	cmd.exe	146
PID 4504 wrote to memory of 2436	4504	cmd.exe	147
PID 4504 wrote to memory of 2436	4504	cmd.exe	147
PID 2288 wrote to memory of 216	2288	cmd.exe	150
PID 2288 wrote to memory of 216	2288	cmd.exe	150
PID 2288 wrote to memory of 5036	2288	cmd.exe	151
PID 2288 wrote to memory of 5036	2288	cmd.exe	151
PID 5036 wrote to memory of 3320	5036	cmd.exe	152
PID 5036 wrote to memory of 3320	5036	cmd.exe	152
PID 3320 wrote to memory of 220	3320	cmd.exe	154
PID 3320 wrote to memory of 220	3320	cmd.exe	154
PID 3320 wrote to memory of 3172	3320	cmd.exe	155
PID 3320 wrote to memory of 3172	3320	cmd.exe	155
PID 3172 wrote to memory of 3900	3172	cmd.exe	156
PID 3172 wrote to memory of 3900	3172	cmd.exe	156
PID 3900 wrote to memory of 4808	3900	cmd.exe	158
PID 3900 wrote to memory of 4808	3900	cmd.exe	158
PID 3900 wrote to memory of 2300	3900	cmd.exe	159
PID 3900 wrote to memory of 2300	3900	cmd.exe	159

C:\Users\Admin\AppData\Local\Temp\c1326173150e4e4a62a637a5f483a0d8beb26801f2f6bd720ef456c7df42557d.exe
"C:\Users\Admin\AppData\Local\Temp\c1326173150e4e4a62a637a5f483a0d8beb26801f2f6bd720ef456c7df42557d.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.MiracastView\pris\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ugIVCfme7R.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:60
      - C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3760
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:220
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4808
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        15⤵
        
        PID:4264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1704
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
        17⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4444
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
        19⤵
        
        PID:4420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1408
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat"
        21⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1884
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        23⤵
        
        PID:3516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3384
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
        25⤵
        
        PID:4240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:5084
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
        27⤵
        
        PID:3780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2928
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
        29⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3260
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        31⤵
        
        PID:4344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemResources\Windows.UI.MiracastView\pris\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.MiracastView\pris\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemResources\Windows.UI.MiracastView\pris\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8bc4d58ff4d84bce04ccdc14ef854dd1

SHA1
1d3da26dfe9a1cfdc85d2cb9717d3af303c5d8bb

SHA256
d6f686891b5ab357fb796ad2459141917bdf6dea0dcb2565675d2e6c98b9897e

SHA512
11d1d1863163ac00827743a0375a77960999a038c8201f275faf1c1d4ab5a595a0ac82d287d37a76bab49727fcfa17220a86cdafd00779f01cd258a3902298fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08a6ea5bce5a6f2703b085936cbbf687

SHA1
962f84a9dfa80e9f44cea81e0a1693bd9fcc2363

SHA256
5f39a07cd802667834a2c2d000e586e05412cf11beeecea25cbced685218d55f

SHA512
208ab4ba3e77d6432d7c7f04fbedf6c9feba260783893d8998168446f684e7e47a69a96680ae016656ae40cc4bd43f85971a77d36de150b0ad4bacc436eebfe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0bdfaa14d7814b541a77f4e97920dfd6

SHA1
c239720eee47db7f7136bb78e37c539b9e735c4c

SHA256
4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272

SHA512
dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04a89304d492de4f569589d24b100178

SHA1
8965bd61fb28f1aeaf9a81695088ceb8da5f92e9

SHA256
caa7598f6f3f9ee7748c79cfbc7d743f3fec48e5c46ab9c3442b2cd5d8ffa5e6

SHA512
32fabfe0b769a4dfb0fcfb9c3960e7fef660f2cdca461aadcb08afc4619ffd3aff41d7d575a05c143a39b6a7633535b43f50513a7767451386d788c164d80133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12906e1d79adae19cc190ec41cfc08c8

SHA1
d34540be80b19521d9959556771d6bb2683adafc

SHA256
5e45ddbcb455f3f4407f314b84d7f212bed64f34a221660f1326aa8f0978aa70

SHA512
495ef1a3d1918fb9cfbb5c8c33bf1ad4b5089b5f68cf0b39a18b9058f50a8c1ae2ecbb905a8d20b152960cfdba97d15f4ea30fb9e033416e34fec20b300a629d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fee59737e6a5b927474daaf31d016b36

SHA1
45022202c1e6778b21caf2cb540a21c5ccf740c3

SHA256
074d5b5d3f3e3caac27a0f484766d874371f618c8a003345fd66d5f43a5c1c28

SHA512
d809d4799a9f0be4dec49b7a8dc2a7aa9c179713f11b45e16bc095c2ee794ef67f105b78a18351cea15f8fcb277b8aac8bb199da8bf57b97093a0ba5fd9e3f47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08de98a959768e7826449f7191650e80

SHA1
23552bd1dcec26250d9dd155dcbfaab4d6a5c8f0

SHA256
6ea7d9d22b454783ff22f3c3e903a1e7966c25448f3b5684f238ff13a7e38a61

SHA512
d6991e5e2c6f5b9eb3f489808a38590430dfdba29f7c300a85d5875d6280f03a41817d57b85335deb6399a2be7df54814191a16a887362cf1c340d400fd54993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b19d5040884c72ce327a99f37a3836de

SHA1
0736451da2923f8a46fa607765ad3e5e8ab881e8

SHA256
be64a1e2930f7abfbfb0cc2320720108a69645d7d0d9c445aa3a4929d051b2d9

SHA512
fcd31038459de556a896c5522670635825765643da70ef9237814703338efa76ce9bbdeb51c1e17542b7cdd33574be387170960d48f683a38c1c69fa87a48445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b19d5040884c72ce327a99f37a3836de

SHA1
0736451da2923f8a46fa607765ad3e5e8ab881e8

SHA256
be64a1e2930f7abfbfb0cc2320720108a69645d7d0d9c445aa3a4929d051b2d9

SHA512
fcd31038459de556a896c5522670635825765643da70ef9237814703338efa76ce9bbdeb51c1e17542b7cdd33574be387170960d48f683a38c1c69fa87a48445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b19d5040884c72ce327a99f37a3836de

SHA1
0736451da2923f8a46fa607765ad3e5e8ab881e8

SHA256
be64a1e2930f7abfbfb0cc2320720108a69645d7d0d9c445aa3a4929d051b2d9

SHA512
fcd31038459de556a896c5522670635825765643da70ef9237814703338efa76ce9bbdeb51c1e17542b7cdd33574be387170960d48f683a38c1c69fa87a48445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b19d5040884c72ce327a99f37a3836de

SHA1
0736451da2923f8a46fa607765ad3e5e8ab881e8

SHA256
be64a1e2930f7abfbfb0cc2320720108a69645d7d0d9c445aa3a4929d051b2d9

SHA512
fcd31038459de556a896c5522670635825765643da70ef9237814703338efa76ce9bbdeb51c1e17542b7cdd33574be387170960d48f683a38c1c69fa87a48445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
127e4b5994a2e258755c3f3a0ec49f84

SHA1
8fed323953e54fb35df68441b736a1ed38951e6d

SHA256
44d69d1a6b44f48e54da1a5392c71452c436382417df40ca9082cff5b063ed08

SHA512
9b87cd80bdc3567d34bab990ea2b902c3fedb0f512234b8539f7874ffb989d5cd2d9bfef8e5d3a05a3847a6b5641d685d22faecdf50abae3f3af92650612f22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b90f96ea86feee5352ee5470ccb1ed6b

SHA1
e9cff3ddc7d50cfe38eb2e1df78cd2ecc229443b

SHA256
8076250b45a70671387f7313f769bd48b0189dd02397df0280daa674c41280bc

SHA512
735ce4e914eece541007a8bfc0b2633fdbcec666c2ca32bc9534b7c863645d33c2687f4134749eb604577904b850ebee269795e97879f1dcdbf93ed07d2132c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat

Filesize
190B

MD5
cb8fb4ca11c88d677dd466307b72cf9c

SHA1
f48202af164664c4883b1b4de74630959dd790eb

SHA256
8fd0baefaaa32ab648a44285fb0bc82c5744a14569c6a58c8fa053e7a20c71ad

SHA512
bf47818895d05146b5c533c4f944fdc80898380cad8b47c246bdace8933d9246664a2af10ac73c137aa2476df4ecde3afa7c94b6569d6bacc33efd0eba441e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

Filesize
190B

MD5
c2b21a2f595ba1038d10aef996feae7e

SHA1
6a1be096b45f62dd7794f849691cb4b0227dfcd0

SHA256
e1662c7bdbb23d63eccb298a9c9fc9c784b562d8b85b4bd67eb2667f7af2b11f

SHA512
52f3c9e6642b6a2f7a7b3ff1e46c5ab7436f105b9b64c54c84778ab09ddb7c775db90874e10f790280ac1e0988811a4a92221957340357dd9f502df9ac235256

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

Filesize
190B

MD5
0d65142fb6e143e612017db2d06bba41

SHA1
4d1a7a3b942933fb920e1a02d2cc6e5836272bef

SHA256
4705ffea15a7710eb8e9dd05a2bbd87b67584d27fb9f35b07775f74f1a351e6b

SHA512
69464697d3f4cd883f7dac516720cf77b19985307259b56694da7372588247cec91bc769d0a28b9dcac513206316aa87691ffee29d6e6c299bee79dd1edd80b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

Filesize
190B

MD5
6850fa02052fcad6449d5dac1767e592

SHA1
75092e669bc4c3b07ff7db8e960deb8139dc40cd

SHA256
f5339b19ab87066f899576c5bf1917f419e48394d2e0ec120df0729048b5bc77

SHA512
943ee0f28ca34f54409e18f489b2de5d25715f4fa8dc05644cc46560c6703ae1d07f168a649eac5dfb21d719e0abb9fc1ec080ec4de12885c39c34b0d776d0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
190B

MD5
3d5f09182ea8763b8c2325b7b1ddef74

SHA1
3e3c24255d00e7b1dbbe81e5b7035b51d86e12c8

SHA256
6a323c809236cac110a983cc755d49a0f17854ec37871773b7bfab37427b85ef

SHA512
eab2e285b90e01ec51ad2c73d3700744d9b0b95a90afaa486ca3e58403a506a2893a78dfa20d7c07f90b441a3c6b9c8c03a6250460fd042a0f8bdef79cbac133

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

Filesize
190B

MD5
556e9a99472add29bc7cac11b73d78f1

SHA1
d8f3c4df59c83d9ed6bccc7da6df98c228bc4294

SHA256
660b2a96a7e4db79a426fec868907860800569bdcc962234b569df0dfe65163d

SHA512
f45018cd13bbf1c741d5f2ecdc9d1c538c116f54f420f7d6a138c4cf7f06bab25ee09e46e7f975ef72946fba7a2132d160e775cd30e33c42690a94d1f24acb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

Filesize
190B

MD5
3e93b53055fdd5be0bc00588c40a0953

SHA1
87b3ea512c95d01ae96951696e18bd9c2fc8f5a6

SHA256
8feae8653a083127d84728dcc82e565325a5728a91e4d593a12e2c865fd86e67

SHA512
e3bd2f307555ed34b7c95c96a85ef79beef7aa0952c9dfe242600befb82c093c99171b7b20fea26c83af8830cf2f606d0b5fa191216603d9b3d60e1df23b009c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
190B

MD5
b84ac5554508019d02e1702c34e16cc1

SHA1
c11761fca81cfd3ca2d8b5e25902e5fb9f6c9b79

SHA256
c91ee3e7f6aea47a6b74f92aae665475be83ec828bd469f99def561c3259399b

SHA512
d25e9208c97873318d97328af3f634c68cbb9a7876fd3ad156b93385c7f2052a39dee91ecf968368b0db54c4aaf9c03f63a126869244a951a18a5333eac4e2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
190B

MD5
aeb16f8868b42c6b81aed6a2dacf1102

SHA1
d198456ee65d1d1e2d2ff6477f2e2a99f2f65bab

SHA256
1305880e885e9f28bbb2036cf61c7f6e502797168a3529a26783c1d4183eaea8

SHA512
36c5ddbc2584fc0108da6802f0b7ea731c0c829f1447f2619da67b85c268671f0e30e9f45468feeed4327fcbca398561bb70af5f714450acba15b9056807bcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
190B

MD5
41b3a6521df98c15207c92f14e522580

SHA1
13352181ac7e29857dba22cdec70b037953cb35d

SHA256
62f8682742f77e78ee69e1c7a198bee202e199ef461f52666c0b39339f75e794

SHA512
efa552415335ed1153f8cc91e670390a5ece2410e2905c2153d2f77f93ed6c519d60afc4cee9c87520a990ac48a96ddb1587432c98482bdd9fbe086933b1f679

Download Submit
C:\Users\Admin\AppData\Local\Temp\o09MCfWrWU.bat

Filesize
190B

MD5
2c4001578a8dfa48121b092807d21a49

SHA1
a3eb1995658429affc558c949bde2b49553ef085

SHA256
25a5459e9f40877241327f3f4549ba86a8460204a022c2041a54069149cbe2b5

SHA512
a00001d60c054b7ba96d7a149cf4c0426d803ea0102b0f80cb50b7016c0d1b95ddd238acec43937e85089f3c82a583d81ee28d62cc20031816ad736e65672bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
190B

MD5
edf81159af0da956978b035db068abac

SHA1
adc4fa2f532d3ad04a4a997dea7746eb1d35be9f

SHA256
d0310752da5d8da9b14d5668e0039b61a4be5e799227793ec632c147baf45713

SHA512
99dc55c05ed5c8011162550f5af465c2c7248b6f17fc6d5ce1d3e524b42fb2a19faf908296d5daa8f510519091856463b86c63fb9b0997612ff35cd6a0173285

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugIVCfme7R.bat

Filesize
190B

MD5
70ead9f9d14a13125046b0baa3193470

SHA1
89d9bf9bed0cd75b5767021d293f9c9f07285a70

SHA256
eefdeb3464dfff5638e72b721251928c4890e3eacca97622bbf952831df4aa1f

SHA512
8ab801be8c20c9865d87d3c9f5764fe7a8cd5625ce881365bb96d9002d89ed80d4bea29f1c9714a939c94303928404e6557ae61eb14887d28b908744153866c5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/228-355-0x000001E2CABD0000-0x000001E2CABF2000-memory.dmp

Filesize
136KB

Download
memory/636-689-0x0000000001270000-0x0000000001282000-memory.dmp

Filesize
72KB

Download
memory/1484-182-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/1484-183-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/2300-833-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

Filesize
72KB

Download
memory/2804-287-0x000000001AC00000-0x000000001AC0C000-memory.dmp

Filesize
48KB

Download
memory/2804-286-0x0000000002310000-0x000000000231C000-memory.dmp

Filesize
48KB

Download
memory/2804-285-0x0000000002300000-0x000000000230C000-memory.dmp

Filesize
48KB

Download
memory/2804-284-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2804-283-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/3048-163-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-150-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-118-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-119-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-120-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-122-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-123-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-125-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-126-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-180-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-179-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-178-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-177-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-176-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-127-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-175-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-128-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-174-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-173-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-172-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-171-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-170-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-169-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-167-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-168-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-166-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-165-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-164-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-117-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-162-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-161-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-160-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-159-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-158-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-129-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-156-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-157-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-130-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-155-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-154-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-131-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-153-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-132-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-133-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-152-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-135-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-151-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-134-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-149-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-136-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-148-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-147-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-145-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-146-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-144-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-143-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-137-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-142-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-141-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-138-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-140-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-139-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3172-827-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/3276-370-0x00000206667B0000-0x0000020666826000-memory.dmp

Filesize
472KB

Download
memory/3976-875-0x0000000001600000-0x0000000001612000-memory.dmp

Filesize
72KB

Download
memory/4416-849-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download