dcrat | 1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.exe
Size

1.3MB
MD5

0ae23448e2637632c1292abba3a826f2
SHA1

e2946194bb4905118bdea828e7756b9a3f94d64f
SHA256

1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb
SHA512

9a88523bee2fd8f0cef2bf313812b5840a9a19f607ac44dfbab9a77c0c54e4b2a224ff65ab8a225669ccd49a85143e770e7a46f15f3c064d79b887010608649e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	4940	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4940	schtasks.exe

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/3776-139-0x0000000000BE0000-0x0000000000CF0000-memory.dmp	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat
C:\Windows\Setup\State\cmd.exe	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.execmd.execmd.exeDllCommonsvc.execmd.execmd.execmd.execmd.execmd.exe1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 14 IoCs

Processes:

DllCommonsvc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
3776	DllCommonsvc.exe
4964	cmd.exe
456	cmd.exe
2856	cmd.exe
2600	cmd.exe
2824	cmd.exe
2076	cmd.exe
3892	cmd.exe
3568	cmd.exe
1912	cmd.exe
4296	cmd.exe
372	cmd.exe
2360	cmd.exe
4800	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\browser\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Setup\State\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\addins\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\addins\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\addins\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Setup\State\cmd.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4196	schtasks.exe
2564	schtasks.exe
5104	schtasks.exe
3316	schtasks.exe
972	schtasks.exe
4688	schtasks.exe
1776	schtasks.exe
952	schtasks.exe
1940	schtasks.exe
1464	schtasks.exe
1960	schtasks.exe
3704	schtasks.exe
4652	schtasks.exe
1304	schtasks.exe
5044	schtasks.exe
1280	schtasks.exe
4628	schtasks.exe
1972	schtasks.exe
1252	schtasks.exe
4108	schtasks.exe
3412	schtasks.exe
1416	schtasks.exe
3732	schtasks.exe
3728	schtasks.exe
3672	schtasks.exe
3584	schtasks.exe
1448	schtasks.exe
1064	schtasks.exe
1052	schtasks.exe
4384	schtasks.exe
5000	schtasks.exe
612	schtasks.exe
4636	schtasks.exe
4740	schtasks.exe
1700	schtasks.exe
1632	schtasks.exe
4176	schtasks.exe
5080	schtasks.exe
1116	schtasks.exe

Modifies registry class 13 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.execmd.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.execmd.execmd.execmd.execmd.exe

pid	process
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3776	DllCommonsvc.exe
3716	powershell.exe
3716	powershell.exe
4616	powershell.exe
4616	powershell.exe
216	powershell.exe
216	powershell.exe
5036	powershell.exe
5036	powershell.exe
3856	powershell.exe
3856	powershell.exe
2104	powershell.exe
2104	powershell.exe
4224	powershell.exe
4224	powershell.exe
2788	powershell.exe
2788	powershell.exe
1424	powershell.exe
1424	powershell.exe
3524	powershell.exe
3524	powershell.exe
684	powershell.exe
684	powershell.exe
3152	powershell.exe
3152	powershell.exe
3400	powershell.exe
3400	powershell.exe
3208	powershell.exe
3208	powershell.exe
4964	cmd.exe
4964	cmd.exe
4616	powershell.exe
4616	powershell.exe
3716	powershell.exe
3716	powershell.exe
216	powershell.exe
216	powershell.exe
5036	powershell.exe
5036	powershell.exe
4224	powershell.exe
3856	powershell.exe
2104	powershell.exe
2788	powershell.exe
1424	powershell.exe
684	powershell.exe
3524	powershell.exe
3152	powershell.exe
3400	powershell.exe
3208	powershell.exe
456	cmd.exe
2856	cmd.exe
2600	cmd.exe
2824	cmd.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3776	DllCommonsvc.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	4964	cmd.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	456	cmd.exe
Token: SeDebugPrivilege	2856	cmd.exe
Token: SeDebugPrivilege	2600	cmd.exe
Token: SeDebugPrivilege	2824	cmd.exe
Token: SeDebugPrivilege	2076	cmd.exe
Token: SeDebugPrivilege	3892	cmd.exe
Token: SeDebugPrivilege	3568	cmd.exe
Token: SeDebugPrivilege	1912	cmd.exe
Token: SeDebugPrivilege	4296	cmd.exe
Token: SeDebugPrivilege	372	cmd.exe
Token: SeDebugPrivilege	2360	cmd.exe
Token: SeDebugPrivilege	4800	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.exeWScript.execmd.exeDllCommonsvc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3912 wrote to memory of 1572	3912	1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.exe	WScript.exe
PID 3912 wrote to memory of 1572	3912	1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.exe	WScript.exe
PID 3912 wrote to memory of 1572	3912	1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.exe	WScript.exe
PID 1572 wrote to memory of 3428	1572	WScript.exe	cmd.exe
PID 1572 wrote to memory of 3428	1572	WScript.exe	cmd.exe
PID 1572 wrote to memory of 3428	1572	WScript.exe	cmd.exe
PID 3428 wrote to memory of 3776	3428	cmd.exe	DllCommonsvc.exe
PID 3428 wrote to memory of 3776	3428	cmd.exe	DllCommonsvc.exe
PID 3776 wrote to memory of 3716	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3716	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 216	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 216	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 4616	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 4616	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 5036	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 5036	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3856	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3856	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 2104	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 2104	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 4224	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 4224	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 2788	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 2788	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 1424	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 1424	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3524	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3524	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 684	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 684	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3400	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3400	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3152	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3152	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3208	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 3208	3776	DllCommonsvc.exe	powershell.exe
PID 3776 wrote to memory of 4964	3776	DllCommonsvc.exe	cmd.exe
PID 3776 wrote to memory of 4964	3776	DllCommonsvc.exe	cmd.exe
PID 4964 wrote to memory of 1060	4964	cmd.exe	cmd.exe
PID 4964 wrote to memory of 1060	4964	cmd.exe	cmd.exe
PID 1060 wrote to memory of 2440	1060	cmd.exe	w32tm.exe
PID 1060 wrote to memory of 2440	1060	cmd.exe	w32tm.exe
PID 1060 wrote to memory of 456	1060	cmd.exe	cmd.exe
PID 1060 wrote to memory of 456	1060	cmd.exe	cmd.exe
PID 456 wrote to memory of 2456	456	cmd.exe	cmd.exe
PID 456 wrote to memory of 2456	456	cmd.exe	cmd.exe
PID 2456 wrote to memory of 2484	2456	cmd.exe	w32tm.exe
PID 2456 wrote to memory of 2484	2456	cmd.exe	w32tm.exe
PID 2456 wrote to memory of 2856	2456	cmd.exe	cmd.exe
PID 2456 wrote to memory of 2856	2456	cmd.exe	cmd.exe
PID 2856 wrote to memory of 2628	2856	cmd.exe	cmd.exe
PID 2856 wrote to memory of 2628	2856	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2648	2628	cmd.exe	w32tm.exe
PID 2628 wrote to memory of 2648	2628	cmd.exe	w32tm.exe
PID 2628 wrote to memory of 2600	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2600	2628	cmd.exe	cmd.exe
PID 2600 wrote to memory of 4396	2600	cmd.exe	cmd.exe
PID 2600 wrote to memory of 4396	2600	cmd.exe	cmd.exe
PID 4396 wrote to memory of 3592	4396	cmd.exe	w32tm.exe
PID 4396 wrote to memory of 3592	4396	cmd.exe	w32tm.exe
PID 4396 wrote to memory of 2824	4396	cmd.exe	cmd.exe
PID 4396 wrote to memory of 2824	4396	cmd.exe	cmd.exe
PID 2824 wrote to memory of 684	2824	cmd.exe	cmd.exe
PID 2824 wrote to memory of 684	2824	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.exe
"C:\Users\Admin\AppData\Local\Temp\1b40655bd0bcb99ccc658156accf448a15e35c19e20b8481adf96eeae6870ddb.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Registry.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
    - - C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2440
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2484
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2648
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3592
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        14⤵
        
        PID:684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:392
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
        16⤵
        
        PID:4688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1492
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
        18⤵
        
        PID:3604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4796
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
        20⤵
        
        PID:3200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2516
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        22⤵
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3580
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
        24⤵
        
        PID:1004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3304
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        26⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2224
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        28⤵
        
        PID:4288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4400
        
        C:\Windows\Setup\State\cmd.exe
        
        "C:\Windows\Setup\State\cmd.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Setup\State\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

Filesize
195B

MD5
2857ce683e21d41a6c203137751e2622

SHA1
ffe2422b4322ae7d9b6d76018e8d2f3b24fe6793

SHA256
26e033969cac3e8fc6316b082d30527e25abf852d56361fdb71440b50f90761b

SHA512
7d17bdd9a22e87ca46960266c359bd8cb01600a66920b76300507674ceeca2d4d30a5cd991abadb7ce61f0421261047d41a4dda5430754c104e501797e9faab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
195B

MD5
238919db507d88a99f23459d1ed4548e

SHA1
84787a333620ba2fcca0cf704a29c873d4c157ec

SHA256
9c7a1b211f41401fe861ea5be2f465f81637c8cfcd191f02a67e6d5fab51d2eb

SHA512
affc8b55ce12f65ce38f382b5bb3bf5b7e23b3f52bc67e1caebc2c77260ba1a1f383687ff426be2f8eaf7c1347ad3a156c18648c307531ae895d0cb43f6f6ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat

Filesize
195B

MD5
20d1b3de7a752423d14bc99bde9a645b

SHA1
97608c99568ab8b9e2d295636bd0ca2dd899b0cc

SHA256
ebaad35ae9eeca5e107664dff0acc382ed1d6a39a879605e16d2fa25d87e9fbb

SHA512
0897ba9d77a1cf7613977152486bdf8ec39fc9df625bb2325773ab2ec9dcc7ced755ec9133e514df4467400f690e293b5f4f248bb99937dca761a6d91b820628

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

Filesize
195B

MD5
68e56a701da2b64f200090c65e1c9945

SHA1
f1ed9275a8668ef27ab71acf7631920ce6332c92

SHA256
e299b0d897c5d34ce845a77f637f1a4ac5e8f6943909ff6441ad0b8012206dac

SHA512
7fd54d61a4229e2c28b6c83d2ec8e9dc960a9682073b57f999fa89968a53360322b40a703299d678f873c817f4b64c7720e649f5294cb777b865baa5bc7945f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

Filesize
195B

MD5
68e56a701da2b64f200090c65e1c9945

SHA1
f1ed9275a8668ef27ab71acf7631920ce6332c92

SHA256
e299b0d897c5d34ce845a77f637f1a4ac5e8f6943909ff6441ad0b8012206dac

SHA512
7fd54d61a4229e2c28b6c83d2ec8e9dc960a9682073b57f999fa89968a53360322b40a703299d678f873c817f4b64c7720e649f5294cb777b865baa5bc7945f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

Filesize
195B

MD5
db5b0278401a5213a2b21e64a3a68310

SHA1
9a19c42c44775e71c4ece202126eb680e17987c6

SHA256
0098d66e8cd987c04124658860045baa7e6c3604e315a34180024dcc3de27a71

SHA512
187dd757354ab134d90f29a55090af9f1cd2d5e50622f618c8624b32ad4cdcce008574d0024c82520373a1163e8075271becdf438cbff9a0a89c6820c40d03c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

Filesize
195B

MD5
e9427e6bdfb14911ee3b3fe1661dffde

SHA1
5cdcd306ce81ab4522de5bea9f072f7ce837f033

SHA256
bac79bba58c3b0a202c4e2e1fe4c561b2cf9bea7ab8b217d08a275590bcfd44b

SHA512
b7dbe679b12f0f2c65db93cf177ade7df50475758aa3b753abea9d03cbcfae91915e86d8c54c139b705c2f6637276f2fa3f85e39864b6c95daa72c01459fd4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat

Filesize
195B

MD5
b6fc98686cb3c14f236588394a739a55

SHA1
74a3e316387300f1cf6863bda4d8a864f4639d47

SHA256
a1827c8ab9a82a1eca97d42546ed8a7ea0b56edea7fedbd719f4c571fa49d6d3

SHA512
70f5637468a509aba77d155cbab2b699785a15f9191ac0f591fda265aa0bbbf789545937d488dbb206aded05b8dc1519819d118ad1f05736bc4954eb76c32495

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
195B

MD5
5adead9c265e554a2b0f6a3b28af48ad

SHA1
64823f86952ae1f1659393c7029e2ed65203fd4a

SHA256
c08db242088f080684d0a1586614c85991b0d3f140e307c0e13bb3e08c6f7f65

SHA512
eb2a771c5dcd5bb7a8e3882360380a38566bb06d23c3a38d70241da8b50ded18a4fba1812b06f9dcb1efba75c1a1515c2d972303afa8c02d3f777d8e47a6a114

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
195B

MD5
6346bc28372d9fbe0302a705cfcb1acd

SHA1
918299a33aa385a16e287e5a3f23b582b4e2a31e

SHA256
5a3c1375d3ad0131cdf109defcd4e9b0e459bc92e6642e0711b1e10e150ae666

SHA512
4679b145d064b1bc82f55ef3efc275ce28bb075b84d4c9fb763ee2a7cfaf34f37d7b3c19033204e8797607810d19c4a18db8f3ca80edbee53a2f020b82e479d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
195B

MD5
5e13608594f546a9af748efec67edf87

SHA1
7166ff154fb12676f5544e13e4b31a3ce716f346

SHA256
49c1adee65dd5755192d37fcdfd1caa85f9c9a0567adf31e5290872583cf72ab

SHA512
8e2cc72f5d5f8337e2165261e279c14f61ee0043c939c4649a3fa33f7eaeaa6850f051ca416f08bd4410183bb20e5ac1ce30a78be8214b20df35fab753ec090b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
195B

MD5
17f0590c01e10f74373edaea557ef642

SHA1
a5d78fc77fd91aab53a1817f420d3b5a282201f7

SHA256
4121e18a3286a43c565bdfaec4db1fc253fe855fc1164ba6a0dbab14f7b575ff

SHA512
f3bb64267c607f364d5491f4c19707e96de4ed5b5b707f4e0db7f2d3f1c1d72a79b61032458eb601c631fbffca2cbc8caf2b71cbb5108c09ba78359c1cb2a34c

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Setup\State\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/216-170-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/216-180-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/216-142-0x0000000000000000-mapping.dmp

Download
memory/372-277-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/372-271-0x0000000000000000-mapping.dmp

Download
memory/372-273-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/392-234-0x0000000000000000-mapping.dmp

Download
memory/456-210-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/456-207-0x0000000000000000-mapping.dmp

Download
memory/456-214-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/684-198-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/684-232-0x0000000000000000-mapping.dmp

Download
memory/684-173-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/684-152-0x0000000000000000-mapping.dmp

Download
memory/1004-267-0x0000000000000000-mapping.dmp

Download
memory/1060-203-0x0000000000000000-mapping.dmp

Download
memory/1424-199-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/1424-149-0x0000000000000000-mapping.dmp

Download
memory/1424-165-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/1492-241-0x0000000000000000-mapping.dmp

Download
memory/1564-260-0x0000000000000000-mapping.dmp

Download
memory/1572-132-0x0000000000000000-mapping.dmp

Download
memory/1788-274-0x0000000000000000-mapping.dmp

Download
memory/1912-259-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/1912-263-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/1912-257-0x0000000000000000-mapping.dmp

Download
memory/2076-242-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2076-236-0x0000000000000000-mapping.dmp

Download
memory/2076-238-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2104-171-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2104-146-0x0000000000000000-mapping.dmp

Download
memory/2104-181-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2224-276-0x0000000000000000-mapping.dmp

Download
memory/2360-278-0x0000000000000000-mapping.dmp

Download
memory/2360-280-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2360-284-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2440-205-0x0000000000000000-mapping.dmp

Download
memory/2456-211-0x0000000000000000-mapping.dmp

Download
memory/2484-213-0x0000000000000000-mapping.dmp

Download
memory/2516-255-0x0000000000000000-mapping.dmp

Download
memory/2600-228-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2600-222-0x0000000000000000-mapping.dmp

Download
memory/2600-224-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2628-218-0x0000000000000000-mapping.dmp

Download
memory/2648-220-0x0000000000000000-mapping.dmp

Download
memory/2788-148-0x0000000000000000-mapping.dmp

Download
memory/2788-191-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2788-172-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2824-235-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2824-231-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2824-229-0x0000000000000000-mapping.dmp

Download
memory/2856-215-0x0000000000000000-mapping.dmp

Download
memory/2856-221-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/2856-217-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3152-154-0x0000000000000000-mapping.dmp

Download
memory/3152-195-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3152-167-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3200-253-0x0000000000000000-mapping.dmp

Download
memory/3208-202-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3208-174-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3208-156-0x0000000000000000-mapping.dmp

Download
memory/3304-269-0x0000000000000000-mapping.dmp

Download
memory/3400-200-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3400-153-0x0000000000000000-mapping.dmp

Download
memory/3400-168-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3428-135-0x0000000000000000-mapping.dmp

Download
memory/3524-166-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3524-194-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3524-150-0x0000000000000000-mapping.dmp

Download
memory/3568-250-0x0000000000000000-mapping.dmp

Download
memory/3568-256-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3568-252-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3580-262-0x0000000000000000-mapping.dmp

Download
memory/3592-227-0x0000000000000000-mapping.dmp

Download
memory/3604-246-0x0000000000000000-mapping.dmp

Download
memory/3716-141-0x0000000000000000-mapping.dmp

Download
memory/3716-159-0x00000183A6B90000-0x00000183A6BB2000-memory.dmp

Filesize
136KB

Download
memory/3716-151-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3716-182-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3776-139-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

Filesize
1.1MB

Download
memory/3776-136-0x0000000000000000-mapping.dmp

Download
memory/3776-164-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3776-140-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3856-160-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3856-192-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3856-145-0x0000000000000000-mapping.dmp

Download
memory/3892-245-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/3892-243-0x0000000000000000-mapping.dmp

Download
memory/3892-249-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/4224-163-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/4224-147-0x0000000000000000-mapping.dmp

Download
memory/4224-187-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/4288-281-0x0000000000000000-mapping.dmp

Download
memory/4296-266-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/4296-270-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/4296-264-0x0000000000000000-mapping.dmp

Download
memory/4396-225-0x0000000000000000-mapping.dmp

Download
memory/4400-283-0x0000000000000000-mapping.dmp

Download
memory/4616-175-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/4616-143-0x0000000000000000-mapping.dmp

Download
memory/4616-155-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/4688-239-0x0000000000000000-mapping.dmp

Download
memory/4796-248-0x0000000000000000-mapping.dmp

Download
memory/4800-285-0x0000000000000000-mapping.dmp

Download
memory/4800-287-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/4964-206-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/4964-158-0x0000000000000000-mapping.dmp

Download
memory/4964-169-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/5036-157-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/5036-189-0x00007FF91D2B0000-0x00007FF91DD71000-memory.dmp

Filesize
10.8MB

Download
memory/5036-144-0x0000000000000000-mapping.dmp

Download