dcrat | 805aff8901075736cb04f150982ee6708eeaf6ed8698d15f1a311b24b461e14c

Analysis

max time kernel
146s
max time network
144s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
31-10-2022 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

805aff8901075736cb04f150982ee6708eeaf6ed8698d15f1a311b24b461e14c.exe
Size

1.3MB
MD5

ccece2eca1c6a29fcc01979812598afe
SHA1

629cafe4359208bb36dea2e88ffc5665dc765a21
SHA256

805aff8901075736cb04f150982ee6708eeaf6ed8698d15f1a311b24b461e14c
SHA512

0d62b5f79fd1ad8a4013ea2e73d8e44ed22b4b536ff9cc48bb7d8a46bf810d65e19b2520cfc3dce9a5c6c91a4d1b00a637b0c42134b3bcf3f2436c3106145afb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	4676	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4676	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abbf-284.dat	dcrat
behavioral1/files/0x000800000001abbf-285.dat	dcrat
behavioral1/memory/2272-286-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/files/0x000600000001abca-343.dat	dcrat
behavioral1/files/0x000600000001abca-344.dat	dcrat
behavioral1/files/0x000600000001abca-789.dat	dcrat
behavioral1/files/0x000600000001abca-796.dat	dcrat
behavioral1/files/0x000600000001abca-801.dat	dcrat
behavioral1/files/0x000600000001abca-806.dat	dcrat
behavioral1/files/0x000600000001abca-812.dat	dcrat
behavioral1/files/0x000600000001abca-817.dat	dcrat
behavioral1/files/0x000600000001abca-822.dat	dcrat
behavioral1/files/0x000600000001abca-828.dat	dcrat
behavioral1/files/0x000600000001abca-834.dat	dcrat
behavioral1/files/0x000600000001abca-840.dat	dcrat
behavioral1/files/0x000600000001abca-846.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
2272	DllCommonsvc.exe
4472	OfficeClickToRun.exe
2664	OfficeClickToRun.exe
4264	OfficeClickToRun.exe
4776	OfficeClickToRun.exe
1936	OfficeClickToRun.exe
3328	OfficeClickToRun.exe
1436	OfficeClickToRun.exe
3064	OfficeClickToRun.exe
4908	OfficeClickToRun.exe
712	OfficeClickToRun.exe
4408	OfficeClickToRun.exe
3496	OfficeClickToRun.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Resources\de-DE\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4748	schtasks.exe
420	schtasks.exe
4696	schtasks.exe
4712	schtasks.exe
2644	schtasks.exe
3976	schtasks.exe
3196	schtasks.exe
2624	schtasks.exe
4668	schtasks.exe
4384	schtasks.exe
4736	schtasks.exe
4608	schtasks.exe
4300	schtasks.exe
2168	schtasks.exe
884	schtasks.exe
3488	schtasks.exe
4524	schtasks.exe
2100	schtasks.exe
3800	schtasks.exe
3740	schtasks.exe
4664	schtasks.exe
5064	schtasks.exe
4680	schtasks.exe
3084	schtasks.exe
1608	schtasks.exe
1676	schtasks.exe
1848	schtasks.exe
2440	schtasks.exe
1796	schtasks.exe
1904	schtasks.exe
2700	schtasks.exe
668	schtasks.exe
4952	schtasks.exe
2748	schtasks.exe
4584	schtasks.exe
4596	schtasks.exe
2248	schtasks.exe
1852	schtasks.exe
748	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	805aff8901075736cb04f150982ee6708eeaf6ed8698d15f1a311b24b461e14c.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
2272	DllCommonsvc.exe
220	powershell.exe
220	powershell.exe
192	powershell.exe
192	powershell.exe
240	powershell.exe
240	powershell.exe
4940	powershell.exe
4940	powershell.exe
4740	powershell.exe
4740	powershell.exe
2736	powershell.exe
2736	powershell.exe
4396	powershell.exe
4396	powershell.exe
2852	powershell.exe
2852	powershell.exe
4396	powershell.exe
3804	powershell.exe
3804	powershell.exe
2632	powershell.exe
2632	powershell.exe
4868	powershell.exe
4868	powershell.exe
2332	powershell.exe
2332	powershell.exe
4336	powershell.exe
4336	powershell.exe
4512	powershell.exe
4512	powershell.exe
4396	powershell.exe
4472	OfficeClickToRun.exe
4472	OfficeClickToRun.exe
2632	powershell.exe
4868	powershell.exe
2332	powershell.exe
220	powershell.exe
192	powershell.exe
240	powershell.exe
2632	powershell.exe
4940	powershell.exe
4740	powershell.exe
4512	powershell.exe
4868	powershell.exe
2736	powershell.exe
2852	powershell.exe
3804	powershell.exe
2332	powershell.exe
4336	powershell.exe
220	powershell.exe
220	powershell.exe
240	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	DllCommonsvc.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	192	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4472	OfficeClickToRun.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeIncreaseQuotaPrivilege	4396	powershell.exe
Token: SeSecurityPrivilege	4396	powershell.exe
Token: SeTakeOwnershipPrivilege	4396	powershell.exe
Token: SeLoadDriverPrivilege	4396	powershell.exe
Token: SeSystemProfilePrivilege	4396	powershell.exe
Token: SeSystemtimePrivilege	4396	powershell.exe
Token: SeProfSingleProcessPrivilege	4396	powershell.exe
Token: SeIncBasePriorityPrivilege	4396	powershell.exe
Token: SeCreatePagefilePrivilege	4396	powershell.exe
Token: SeBackupPrivilege	4396	powershell.exe
Token: SeRestorePrivilege	4396	powershell.exe
Token: SeShutdownPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeSystemEnvironmentPrivilege	4396	powershell.exe
Token: SeRemoteShutdownPrivilege	4396	powershell.exe
Token: SeUndockPrivilege	4396	powershell.exe
Token: SeManageVolumePrivilege	4396	powershell.exe
Token: 33	4396	powershell.exe
Token: 34	4396	powershell.exe
Token: 35	4396	powershell.exe
Token: 36	4396	powershell.exe
Token: SeIncreaseQuotaPrivilege	2632	powershell.exe
Token: SeSecurityPrivilege	2632	powershell.exe
Token: SeTakeOwnershipPrivilege	2632	powershell.exe
Token: SeLoadDriverPrivilege	2632	powershell.exe
Token: SeSystemProfilePrivilege	2632	powershell.exe
Token: SeSystemtimePrivilege	2632	powershell.exe
Token: SeProfSingleProcessPrivilege	2632	powershell.exe
Token: SeIncBasePriorityPrivilege	2632	powershell.exe
Token: SeCreatePagefilePrivilege	2632	powershell.exe
Token: SeBackupPrivilege	2632	powershell.exe
Token: SeRestorePrivilege	2632	powershell.exe
Token: SeShutdownPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeSystemEnvironmentPrivilege	2632	powershell.exe
Token: SeRemoteShutdownPrivilege	2632	powershell.exe
Token: SeUndockPrivilege	2632	powershell.exe
Token: SeManageVolumePrivilege	2632	powershell.exe
Token: 33	2632	powershell.exe
Token: 34	2632	powershell.exe
Token: 35	2632	powershell.exe
Token: 36	2632	powershell.exe
Token: SeIncreaseQuotaPrivilege	4868	powershell.exe
Token: SeSecurityPrivilege	4868	powershell.exe
Token: SeTakeOwnershipPrivilege	4868	powershell.exe
Token: SeLoadDriverPrivilege	4868	powershell.exe
Token: SeSystemProfilePrivilege	4868	powershell.exe
Token: SeSystemtimePrivilege	4868	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 5116	2172	805aff8901075736cb04f150982ee6708eeaf6ed8698d15f1a311b24b461e14c.exe	66
PID 2172 wrote to memory of 5116	2172	805aff8901075736cb04f150982ee6708eeaf6ed8698d15f1a311b24b461e14c.exe	66
PID 2172 wrote to memory of 5116	2172	805aff8901075736cb04f150982ee6708eeaf6ed8698d15f1a311b24b461e14c.exe	66
PID 5116 wrote to memory of 4172	5116	WScript.exe	67
PID 5116 wrote to memory of 4172	5116	WScript.exe	67
PID 5116 wrote to memory of 4172	5116	WScript.exe	67
PID 4172 wrote to memory of 2272	4172	cmd.exe	69
PID 4172 wrote to memory of 2272	4172	cmd.exe	69
PID 2272 wrote to memory of 192	2272	DllCommonsvc.exe	110
PID 2272 wrote to memory of 192	2272	DllCommonsvc.exe	110
PID 2272 wrote to memory of 220	2272	DllCommonsvc.exe	114
PID 2272 wrote to memory of 220	2272	DllCommonsvc.exe	114
PID 2272 wrote to memory of 240	2272	DllCommonsvc.exe	113
PID 2272 wrote to memory of 240	2272	DllCommonsvc.exe	113
PID 2272 wrote to memory of 4940	2272	DllCommonsvc.exe	115
PID 2272 wrote to memory of 4940	2272	DllCommonsvc.exe	115
PID 2272 wrote to memory of 4396	2272	DllCommonsvc.exe	116
PID 2272 wrote to memory of 4396	2272	DllCommonsvc.exe	116
PID 2272 wrote to memory of 2736	2272	DllCommonsvc.exe	119
PID 2272 wrote to memory of 2736	2272	DllCommonsvc.exe	119
PID 2272 wrote to memory of 4740	2272	DllCommonsvc.exe	118
PID 2272 wrote to memory of 4740	2272	DllCommonsvc.exe	118
PID 2272 wrote to memory of 4512	2272	DllCommonsvc.exe	122
PID 2272 wrote to memory of 4512	2272	DllCommonsvc.exe	122
PID 2272 wrote to memory of 2852	2272	DllCommonsvc.exe	123
PID 2272 wrote to memory of 2852	2272	DllCommonsvc.exe	123
PID 2272 wrote to memory of 3804	2272	DllCommonsvc.exe	124
PID 2272 wrote to memory of 3804	2272	DllCommonsvc.exe	124
PID 2272 wrote to memory of 2632	2272	DllCommonsvc.exe	127
PID 2272 wrote to memory of 2632	2272	DllCommonsvc.exe	127
PID 2272 wrote to memory of 4868	2272	DllCommonsvc.exe	125
PID 2272 wrote to memory of 4868	2272	DllCommonsvc.exe	125
PID 2272 wrote to memory of 2332	2272	DllCommonsvc.exe	132
PID 2272 wrote to memory of 2332	2272	DllCommonsvc.exe	132
PID 2272 wrote to memory of 4336	2272	DllCommonsvc.exe	133
PID 2272 wrote to memory of 4336	2272	DllCommonsvc.exe	133
PID 2272 wrote to memory of 4472	2272	DllCommonsvc.exe	136
PID 2272 wrote to memory of 4472	2272	DllCommonsvc.exe	136
PID 4472 wrote to memory of 4476	4472	OfficeClickToRun.exe	140
PID 4472 wrote to memory of 4476	4472	OfficeClickToRun.exe	140
PID 4476 wrote to memory of 4920	4476	cmd.exe	142
PID 4476 wrote to memory of 4920	4476	cmd.exe	142
PID 4476 wrote to memory of 2664	4476	cmd.exe	143
PID 4476 wrote to memory of 2664	4476	cmd.exe	143
PID 2664 wrote to memory of 2192	2664	OfficeClickToRun.exe	144
PID 2664 wrote to memory of 2192	2664	OfficeClickToRun.exe	144
PID 2192 wrote to memory of 1860	2192	cmd.exe	146
PID 2192 wrote to memory of 1860	2192	cmd.exe	146
PID 2192 wrote to memory of 4264	2192	cmd.exe	147
PID 2192 wrote to memory of 4264	2192	cmd.exe	147
PID 4264 wrote to memory of 1848	4264	OfficeClickToRun.exe	148
PID 4264 wrote to memory of 1848	4264	OfficeClickToRun.exe	148
PID 1848 wrote to memory of 1852	1848	cmd.exe	150
PID 1848 wrote to memory of 1852	1848	cmd.exe	150
PID 1848 wrote to memory of 4776	1848	cmd.exe	151
PID 1848 wrote to memory of 4776	1848	cmd.exe	151
PID 4776 wrote to memory of 2104	4776	OfficeClickToRun.exe	152
PID 4776 wrote to memory of 2104	4776	OfficeClickToRun.exe	152
PID 2104 wrote to memory of 4956	2104	cmd.exe	154
PID 2104 wrote to memory of 4956	2104	cmd.exe	154
PID 2104 wrote to memory of 1936	2104	cmd.exe	155
PID 2104 wrote to memory of 1936	2104	cmd.exe	155
PID 1936 wrote to memory of 3276	1936	OfficeClickToRun.exe	156
PID 1936 wrote to memory of 3276	1936	OfficeClickToRun.exe	156

C:\Users\Admin\AppData\Local\Temp\805aff8901075736cb04f150982ee6708eeaf6ed8698d15f1a311b24b461e14c.exe
"C:\Users\Admin\AppData\Local\Temp\805aff8901075736cb04f150982ee6708eeaf6ed8698d15f1a311b24b461e14c.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
    - - C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4920
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1860
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1852
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4956
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        14⤵
        
        PID:3276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1232
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
        16⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4268
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        18⤵
        
        PID:4736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4940
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        20⤵
        
        PID:3916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2140
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        22⤵
        
        PID:5108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3192
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        24⤵
        
        PID:4236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3384
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        26⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4816
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        27⤵
        Executes dropped EXE
        
        PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06c42e5c6ac2b71598efa1e003905d26

SHA1
a5d00460afa13658b8f06b173362eeaf8b95d7ff

SHA256
3834246db880420bfff4d390050ba217e0c6a69743bfc0803f746fc822e6ffa1

SHA512
42d4c3c5dbba60cce1ae6bc127511680092032378b748791f437580228684f0828ba56a277c2b9aed635bd5e9f9909aa455cbde60959c5396b5c777bcedf569e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
344c10f5306252f4a86916587418ef49

SHA1
fd057d43a3e15e332872e178b09470e2be9d0c60

SHA256
0b8ba54d1960c24723ff13206ba9f40c5f17f7a6833db31b6e143cccf3f4a23e

SHA512
1ab0efd39b82a83803603d838f4356544ab28a618a18780a6c925c29345581fecc705b6664bce028c192d99e307dd385d264773b19e0b5b5751f2bbcbd2d38cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
615366b71938fa7b06eb3369082dfd4a

SHA1
9c6b96ce69468ca484c7a4e2eefe069dbac26aaf

SHA256
b60c19a4ff426a371f9cfa62d7d2ab126701b6e281f0306edcce96982a91045e

SHA512
a9af478775e3696ef34a23570bc5b63b6e2cdc5e35f13760db0232d84972240675363a04723fcf3f0f0243a7a02bac8a965fefc58a7fe73f191ad99070e28917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71241cb63397769f300f6a8045d6b04f

SHA1
e1854560548ddcd6e96ed919a7077a89b632ad6b

SHA256
4e2a352652262bbe86e17a8edf16e0b903fdd67f3ea4043156b25c45aa434c1d

SHA512
b8322cc252114dbfedb31c1af36566cd91b5c76fa62a65ca68f65aea1ab585629fb68d3381a8120824d6fca2eb56771478e8d7c15bb8e88b0cc54a4a089631b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e66ab7aba9e194e566a2ff05b876244

SHA1
72da61e2f4709b4f6dee9adb77c1b6b597b895a9

SHA256
1215fd17a0461b50394c38d497ccf1ce0dc43f3eed5e5e9cd8104966614a9f9c

SHA512
826826c0b00133ab688e551e33158310f7ddeaaa6b2a2e281807dc094e1fc5543736cd73e6cd7e02af0f0c04847bede66caa31104da8cba144ea9ded4ab9ad57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c8f747efb2dad50de596bd41365dcc5

SHA1
16834c463e83171328b17112443cf76242f763d1

SHA256
6f3bc4ab4f153c8102d2db188efe123bc0e8ccf8cb4fdd2d59434ca14672978f

SHA512
397ca15f5ec8a2ac0b28348faabcebc51c4069a1e032c87150c82ca62c8d09a61ac56cd4ae831ab59c8452efb2eacd44cd8d913554f547e736729b9a3dab01ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c8f747efb2dad50de596bd41365dcc5

SHA1
16834c463e83171328b17112443cf76242f763d1

SHA256
6f3bc4ab4f153c8102d2db188efe123bc0e8ccf8cb4fdd2d59434ca14672978f

SHA512
397ca15f5ec8a2ac0b28348faabcebc51c4069a1e032c87150c82ca62c8d09a61ac56cd4ae831ab59c8452efb2eacd44cd8d913554f547e736729b9a3dab01ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4789fea14e64563d32b046b94f2a6031

SHA1
c4d32360c48a634ceb1e75d7b3352550d11ffc5a

SHA256
e5e2bb15bfc99485ac37e2353db0a002ae5030d236aa592e967de7d5af92c6e8

SHA512
e5b355b564e51496b07c9953af7031b04fa511ba27a24c4af286db2fd65ab86b2a932baa56063b4b7a3e59d88e05fba5728d31245247d6b29481462362aba891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4789fea14e64563d32b046b94f2a6031

SHA1
c4d32360c48a634ceb1e75d7b3352550d11ffc5a

SHA256
e5e2bb15bfc99485ac37e2353db0a002ae5030d236aa592e967de7d5af92c6e8

SHA512
e5b355b564e51496b07c9953af7031b04fa511ba27a24c4af286db2fd65ab86b2a932baa56063b4b7a3e59d88e05fba5728d31245247d6b29481462362aba891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec9c066dc8a26c050a1f150b0f135842

SHA1
b0f20ed64350e45cfaed25a79349e83101f168fd

SHA256
5efc654198ce6ff96ba4d1fa97dd6268827ce544ab2df5365868a487bcb98d75

SHA512
c4f1407855567db08120b03aae02143536963f616e96a761af4b2fe9f9661aaefeae6ab6600b63912989bd672617ec3ebdd3bf551d3682c132959750122449ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06d26a69afd65931913bce408c46ce5f

SHA1
9e84f5da3976713f2827f491420332c53a68e561

SHA256
5d7460334fc82c95888086ea17c2e08b08c3232644b7b81217828bb29db637bb

SHA512
c5daba63568c4b81eb6b934ff99d3b4fa6ec1f2283a70eb225bcaff13eb6a82a57d816bed1cb15a9340559bd1abb044577d61267188d7fe268c789353061ca1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
207B

MD5
3a5cbcf365e013455db71afd10c2b8b2

SHA1
59fbea8020eb966f7bd069ea799e30312ff639ae

SHA256
a7f3e093452aee71b154aa68cbb7cde841ca5afcf277c9377e01d0754ab6114d

SHA512
1bf6b4e9918be1020bef65a129d97a2b36ecadaee602547e3ba6c4c934fca3e3efe8eb3d35e41e4e13cc85f525ba15d9f8046b1dca9df2755a6a0b18448a0213

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat

Filesize
207B

MD5
241e7887597b8e088f5e0a1fea0001fb

SHA1
faf4ab0a57ddc524b61c930772dfb9525e984151

SHA256
8643ab9cdc857275d698ad28ab70b61ca4387a11a7586f660d48af37f67f8b71

SHA512
c377a35649e27f6082174c6e0671e6c181f20cacf11afbba0ebbc612bc90b919996025e841130c33851be0dd8fdc7b89c5faf7a19e10f15f9bbe2541b7119add

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
207B

MD5
4a967106641fab798c52dbc2116df25b

SHA1
ff1c49b57b8efdd4aaf13fca39d50a6d8b161be8

SHA256
e492c028621f4a199d151f391fe4b4949555e29891c24db003a3a1de6e0a868a

SHA512
2af09d91900f46ef5b3865b296dbdd3acd63ccdf8a4fa0b27074597a4c5c83c4406997b95dea864151fdb3fc896804d4110cf029a62589c049ddbfe3e34a3caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
207B

MD5
d7d13dcfb07738312bc059a5aa40f60a

SHA1
b4c2d8a30e5fd9f0cba3e30f34ef1fa611fe8a4b

SHA256
ef8b6a50f7d8224f4401042d0d1d8bf6b8f561d4048630fa553ed1f1acab593b

SHA512
303bb483dea6200e0dc63127397312c5f1c4a5605725ce68ade84c60818dea3aa7bc913e7829528bd4852c114759227b3dc36ff83902febb2f3cdd918a45fee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

Filesize
207B

MD5
eaf69f874359dde970242c5f2004c6c9

SHA1
5c09e1a1cbcc8656b3948659670134174f76a354

SHA256
d7b80e86c2b8c7e69ace125a44f424eb8e727f76bd41612e1a73354e008dfd96

SHA512
e6c5f001bc084458ba7420d43f0cdbf8d2444a6ee451726c0b7812800819de5696527091d757980c7f0e0e23fdeed6f048ad994d4ddf7d5b441f4b548557e79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat

Filesize
207B

MD5
720007a6412b58bb14099d8407f00803

SHA1
5d76e2c7a52c7536db97a1e423a06c2e84939648

SHA256
59ec44c8318ecd1fb50f56ee76bf9e5458b8f10912f44a181c57d36805b89a8b

SHA512
77cb0c77e7c1b32b76a957e6e55af3e139fcdaf2832c344e2ad341b749a05dfc5fdd06f029306357ba4b01db7fbe86c6539d0b14a384bcbe9d2b1852809afa71

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat

Filesize
207B

MD5
720007a6412b58bb14099d8407f00803

SHA1
5d76e2c7a52c7536db97a1e423a06c2e84939648

SHA256
59ec44c8318ecd1fb50f56ee76bf9e5458b8f10912f44a181c57d36805b89a8b

SHA512
77cb0c77e7c1b32b76a957e6e55af3e139fcdaf2832c344e2ad341b749a05dfc5fdd06f029306357ba4b01db7fbe86c6539d0b14a384bcbe9d2b1852809afa71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
207B

MD5
841abe8c32af78e756785bb678e16c86

SHA1
0f7ec42c6b26061bd11ee158bc9bf9650148fdd6

SHA256
77882fdabe6aafddfc0ff7517cca5afafd24954cf0da4360c2cf766fefbd25c0

SHA512
e54751fcd41d6230daaefa89cef7176b0b57a8d672c9cc58079510c69d1e97d82870d093ef72f1b0417785cfcfab3fd230f64105092c911c820ccd71bc4ea54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
207B

MD5
841abe8c32af78e756785bb678e16c86

SHA1
0f7ec42c6b26061bd11ee158bc9bf9650148fdd6

SHA256
77882fdabe6aafddfc0ff7517cca5afafd24954cf0da4360c2cf766fefbd25c0

SHA512
e54751fcd41d6230daaefa89cef7176b0b57a8d672c9cc58079510c69d1e97d82870d093ef72f1b0417785cfcfab3fd230f64105092c911c820ccd71bc4ea54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
207B

MD5
bdd23c0a9e3e88beeb3f825dac3e66d9

SHA1
3a93118e41e34bb86d605e6bae9c9ac0c8f8d1a5

SHA256
61e598ea1c428740b7c1bcd401f1399b191f4ea96a17b7b9ecf997e7611258fb

SHA512
0357ff3ab4fdcd259f5311532b2206d14528d1ce51b06e3873dc21c3c18408232001bd0cb9cdc46521fa7ade2b6b615cf162fd415a1c11e84c3df1330b825140

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
207B

MD5
2e75f44ea5824852c87d5b0b83e8c2c9

SHA1
c5c8b3ae4e7febbed85fed84d122cba600506132

SHA256
342544f0f0aba384c80d90362917de46811d4e0812c6d6e5b75c59a499d171df

SHA512
65514bbd9af2703bb06e2f16a252f5c222e4786bc887d8bd58007334f01ad1202815a289b2f465014c2748e6081ec00de7ff259e147d8506a7875bb98e8e42f1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/712-835-0x0000000001110000-0x0000000001122000-memory.dmp

Filesize
72KB

Download
memory/1936-807-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/2172-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2172-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2272-288-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/2272-286-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/2272-289-0x00000000011E0000-0x00000000011EC000-memory.dmp

Filesize
48KB

Download
memory/2272-290-0x00000000011F0000-0x00000000011FC000-memory.dmp

Filesize
48KB

Download
memory/2272-287-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/2664-791-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/3064-823-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/4396-363-0x00000162F21C0000-0x00000162F21E2000-memory.dmp

Filesize
136KB

Download
memory/4396-367-0x00000162F23F0000-0x00000162F2466000-memory.dmp

Filesize
472KB

Download
memory/4408-841-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/4472-368-0x000000001B0D0000-0x000000001B0E2000-memory.dmp

Filesize
72KB

Download
memory/4908-829-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download
memory/5116-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/5116-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download