dcrat | d231c72097d4ac8130ffbb623fba9d7b4dfab4891eacfbe75998eafdf0f8936e

Analysis

max time kernel
147s
max time network
144s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d231c72097d4ac8130ffbb623fba9d7b4dfab4891eacfbe75998eafdf0f8936e.exe
Size

1.3MB
MD5

6b6e4151d3dd97836d5931e67999e572
SHA1

7e66cff0433407fc3fca3a88b34db27d9ba5aaf9
SHA256

d231c72097d4ac8130ffbb623fba9d7b4dfab4891eacfbe75998eafdf0f8936e
SHA512

dce6a303eb07cff922171449836b27fdd66283a9fefe08926e7d2dead0a5f907f8e334135fe2d49388411ac662e24d46619a671fe34c11192ae6430d0d998190
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	160	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	96	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4476	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4476	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac19-284.dat	dcrat
behavioral1/memory/4960-285-0x0000000000740000-0x0000000000850000-memory.dmp	dcrat
behavioral1/files/0x000900000001ac19-283.dat	dcrat
behavioral1/files/0x000600000001ac37-340.dat	dcrat
behavioral1/files/0x000600000001ac37-342.dat	dcrat
behavioral1/files/0x000600000001ac37-790.dat	dcrat
behavioral1/files/0x000600000001ac37-797.dat	dcrat
behavioral1/files/0x000600000001ac37-802.dat	dcrat
behavioral1/files/0x000600000001ac37-807.dat	dcrat
behavioral1/files/0x000600000001ac37-813.dat	dcrat
behavioral1/files/0x000600000001ac37-819.dat	dcrat
behavioral1/files/0x000600000001ac37-825.dat	dcrat
behavioral1/files/0x000600000001ac37-830.dat	dcrat
behavioral1/files/0x000600000001ac37-835.dat	dcrat
behavioral1/files/0x000600000001ac37-840.dat	dcrat
behavioral1/files/0x000600000001ac37-845.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
4960	DllCommonsvc.exe
4116	sppsvc.exe
4348	sppsvc.exe
3300	sppsvc.exe
488	sppsvc.exe
652	sppsvc.exe
4828	sppsvc.exe
3920	sppsvc.exe
5064	sppsvc.exe
3312	sppsvc.exe
2620	sppsvc.exe
3892	sppsvc.exe
4764	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5008	schtasks.exe
5032	schtasks.exe
228	schtasks.exe
96	schtasks.exe
4544	schtasks.exe
2324	schtasks.exe
780	schtasks.exe
4620	schtasks.exe
4352	schtasks.exe
4208	schtasks.exe
4608	schtasks.exe
556	schtasks.exe
324	schtasks.exe
4520	schtasks.exe
4472	schtasks.exe
1628	schtasks.exe
3976	schtasks.exe
3224	schtasks.exe
1332	schtasks.exe
1388	schtasks.exe
4536	schtasks.exe
1476	schtasks.exe
160	schtasks.exe
664	schtasks.exe
3156	schtasks.exe
4300	schtasks.exe
820	schtasks.exe
656	schtasks.exe
3228	schtasks.exe
1216	schtasks.exe
812	schtasks.exe
3700	schtasks.exe
4356	schtasks.exe
4480	schtasks.exe
744	schtasks.exe
3792	schtasks.exe
496	schtasks.exe
4916	schtasks.exe
4492	schtasks.exe
4420	schtasks.exe
4872	schtasks.exe
4268	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	d231c72097d4ac8130ffbb623fba9d7b4dfab4891eacfbe75998eafdf0f8936e.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
4960	DllCommonsvc.exe
2180	powershell.exe
2180	powershell.exe
2204	powershell.exe
2204	powershell.exe
1040	powershell.exe
1040	powershell.exe
584	powershell.exe
584	powershell.exe
2392	powershell.exe
2392	powershell.exe
2188	powershell.exe
2188	powershell.exe
2584	powershell.exe
2584	powershell.exe
2636	powershell.exe
2636	powershell.exe
2684	powershell.exe
2684	powershell.exe
2904	powershell.exe
2904	powershell.exe
3784	powershell.exe
3784	powershell.exe
3896	powershell.exe
3896	powershell.exe
4344	powershell.exe
4344	powershell.exe
4428	powershell.exe
4428	powershell.exe
4116	sppsvc.exe
4116	sppsvc.exe
2636	powershell.exe
3896	powershell.exe
3784	powershell.exe
2204	powershell.exe
2180	powershell.exe
1040	powershell.exe
584	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	DllCommonsvc.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	4116	sppsvc.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeIncreaseQuotaPrivilege	2636	powershell.exe
Token: SeSecurityPrivilege	2636	powershell.exe
Token: SeTakeOwnershipPrivilege	2636	powershell.exe
Token: SeLoadDriverPrivilege	2636	powershell.exe
Token: SeSystemProfilePrivilege	2636	powershell.exe
Token: SeSystemtimePrivilege	2636	powershell.exe
Token: SeProfSingleProcessPrivilege	2636	powershell.exe
Token: SeIncBasePriorityPrivilege	2636	powershell.exe
Token: SeCreatePagefilePrivilege	2636	powershell.exe
Token: SeBackupPrivilege	2636	powershell.exe
Token: SeRestorePrivilege	2636	powershell.exe
Token: SeShutdownPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeSystemEnvironmentPrivilege	2636	powershell.exe
Token: SeRemoteShutdownPrivilege	2636	powershell.exe
Token: SeUndockPrivilege	2636	powershell.exe
Token: SeManageVolumePrivilege	2636	powershell.exe
Token: 33	2636	powershell.exe
Token: 34	2636	powershell.exe
Token: 35	2636	powershell.exe
Token: 36	2636	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe
Token: 33	3896	powershell.exe
Token: 34	3896	powershell.exe
Token: 35	3896	powershell.exe
Token: 36	3896	powershell.exe
Token: SeIncreaseQuotaPrivilege	3784	powershell.exe
Token: SeSecurityPrivilege	3784	powershell.exe
Token: SeTakeOwnershipPrivilege	3784	powershell.exe
Token: SeLoadDriverPrivilege	3784	powershell.exe
Token: SeSystemProfilePrivilege	3784	powershell.exe
Token: SeSystemtimePrivilege	3784	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 4764	2620	d231c72097d4ac8130ffbb623fba9d7b4dfab4891eacfbe75998eafdf0f8936e.exe	66
PID 2620 wrote to memory of 4764	2620	d231c72097d4ac8130ffbb623fba9d7b4dfab4891eacfbe75998eafdf0f8936e.exe	66
PID 2620 wrote to memory of 4764	2620	d231c72097d4ac8130ffbb623fba9d7b4dfab4891eacfbe75998eafdf0f8936e.exe	66
PID 4764 wrote to memory of 64	4764	WScript.exe	67
PID 4764 wrote to memory of 64	4764	WScript.exe	67
PID 4764 wrote to memory of 64	4764	WScript.exe	67
PID 64 wrote to memory of 4960	64	cmd.exe	69
PID 64 wrote to memory of 4960	64	cmd.exe	69
PID 4960 wrote to memory of 2204	4960	DllCommonsvc.exe	122
PID 4960 wrote to memory of 2204	4960	DllCommonsvc.exe	122
PID 4960 wrote to memory of 2180	4960	DllCommonsvc.exe	121
PID 4960 wrote to memory of 2180	4960	DllCommonsvc.exe	121
PID 4960 wrote to memory of 1040	4960	DllCommonsvc.exe	119
PID 4960 wrote to memory of 1040	4960	DllCommonsvc.exe	119
PID 4960 wrote to memory of 584	4960	DllCommonsvc.exe	92
PID 4960 wrote to memory of 584	4960	DllCommonsvc.exe	92
PID 4960 wrote to memory of 2188	4960	DllCommonsvc.exe	116
PID 4960 wrote to memory of 2188	4960	DllCommonsvc.exe	116
PID 4960 wrote to memory of 2392	4960	DllCommonsvc.exe	114
PID 4960 wrote to memory of 2392	4960	DllCommonsvc.exe	114
PID 4960 wrote to memory of 2584	4960	DllCommonsvc.exe	93
PID 4960 wrote to memory of 2584	4960	DllCommonsvc.exe	93
PID 4960 wrote to memory of 1976	4960	DllCommonsvc.exe	111
PID 4960 wrote to memory of 1976	4960	DllCommonsvc.exe	111
PID 4960 wrote to memory of 2636	4960	DllCommonsvc.exe	109
PID 4960 wrote to memory of 2636	4960	DllCommonsvc.exe	109
PID 4960 wrote to memory of 2684	4960	DllCommonsvc.exe	107
PID 4960 wrote to memory of 2684	4960	DllCommonsvc.exe	107
PID 4960 wrote to memory of 2904	4960	DllCommonsvc.exe	105
PID 4960 wrote to memory of 2904	4960	DllCommonsvc.exe	105
PID 4960 wrote to memory of 3896	4960	DllCommonsvc.exe	104
PID 4960 wrote to memory of 3896	4960	DllCommonsvc.exe	104
PID 4960 wrote to memory of 3784	4960	DllCommonsvc.exe	103
PID 4960 wrote to memory of 3784	4960	DllCommonsvc.exe	103
PID 4960 wrote to memory of 4344	4960	DllCommonsvc.exe	96
PID 4960 wrote to memory of 4344	4960	DllCommonsvc.exe	96
PID 4960 wrote to memory of 4428	4960	DllCommonsvc.exe	98
PID 4960 wrote to memory of 4428	4960	DllCommonsvc.exe	98
PID 4960 wrote to memory of 4116	4960	DllCommonsvc.exe	101
PID 4960 wrote to memory of 4116	4960	DllCommonsvc.exe	101
PID 4116 wrote to memory of 3908	4116	sppsvc.exe	145
PID 4116 wrote to memory of 3908	4116	sppsvc.exe	145
PID 3908 wrote to memory of 32	3908	cmd.exe	147
PID 3908 wrote to memory of 32	3908	cmd.exe	147
PID 3908 wrote to memory of 4348	3908	cmd.exe	148
PID 3908 wrote to memory of 4348	3908	cmd.exe	148
PID 4348 wrote to memory of 3900	4348	sppsvc.exe	149
PID 4348 wrote to memory of 3900	4348	sppsvc.exe	149
PID 3900 wrote to memory of 4724	3900	cmd.exe	151
PID 3900 wrote to memory of 4724	3900	cmd.exe	151
PID 3900 wrote to memory of 3300	3900	cmd.exe	152
PID 3900 wrote to memory of 3300	3900	cmd.exe	152
PID 3300 wrote to memory of 4224	3300	sppsvc.exe	153
PID 3300 wrote to memory of 4224	3300	sppsvc.exe	153
PID 4224 wrote to memory of 4092	4224	cmd.exe	155
PID 4224 wrote to memory of 4092	4224	cmd.exe	155
PID 4224 wrote to memory of 488	4224	cmd.exe	156
PID 4224 wrote to memory of 488	4224	cmd.exe	156
PID 488 wrote to memory of 2748	488	sppsvc.exe	157
PID 488 wrote to memory of 2748	488	sppsvc.exe	157
PID 2748 wrote to memory of 1568	2748	cmd.exe	159
PID 2748 wrote to memory of 1568	2748	cmd.exe	159
PID 2748 wrote to memory of 652	2748	cmd.exe	160
PID 2748 wrote to memory of 652	2748	cmd.exe	160

C:\Users\Admin\AppData\Local\Temp\d231c72097d4ac8130ffbb623fba9d7b4dfab4891eacfbe75998eafdf0f8936e.exe
"C:\Users\Admin\AppData\Local\Temp\d231c72097d4ac8130ffbb623fba9d7b4dfab4891eacfbe75998eafdf0f8936e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
    - - C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:32
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4724
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4092
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1568
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
        14⤵
        
        PID:3476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2724
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        16⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3840
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
        18⤵
        
        PID:196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2728
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        20⤵
        
        PID:3096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:5052
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        22⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1244
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
        24⤵
        
        PID:520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4408
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        26⤵
        
        PID:4808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3136
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        27⤵
        Executes dropped EXE
        
        PID:4764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:96

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Templates\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\reports\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
508444328dfd52c191cae015b611eb71

SHA1
0bd774b714d29a69d3b1bed3d665148a581b1534

SHA256
ba2f4979229f8839322b817d9e10191d60f2b6844dbb07be6c3ef715743d4ed3

SHA512
a83a5b314dcba6c95b2f7d932e617306d89a3a60789f584ce6025e4b0b52c7f1011b7bdfab03355025758d8197ea7f2f9ddc53f5febb4086d6266f0d86d96833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
508444328dfd52c191cae015b611eb71

SHA1
0bd774b714d29a69d3b1bed3d665148a581b1534

SHA256
ba2f4979229f8839322b817d9e10191d60f2b6844dbb07be6c3ef715743d4ed3

SHA512
a83a5b314dcba6c95b2f7d932e617306d89a3a60789f584ce6025e4b0b52c7f1011b7bdfab03355025758d8197ea7f2f9ddc53f5febb4086d6266f0d86d96833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
61b2260802fa2b2b7ec9ab8d0877a59b

SHA1
8cf1d14f666b502b9d15e63317c4130abefcee16

SHA256
80dcf43fb775354d5a719d177406b4ae29877abe8c81ada7fe413ace7c1cf3fe

SHA512
2e9280f74a1ac3310064036cde38b960a499d3d056973766c58b8068c9b656f8af3366b176a186e757152b30b181874023b95e9b7e7d09f7314184d8f4f821ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
61b2260802fa2b2b7ec9ab8d0877a59b

SHA1
8cf1d14f666b502b9d15e63317c4130abefcee16

SHA256
80dcf43fb775354d5a719d177406b4ae29877abe8c81ada7fe413ace7c1cf3fe

SHA512
2e9280f74a1ac3310064036cde38b960a499d3d056973766c58b8068c9b656f8af3366b176a186e757152b30b181874023b95e9b7e7d09f7314184d8f4f821ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1655ea1c7759183308157e146e14ae58

SHA1
f0c1faeebd58f88fb52298b8f785d0a4d29bbedc

SHA256
fc68f9ffe61ee51de39c0cc44ea3d2025581c255ee5b7a5d091bcdb4369c8c86

SHA512
b6661a63387232f5fb2bf59f322e4a6b701969177c9bffa9a18eaf6eca4db41c3b60d14f09e934a3beb01491dd1a6236d324c2b4a4d0df0c62a1216ea8943164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1655ea1c7759183308157e146e14ae58

SHA1
f0c1faeebd58f88fb52298b8f785d0a4d29bbedc

SHA256
fc68f9ffe61ee51de39c0cc44ea3d2025581c255ee5b7a5d091bcdb4369c8c86

SHA512
b6661a63387232f5fb2bf59f322e4a6b701969177c9bffa9a18eaf6eca4db41c3b60d14f09e934a3beb01491dd1a6236d324c2b4a4d0df0c62a1216ea8943164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2dcd13c0b6eac24967ada0930aed1598

SHA1
5b935fd5db7f9d2568754b502090de9020af2bf2

SHA256
ce433c9dd75de2f913748c7676384b508c91c10541ed7ca4c44abc2b2aacb110

SHA512
57492ac0f6396525476b914b520006f2f3fc78333d5643a72d358d8c4528311e713154704e832a83928cd86e8391b63e33a746c531018a0c57c9704a6c68bde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f4a069f84ff9742ffd160463ae7f97ef

SHA1
bd873014b54e8a3ee8feef89f6d4684b47f3c240

SHA256
8bd3350821e2af1274c5ef3385d4812683ad9b3db78084222dea007e43662753

SHA512
1c0952d8846bac0d29d052f27c40cbed5c8a6a0f14434f6fa7ae1f736b17c0dab7b4b17894f6c98a7aba36a6e35133519487a067633b982121c7293c2ab065d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67107005e63b64337c375a752bf7ed91

SHA1
4f2fca819821496208346378fd432599427dffef

SHA256
661cbc27aabd2773428aa0f37ae371dbeacd67966eb9b6a58712eac13d9e5c31

SHA512
c8f70cea5f1f3ed399ea8344482c55bf3eef3549b127af9267eedc827e5799a3fbc9aee4d5b78409560f5680b7ee85072e83c46fa1df5cc95767cb5d040dedb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
75ea6609d5653b51bd5bf44d3fa2d9e7

SHA1
1e6079b89a63ca7b9ac72f8a5c04c6ad4febe385

SHA256
8ff761bbb916248df8c108ae5487f4e3794c6b67527a625688cc32d1faf27529

SHA512
c699b5b3a25c56387b46a360e620a9de480f4b2136789d7c11f0fbc32fe73ba7ffca0d05882ad81c45d433f9c26efc8be3409fab409123aa7bf01b0a8d4dbc4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ce3ed4732ea2563a7d5e88d3da49cd3

SHA1
a2f686162e1e8b28fd5bb1dcbae15b4110f34100

SHA256
e0e7157657b14528b91ee8d0b04bd16cabd21cbd00a97a5c35ec0d773931cc02

SHA512
79db38e035fe56d1de5942c9941951c3bd564f13f871d32de50a626d7695be133cbae0cf63b56770f29f8016a25951a8bb7700934f48deb778c3418de3d1910c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0e06d35431517f4e98eaa3a36807b386

SHA1
51f44f3ffb2938e3ea9efc92071a369997508b87

SHA256
9f668563b802aa904911d90f65cfa4982a403943a944180a66c610410306ecdc

SHA512
5d488bc8a08fead6ebc6f9614b5fafb33714d300d594773fc55e829f5a870a8814b6e615daac4377cef59a5c461580c00fea9c5b7f636602edbde7d2958fe4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

Filesize
197B

MD5
a1aa8f08f075971072f865c5e8b5b104

SHA1
6d5176993180cbefec432d2b5dde8fa6ab2b6f22

SHA256
90e22bf9f5d8be50f77dfe41b9ef565c58a4f61ef102ca04e334dddd0f3a0712

SHA512
899304801f05e554461d08c30c2d73d17edba9e18c3d5db5e1c59e9c5c5719080da8e6c871d2db4a06e08417f71f91c6bce78f01ceecabd021f06b89ded176b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
197B

MD5
5db2626a0c0910d36cab9060b0d2637e

SHA1
fd7c92ad8bcba00aebe833a373998643dfd3f2f3

SHA256
b76f388f9aed20925bf7bf59386eda384294e65697bdd989f8522ef9eaea3e71

SHA512
cba56782406cf7536394b235d74a11c9413c03a2ebf8176fe62a0ebc2292797ca8b6acf21eaeca76d1883a2d1423a4b521b0546e5943192b085d67bcb87874b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

Filesize
197B

MD5
c207fadd9906382377f9052362dcf225

SHA1
5b6828c8b4c297290777464de103b313fdeba09c

SHA256
21b823446212b76c91a6ffcee43ae9612cbd26454dc8d368b1d1287854aa2fb7

SHA512
32712cb70329b7dbb62acbca2a96671f8324dfe0b147eaef4595a579cdc4b6190b969ed6ba945ca352c43d56dae2129669b0be5a0c896a7fc22476f47dda5bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

Filesize
197B

MD5
c207fadd9906382377f9052362dcf225

SHA1
5b6828c8b4c297290777464de103b313fdeba09c

SHA256
21b823446212b76c91a6ffcee43ae9612cbd26454dc8d368b1d1287854aa2fb7

SHA512
32712cb70329b7dbb62acbca2a96671f8324dfe0b147eaef4595a579cdc4b6190b969ed6ba945ca352c43d56dae2129669b0be5a0c896a7fc22476f47dda5bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat

Filesize
197B

MD5
4af21790b8153dfbfbbf89d1593c5682

SHA1
98cdea9f50b910150b78c7fd8c46a21cdc13d2cb

SHA256
1cca48b2ce391b1f005b89bc3a1ee3ab0f996591aae1b3ebdf0660623c8dbb36

SHA512
20f9a7d546c3a7e590837f37eb644e08c6d6d057f037b729b14fd3f72d0a9f739288df67451bbcac6a4c20b0c0d7a3227bf59e7917c4908c62185b33e894a77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
197B

MD5
df4248e925f0eb2b2537af9d4505bc53

SHA1
bb654e6dae0df9713c937064da72c355b0a66e9d

SHA256
077b13cf51b19a3eb03d35e60ab1ee6f5a177c5e7811b6e19e8c842f272ebb12

SHA512
55826280215b1a2cf79b85056cdb086fae24ee3459aea50a86daae2d42826e671771eed1a5e93e4f9aade847bd9b872c585b169120373c6b8aec3a196aa7afdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
197B

MD5
d173a22b0304bfae9e5d3b2719bff2d5

SHA1
9d6baa58e18c9133f6cd62f192dcca8802291b97

SHA256
8d2f79398ebea4c992711eebf793a493b8135cba3efadc7bfa31cb0dafa9d2a4

SHA512
a6ac0e7f52ef1f8bc823cf0f566276a8870f9d660f3716a08e683616afda5202bcd4f1a21db6cab185412e7fe60a06d9db5b0fd44a499c7b67b959ed5febbf86

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
197B

MD5
d173a22b0304bfae9e5d3b2719bff2d5

SHA1
9d6baa58e18c9133f6cd62f192dcca8802291b97

SHA256
8d2f79398ebea4c992711eebf793a493b8135cba3efadc7bfa31cb0dafa9d2a4

SHA512
a6ac0e7f52ef1f8bc823cf0f566276a8870f9d660f3716a08e683616afda5202bcd4f1a21db6cab185412e7fe60a06d9db5b0fd44a499c7b67b959ed5febbf86

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
197B

MD5
241a82e1bdf0c522c6605ca21f15e807

SHA1
49d0b8356a8e0692669bdabea1fe77597ef11124

SHA256
6f3e54da238a0bde1b184d17a9eb867bc999fa7036cd87d51e1e4e395149d9ad

SHA512
bc08d2154806e0ccdd219ec4ac64e0c850c5539ac471595eea070c536d16775d871f7d7af5852f596a06bebb92ff801c4e038d93c88229511ea246f82877947c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
197B

MD5
3609148c429a8de5b6bfbc67358f6af6

SHA1
9225b3b3a05bd87cac9e67e40f151230bcf0c1e9

SHA256
1155d94af5c4e9e1c5864a06fe705f3225d0ce12c1dbab6ce6e7343e20c7542e

SHA512
f0709900f750d12f8c031ac0d5d1090ed6f1545ddfa219d67dedbca851f72b32fc31daadaf47880982d6336bee6c728f4a78fa124e40738b147f87c2ff5288cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

Filesize
197B

MD5
cb6785677d117358f94f5c45e56c02eb

SHA1
85953cf670794d0dcc931f42e2778f02c3130c18

SHA256
0cbec254f12f80d920d054eacdc6f3422e1ff34843bf77d4d837a0b6b1c840a7

SHA512
6084e025930642fef3f273dc2532141c7e4367c512007b54e88a69aaea90ece09ce22c08bc297eb5e0355b6cfad9484c8d2c380c6d5f03adf2d6ce9f79add07e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/652-808-0x00000000026C0000-0x00000000026D2000-memory.dmp

Filesize
72KB

Download
memory/2180-364-0x000001DCA5160000-0x000001DCA5182000-memory.dmp

Filesize
136KB

Download
memory/2620-160-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-153-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-180-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-182-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-127-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-128-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-179-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-129-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-178-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-130-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-132-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-133-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-131-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-134-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-177-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-175-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-135-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-136-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-176-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-137-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-138-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-174-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-169-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-172-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-173-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-140-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-171-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-170-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-168-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-139-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-167-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-166-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-158-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-159-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-164-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-165-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-163-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-162-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-161-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-157-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-156-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-155-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-150-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-152-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-141-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-154-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-181-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-142-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-143-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-151-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-145-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-144-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-149-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-146-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-148-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2620-147-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2636-369-0x0000019DEAA60000-0x0000019DEAAD6000-memory.dmp

Filesize
472KB

Download
memory/3920-820-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/4116-365-0x0000000001540000-0x0000000001552000-memory.dmp

Filesize
72KB

Download
memory/4348-792-0x0000000001300000-0x0000000001312000-memory.dmp

Filesize
72KB

Download
memory/4764-185-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4764-184-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/4828-814-0x0000000001410000-0x0000000001422000-memory.dmp

Filesize
72KB

Download
memory/4960-285-0x0000000000740000-0x0000000000850000-memory.dmp

Filesize
1.1MB

Download
memory/4960-286-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/4960-287-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/4960-289-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/4960-288-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

Filesize
48KB

Download