dcrat | 42f5fb5c567dea693fda8f6693c5e871052ee057684696de4923964c8c133a04

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42f5fb5c567dea693fda8f6693c5e871052ee057684696de4923964c8c133a04.exe
Size

1.3MB
MD5

2f5d14e574eb27c7292d6b64b76decbc
SHA1

e70ebe0bd2cd0e8947f13c87b2ec0c75991deaf0
SHA256

42f5fb5c567dea693fda8f6693c5e871052ee057684696de4923964c8c133a04
SHA512

ba97e1d8a15d8151d8a37d04e9814c8b015f18521eff39bfacd82ef0951e85fed09038d35469ccc5a9a2b8862003a256294ac0218ce7089d01874496d6d5e477
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	200	4024	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4024	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac32-284.dat	dcrat
behavioral1/files/0x000800000001ac32-285.dat	dcrat
behavioral1/memory/3076-286-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac69-705.dat	dcrat
behavioral1/files/0x000600000001ac69-703.dat	dcrat
behavioral1/files/0x000600000001ac69-792.dat	dcrat
behavioral1/files/0x000600000001ac69-798.dat	dcrat
behavioral1/files/0x000600000001ac69-804.dat	dcrat
behavioral1/files/0x000600000001ac69-810.dat	dcrat
behavioral1/files/0x000600000001ac69-815.dat	dcrat
behavioral1/files/0x000600000001ac69-820.dat	dcrat
behavioral1/files/0x000600000001ac69-826.dat	dcrat
behavioral1/files/0x000600000001ac69-831.dat	dcrat
behavioral1/files/0x000600000001ac69-837.dat	dcrat
behavioral1/files/0x000600000001ac69-843.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3076	DllCommonsvc.exe
4344	dllhost.exe
4600	dllhost.exe
2792	dllhost.exe
4552	dllhost.exe
1636	dllhost.exe
3740	dllhost.exe
5112	dllhost.exe
4920	dllhost.exe
1684	dllhost.exe
3940	dllhost.exe
1828	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\DllCommonsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\services.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3588	schtasks.exe
300	schtasks.exe
5116	schtasks.exe
5008	schtasks.exe
2864	schtasks.exe
3108	schtasks.exe
652	schtasks.exe
412	schtasks.exe
5076	schtasks.exe
3584	schtasks.exe
4664	schtasks.exe
4028	schtasks.exe
4676	schtasks.exe
4724	schtasks.exe
200	schtasks.exe
3912	schtasks.exe
4424	schtasks.exe
4428	schtasks.exe
4596	schtasks.exe
4796	schtasks.exe
1536	schtasks.exe
3304	schtasks.exe
2276	schtasks.exe
4720	schtasks.exe
4696	schtasks.exe
4776	schtasks.exe
4624	schtasks.exe
588	schtasks.exe
4560	schtasks.exe
900	schtasks.exe
4164	schtasks.exe
3956	schtasks.exe
4680	schtasks.exe
4816	schtasks.exe
32	schtasks.exe
1608	schtasks.exe
4572	schtasks.exe
1736	schtasks.exe
1016	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	42f5fb5c567dea693fda8f6693c5e871052ee057684696de4923964c8c133a04.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
3076	DllCommonsvc.exe
2248	powershell.exe
2248	powershell.exe
2428	powershell.exe
2428	powershell.exe
3908	powershell.exe
3908	powershell.exe
860	powershell.exe
860	powershell.exe
1296	powershell.exe
1296	powershell.exe
4388	powershell.exe
4388	powershell.exe
860	powershell.exe
4944	powershell.exe
4944	powershell.exe
2772	powershell.exe
2772	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe
2668	powershell.exe
2668	powershell.exe
1812	powershell.exe
1812	powershell.exe
4836	powershell.exe
4836	powershell.exe
2428	powershell.exe
2364	powershell.exe
2364	powershell.exe
4864	powershell.exe
4864	powershell.exe
4864	powershell.exe
2248	powershell.exe
2248	powershell.exe
860	powershell.exe
4388	powershell.exe
2612	powershell.exe
4944	powershell.exe
1296	powershell.exe
2428	powershell.exe
1812	powershell.exe
3908	powershell.exe
2364	powershell.exe
2668	powershell.exe
4864	powershell.exe
2772	powershell.exe
2248	powershell.exe
4836	powershell.exe
4388	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	DllCommonsvc.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeIncreaseQuotaPrivilege	2612	powershell.exe
Token: SeSecurityPrivilege	2612	powershell.exe
Token: SeTakeOwnershipPrivilege	2612	powershell.exe
Token: SeLoadDriverPrivilege	2612	powershell.exe
Token: SeSystemProfilePrivilege	2612	powershell.exe
Token: SeSystemtimePrivilege	2612	powershell.exe
Token: SeProfSingleProcessPrivilege	2612	powershell.exe
Token: SeIncBasePriorityPrivilege	2612	powershell.exe
Token: SeCreatePagefilePrivilege	2612	powershell.exe
Token: SeBackupPrivilege	2612	powershell.exe
Token: SeRestorePrivilege	2612	powershell.exe
Token: SeShutdownPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeSystemEnvironmentPrivilege	2612	powershell.exe
Token: SeRemoteShutdownPrivilege	2612	powershell.exe
Token: SeUndockPrivilege	2612	powershell.exe
Token: SeManageVolumePrivilege	2612	powershell.exe
Token: 33	2612	powershell.exe
Token: 34	2612	powershell.exe
Token: 35	2612	powershell.exe
Token: 36	2612	powershell.exe
Token: SeIncreaseQuotaPrivilege	860	powershell.exe
Token: SeSecurityPrivilege	860	powershell.exe
Token: SeTakeOwnershipPrivilege	860	powershell.exe
Token: SeLoadDriverPrivilege	860	powershell.exe
Token: SeSystemProfilePrivilege	860	powershell.exe
Token: SeSystemtimePrivilege	860	powershell.exe
Token: SeProfSingleProcessPrivilege	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: SeCreatePagefilePrivilege	860	powershell.exe
Token: SeBackupPrivilege	860	powershell.exe
Token: SeRestorePrivilege	860	powershell.exe
Token: SeShutdownPrivilege	860	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeSystemEnvironmentPrivilege	860	powershell.exe
Token: SeRemoteShutdownPrivilege	860	powershell.exe
Token: SeUndockPrivilege	860	powershell.exe
Token: SeManageVolumePrivilege	860	powershell.exe
Token: 33	860	powershell.exe
Token: 34	860	powershell.exe
Token: 35	860	powershell.exe
Token: 36	860	powershell.exe
Token: SeIncreaseQuotaPrivilege	2428	powershell.exe
Token: SeSecurityPrivilege	2428	powershell.exe
Token: SeTakeOwnershipPrivilege	2428	powershell.exe
Token: SeLoadDriverPrivilege	2428	powershell.exe
Token: SeSystemProfilePrivilege	2428	powershell.exe
Token: SeSystemtimePrivilege	2428	powershell.exe
Token: SeProfSingleProcessPrivilege	2428	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4868	2124	42f5fb5c567dea693fda8f6693c5e871052ee057684696de4923964c8c133a04.exe	66
PID 2124 wrote to memory of 4868	2124	42f5fb5c567dea693fda8f6693c5e871052ee057684696de4923964c8c133a04.exe	66
PID 2124 wrote to memory of 4868	2124	42f5fb5c567dea693fda8f6693c5e871052ee057684696de4923964c8c133a04.exe	66
PID 4868 wrote to memory of 4304	4868	WScript.exe	67
PID 4868 wrote to memory of 4304	4868	WScript.exe	67
PID 4868 wrote to memory of 4304	4868	WScript.exe	67
PID 4304 wrote to memory of 3076	4304	cmd.exe	69
PID 4304 wrote to memory of 3076	4304	cmd.exe	69
PID 3076 wrote to memory of 2248	3076	DllCommonsvc.exe	110
PID 3076 wrote to memory of 2248	3076	DllCommonsvc.exe	110
PID 3076 wrote to memory of 4944	3076	DllCommonsvc.exe	122
PID 3076 wrote to memory of 4944	3076	DllCommonsvc.exe	122
PID 3076 wrote to memory of 2428	3076	DllCommonsvc.exe	120
PID 3076 wrote to memory of 2428	3076	DllCommonsvc.exe	120
PID 3076 wrote to memory of 4388	3076	DllCommonsvc.exe	112
PID 3076 wrote to memory of 4388	3076	DllCommonsvc.exe	112
PID 3076 wrote to memory of 1296	3076	DllCommonsvc.exe	113
PID 3076 wrote to memory of 1296	3076	DllCommonsvc.exe	113
PID 3076 wrote to memory of 3908	3076	DllCommonsvc.exe	114
PID 3076 wrote to memory of 3908	3076	DllCommonsvc.exe	114
PID 3076 wrote to memory of 860	3076	DllCommonsvc.exe	117
PID 3076 wrote to memory of 860	3076	DllCommonsvc.exe	117
PID 3076 wrote to memory of 2612	3076	DllCommonsvc.exe	126
PID 3076 wrote to memory of 2612	3076	DllCommonsvc.exe	126
PID 3076 wrote to memory of 1812	3076	DllCommonsvc.exe	123
PID 3076 wrote to memory of 1812	3076	DllCommonsvc.exe	123
PID 3076 wrote to memory of 2364	3076	DllCommonsvc.exe	127
PID 3076 wrote to memory of 2364	3076	DllCommonsvc.exe	127
PID 3076 wrote to memory of 2668	3076	DllCommonsvc.exe	128
PID 3076 wrote to memory of 2668	3076	DllCommonsvc.exe	128
PID 3076 wrote to memory of 2772	3076	DllCommonsvc.exe	129
PID 3076 wrote to memory of 2772	3076	DllCommonsvc.exe	129
PID 3076 wrote to memory of 4836	3076	DllCommonsvc.exe	133
PID 3076 wrote to memory of 4836	3076	DllCommonsvc.exe	133
PID 3076 wrote to memory of 4864	3076	DllCommonsvc.exe	131
PID 3076 wrote to memory of 4864	3076	DllCommonsvc.exe	131
PID 3076 wrote to memory of 3760	3076	DllCommonsvc.exe	139
PID 3076 wrote to memory of 3760	3076	DllCommonsvc.exe	139
PID 3760 wrote to memory of 1384	3760	cmd.exe	141
PID 3760 wrote to memory of 1384	3760	cmd.exe	141
PID 3760 wrote to memory of 4344	3760	cmd.exe	143
PID 3760 wrote to memory of 4344	3760	cmd.exe	143
PID 4344 wrote to memory of 4412	4344	dllhost.exe	144
PID 4344 wrote to memory of 4412	4344	dllhost.exe	144
PID 4412 wrote to memory of 1100	4412	cmd.exe	146
PID 4412 wrote to memory of 1100	4412	cmd.exe	146
PID 4412 wrote to memory of 4600	4412	cmd.exe	147
PID 4412 wrote to memory of 4600	4412	cmd.exe	147
PID 4600 wrote to memory of 5016	4600	dllhost.exe	148
PID 4600 wrote to memory of 5016	4600	dllhost.exe	148
PID 5016 wrote to memory of 1796	5016	cmd.exe	150
PID 5016 wrote to memory of 1796	5016	cmd.exe	150
PID 5016 wrote to memory of 2792	5016	cmd.exe	151
PID 5016 wrote to memory of 2792	5016	cmd.exe	151
PID 2792 wrote to memory of 2844	2792	dllhost.exe	152
PID 2792 wrote to memory of 2844	2792	dllhost.exe	152
PID 2844 wrote to memory of 4796	2844	cmd.exe	154
PID 2844 wrote to memory of 4796	2844	cmd.exe	154
PID 2844 wrote to memory of 4552	2844	cmd.exe	155
PID 2844 wrote to memory of 4552	2844	cmd.exe	155
PID 4552 wrote to memory of 3044	4552	dllhost.exe	156
PID 4552 wrote to memory of 3044	4552	dllhost.exe	156
PID 3044 wrote to memory of 1816	3044	cmd.exe	158
PID 3044 wrote to memory of 1816	3044	cmd.exe	158

C:\Users\Admin\AppData\Local\Temp\42f5fb5c567dea693fda8f6693c5e871052ee057684696de4923964c8c133a04.exe
"C:\Users\Admin\AppData\Local\Temp\42f5fb5c567dea693fda8f6693c5e871052ee057684696de4923964c8c133a04.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R1F8Cs0Rj1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1384
      - C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1100
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1796
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4796
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1816
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
        15⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2932
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        17⤵
        
        PID:5012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2924
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        19⤵
        
        PID:4900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1912
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        21⤵
        
        PID:4844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2920
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        23⤵
        
        PID:3876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2288
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        25⤵
        
        PID:512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1100
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        27⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Templates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87ee0e9e3587ff21d068015b592bad4e

SHA1
9fde4594c67317f2d4fbe3f13190c425ad3f9d0d

SHA256
0dc0c76e64861ee36c5f4e2447e32d6fbb0800cedd7aadd80b81723636c9d5b7

SHA512
e6a1ce39226672e9df07a5f7ff432b3aea7de3158ea7a1dbe82d8202745f78af6aa95cac7388c0c58b28df9dfa7197d0953e3cb948ab9d7776d642a9233d1ce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
653efb494d79dbd0fda6683b9cbc12bc

SHA1
e67df888c9f68d426d1ed307c795a28938818856

SHA256
f4d79bdb925708d8f1d186a95cdb9a2d7451f3c4e111165011ecb0fe7b6bc54e

SHA512
18b20935ba319ae75666ea9fa391e7157e1cc14d847d10e9766cc3d8e80c41fba814fd196faa7b968a9d590bbf5650c5d9d5dd759bff04ea35118cde7bb845d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
653efb494d79dbd0fda6683b9cbc12bc

SHA1
e67df888c9f68d426d1ed307c795a28938818856

SHA256
f4d79bdb925708d8f1d186a95cdb9a2d7451f3c4e111165011ecb0fe7b6bc54e

SHA512
18b20935ba319ae75666ea9fa391e7157e1cc14d847d10e9766cc3d8e80c41fba814fd196faa7b968a9d590bbf5650c5d9d5dd759bff04ea35118cde7bb845d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
595ec8922d161c4685b110aba890d477

SHA1
9f454e5a97cd9f088d1d4dbb795665548e5e3639

SHA256
c5a008557ebc9823df035beb4ba5afe6d8be41180413d4c4a08f35b3d6aa9594

SHA512
0711c7ef63841e61abb74f6a4a3554f8dd7f6527c6fe794c1386e86e34619396bf1759eff468ef35f73e4f0ff4299b454f504f199e3ab43493d60f9228d9925d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
595ec8922d161c4685b110aba890d477

SHA1
9f454e5a97cd9f088d1d4dbb795665548e5e3639

SHA256
c5a008557ebc9823df035beb4ba5afe6d8be41180413d4c4a08f35b3d6aa9594

SHA512
0711c7ef63841e61abb74f6a4a3554f8dd7f6527c6fe794c1386e86e34619396bf1759eff468ef35f73e4f0ff4299b454f504f199e3ab43493d60f9228d9925d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
595ec8922d161c4685b110aba890d477

SHA1
9f454e5a97cd9f088d1d4dbb795665548e5e3639

SHA256
c5a008557ebc9823df035beb4ba5afe6d8be41180413d4c4a08f35b3d6aa9594

SHA512
0711c7ef63841e61abb74f6a4a3554f8dd7f6527c6fe794c1386e86e34619396bf1759eff468ef35f73e4f0ff4299b454f504f199e3ab43493d60f9228d9925d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24414eef61b202e6f303a36866c9d871

SHA1
fe254ae46d54e0522c07fa95c956630c2241e791

SHA256
22e69949858374ef6dd5645c4e18efc1deda072c9c1079c10e0555b4c5967af7

SHA512
b38f383458e32cfaf8e4a335935ae0e3204825328f402e80da95c7a9ce6a4e65db175e2b547156419765724d389441110e7a1333daafacd3a3bfe11c62888fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dd45c6e3755833b9a2134bf4cf0dd845

SHA1
3c37970a62cf8c184a68db71b1e4e5060f2f8a8a

SHA256
98ce519fe0bfae4fcca532fdfe111652d70006f3ac5441e4b62077e591e240a2

SHA512
1ac5b1709e9b9dd9c4eca08be399534ba4bb866ceec83a4ed2eff237de11af90bee0e8586e5af7949fb49c5e27118f32093c9ff8fe5111f36df67adf7561a455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e19fd8034eea527659cce1bb7e529a3

SHA1
83fc3f7f0f1443b41f3791458bbc9f45b08e408f

SHA256
a03ebacb760fb2fea761eaa02782ffd29dbaf46ddf7069e99c4da17723ac0b0d

SHA512
ac206daf070f8fcb008a373d22cc597153f6d0aad4ea523e202086e32d9756d44ba660016b3400351910cf9aa991035d7d313b99315bcefa1c8d7d0857bf154a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
440f901683bcdccafd1678ab46ca8ddf

SHA1
15b2d415a7babba13801fd15995c729ffd495f33

SHA256
eedfcec7bff290028715f2b0696160ef1dfa5d1ad33c10a74eb82d25d6336929

SHA512
0f25aaa3ceff4d8491a6515b0e3f4b0d8b02bff076db7d926dbfc663009f49b710aeaa2b78848074e3f650048bd866b9e87f6c48bcdc16d22caf230a7b040f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ccd153c5e2fac078bad2f2925efd343f

SHA1
eb8537a6e6fd72e5b88d46828ec99ba2fed6e6ed

SHA256
8f0b56e66ac40f83128ad842021d403fe00b6a7434f76b65fefe7d55fc559d33

SHA512
2fb952486c3db1bd452dd5ee7f8314be3b0e54a133930ff6d81c8ae3aedc778bea77be3c7e5e546bf4ad4f809ac3dfd57697d3e1ca8d0b05fd04a14f770749ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
892B

MD5
eef3c60f5bd272715ebfa22f835b9158

SHA1
c87df31708a737a09a94404bba6be936a029c51a

SHA256
12e8571a14b17bd34fea67a366c2fa141940ade526fe382d2f8a2da77de51cef

SHA512
a735483dbb8b55b9e991f799486d6b90d549918491ab0b8a89c65a63519a22636f2efb557921c39f064a6a4f453b8e19457763c8adc163f19a40ac28ef7c94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
198B

MD5
3c17299601f5633a5c6abbc3c5c02980

SHA1
d98be13501bf70eea15970f60c65b621b2408894

SHA256
a6310511110a0a16405844ee2a707fb1b617aea588cc0f70f54715e180c50f1f

SHA512
52e751df0429e6b32ee63867f1697d7b4ed24966eac36bfc086f179163b275ed08f8b85bd3662185766fbca8d0b7c48b950021620b043a4febaf27f2fa2da6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
198B

MD5
3c17299601f5633a5c6abbc3c5c02980

SHA1
d98be13501bf70eea15970f60c65b621b2408894

SHA256
a6310511110a0a16405844ee2a707fb1b617aea588cc0f70f54715e180c50f1f

SHA512
52e751df0429e6b32ee63867f1697d7b4ed24966eac36bfc086f179163b275ed08f8b85bd3662185766fbca8d0b7c48b950021620b043a4febaf27f2fa2da6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat

Filesize
198B

MD5
fc5173d1e666568b3006ba02b2b7709f

SHA1
79920672d12b15d377565251e559daed82fe8c77

SHA256
1f7c06c6db82269339751196fb1f37695046e177d7575f98d0881fd40e66c5d2

SHA512
a73dba8539fcbff4650373195e49b49ba36954da0f3cc9fe18b8b8dfe86c543c33ba691a41d53bf0a92c02d1ac0914ba163c466caebefda6ea3d800dcab81a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

Filesize
198B

MD5
76244bbf51783dcc1fd7b7474cb1fc10

SHA1
1c37498dffed2df54c5a3c736a21994a2a16f88e

SHA256
fd2f827f2c644a4890c48bd924191f0dc6c6ef7e9caba9dfbcc2411c491edaf0

SHA512
f0976b272b14450baf3e67de62fcc34e3bf774620d99b70085ab05474004c8bca6f7ffaa5288474c2272a7a2133eb964f4553fc2a846adf8e6e399824263fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
198B

MD5
cb3b4c4e6dd68436e32269aedfcad398

SHA1
57c6984afd63619c0977697c4d315d5263967514

SHA256
65608366425ed619b3d2a39073256f307dac8b53e003032c0d2c82dbd4858ffa

SHA512
25db7c9610c572ef5b944a599a268bcc3a5689af4e91d52fb3373b3fda6e184251bddae7b750b60eba9d06c7bcc3079c92b69767aef06afa1eef3538e147639c

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
198B

MD5
8f57711760bb974b61811e00460aa52c

SHA1
d2453f858e48af48fc9f32a494ddd182cc4b8239

SHA256
cea08371494c0b009fa9a6541b69eec87329744bff955d56671e54fc6fcf499c

SHA512
b4df9e91d093d73e439c4fafaa5f0c4aadd199d712254725b8d684c1d815521dc6eab0a1a1e0e3086f1bedcbcd20a24af864c68391fc0ea64dd4c5dee63b04ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
198B

MD5
8f57711760bb974b61811e00460aa52c

SHA1
d2453f858e48af48fc9f32a494ddd182cc4b8239

SHA256
cea08371494c0b009fa9a6541b69eec87329744bff955d56671e54fc6fcf499c

SHA512
b4df9e91d093d73e439c4fafaa5f0c4aadd199d712254725b8d684c1d815521dc6eab0a1a1e0e3086f1bedcbcd20a24af864c68391fc0ea64dd4c5dee63b04ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\R1F8Cs0Rj1.bat

Filesize
198B

MD5
40818f5c91e5ee3831ddf864bc990587

SHA1
b9199e360494abfecbd8aa9c11d6750f39e463f6

SHA256
48e0b4fbb430fafdd325d82f35c055bebfba32a75f532e3136ba6d427c40954a

SHA512
188cf66c2e35dd6faa49cabd987cb7bb311faf27fa7205f8b5d2456c2d3e909592336012cc155a66d75494e4db85f17f20c918ba1e5b5a6b6aa77cb387fbe38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
198B

MD5
51bf47ddc6c800e6069f0a758b963cfc

SHA1
b9792bb0dee8dde5e53a3e318be75f6f4545b166

SHA256
b9d050f70c57ff857f77e5ad887d1b16939c91afe351693bfaf910cc57f6bf60

SHA512
873525911bd64320306b83c3a0012e006b399fa93112566cc88464cb42bb137f9ad6ac1981d2ff0047f5e188ca50cbb7485c49fc76a589b4db064ecbf48e6174

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
198B

MD5
ed0c1a1d2fd3ba1aa79b66ca093fcad3

SHA1
21fbd72f291275e47f8bce425dd69b58c7ecd598

SHA256
13ed1ef523e63eb8333433500c1857fe39cb81c1d918ceea7f736c9bc8708a38

SHA512
a851f531cd47d250fde173e2abad77881f186a60ac75b86014597086028950a4656fe5f4cb4dd38d71cbaba86307d1c01f61d7bda6f92c34be6c2d16d9a9ba09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
198B

MD5
36c17d645ecdd5d0acabce82d36cad53

SHA1
c0a8f6a40085662959ed403ba3c10d16842a597c

SHA256
521e5bfd32fbf4a67a981e0e1529257dae0a5d485c12162e2001aa3ed76f82d1

SHA512
5d4b3001881c5f86db662da7f84ebcd70202501992c9833eae9f09e56dbf11ee902a76b834a14a93b746f35e3e638af73da0f61723f1b31ccbd8bb5329c15b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
198B

MD5
584198876c1a9e0ec4889459b45beb55

SHA1
d1d97138fd642c287a4b6c484e4712c78f6a15f3

SHA256
354040d545976bd3edc12ad545622d61403bbc695a5682c61b8ad9bad89b072d

SHA512
25ef1660c909c9454fa33a404d1adbf7dc5873c56c32109e29c599aec84f6a6b226f02371cd94afde3a3a405444a9ffd260e086ba259ea74a4e8f4f663cace6b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/860-365-0x0000019655950000-0x00000196559C6000-memory.dmp

Filesize
472KB

Download
memory/1684-832-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/1828-844-0x00000000016A0000-0x00000000016B2000-memory.dmp

Filesize
72KB

Download
memory/2124-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-183-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-121-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-179-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-177-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-176-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-175-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-174-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-172-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-171-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-122-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-123-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-169-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-167-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-125-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-120-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-126-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-162-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-160-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-158-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-159-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-157-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-156-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-154-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-152-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-151-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-150-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-148-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-147-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-146-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-145-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-144-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-142-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-135-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-134-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2248-360-0x00000105D79E0000-0x00000105D7A02000-memory.dmp

Filesize
136KB

Download
memory/2792-799-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/3076-289-0x0000000001590000-0x000000000159C000-memory.dmp

Filesize
48KB

Download
memory/3076-286-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/3076-290-0x0000000002F50000-0x0000000002F5C000-memory.dmp

Filesize
48KB

Download
memory/3076-287-0x0000000001560000-0x0000000001572000-memory.dmp

Filesize
72KB

Download
memory/3076-288-0x0000000001570000-0x000000000157C000-memory.dmp

Filesize
48KB

Download
memory/3940-838-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/4552-805-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/4868-185-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-186-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/5112-821-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download