dcrat | b6faed325456a366d3ffdd4ba273a42584c1e4ae4c80773619f9d0d4f534e9df

Analysis

max time kernel
148s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 00:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6faed325456a366d3ffdd4ba273a42584c1e4ae4c80773619f9d0d4f534e9df.exe
Size

1.3MB
MD5

e01aaed37cc056172da702e67c4cbc03
SHA1

bf96045f2911511e846480601571ff247178c538
SHA256

b6faed325456a366d3ffdd4ba273a42584c1e4ae4c80773619f9d0d4f534e9df
SHA512

91650e39f5a27d5ff7bf172d374e01a608b4f7a1811868cd30ab9f0f233e87cef103b34a412a0565291aaed0c433468cc1244a2cc238dbb68bb864b078f608eb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	164	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	4800	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4800	schtasks.exe	71

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a00000001abb9-284.dat	dcrat
behavioral1/files/0x000a00000001abb9-285.dat	dcrat
behavioral1/memory/4980-286-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/files/0x000600000001abe7-645.dat	dcrat
behavioral1/files/0x000600000001abe7-644.dat	dcrat
behavioral1/files/0x000600000001abe7-828.dat	dcrat
behavioral1/files/0x000600000001abe7-835.dat	dcrat
behavioral1/files/0x000600000001abe7-841.dat	dcrat
behavioral1/files/0x000600000001abe7-846.dat	dcrat
behavioral1/files/0x000600000001abe7-851.dat	dcrat
behavioral1/files/0x000600000001abe7-857.dat	dcrat
behavioral1/files/0x000600000001abe7-862.dat	dcrat
behavioral1/files/0x000600000001abe7-865.dat	dcrat
behavioral1/files/0x000600000001abe7-870.dat	dcrat
behavioral1/files/0x000600000001abe7-876.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4980	DllCommonsvc.exe
3800	dllhost.exe
4140	dllhost.exe
2168	dllhost.exe
780	dllhost.exe
2496	dllhost.exe
3852	dllhost.exe
2856	dllhost.exe
5096	dllhost.exe
244	dllhost.exe
3900	dllhost.exe
3876	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\ea9f0e6c9e2dcd	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\ja-JP\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
940	schtasks.exe
824	schtasks.exe
1060	schtasks.exe
2800	schtasks.exe
1672	schtasks.exe
3356	schtasks.exe
3264	schtasks.exe
4868	schtasks.exe
1724	schtasks.exe
1808	schtasks.exe
1132	schtasks.exe
2980	schtasks.exe
2176	schtasks.exe
3328	schtasks.exe
2904	schtasks.exe
3340	schtasks.exe
688	schtasks.exe
1256	schtasks.exe
2480	schtasks.exe
784	schtasks.exe
804	schtasks.exe
2108	schtasks.exe
4004	schtasks.exe
2524	schtasks.exe
164	schtasks.exe
2200	schtasks.exe
3460	schtasks.exe
836	schtasks.exe
1804	schtasks.exe
4992	schtasks.exe
452	schtasks.exe
2172	schtasks.exe
1964	schtasks.exe
1428	schtasks.exe
328	schtasks.exe
4776	schtasks.exe
2152	schtasks.exe
3564	schtasks.exe
216	schtasks.exe
3820	schtasks.exe
1528	schtasks.exe
3208	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	b6faed325456a366d3ffdd4ba273a42584c1e4ae4c80773619f9d0d4f534e9df.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	DllCommonsvc.exe
4980	DllCommonsvc.exe
4980	DllCommonsvc.exe
4120	powershell.exe
4328	powershell.exe
4328	powershell.exe
5084	powershell.exe
5084	powershell.exe
2580	powershell.exe
2580	powershell.exe
2468	powershell.exe
2468	powershell.exe
3908	powershell.exe
3908	powershell.exe
4896	powershell.exe
4896	powershell.exe
4288	powershell.exe
4288	powershell.exe
4148	powershell.exe
4148	powershell.exe
4328	powershell.exe
3624	powershell.exe
3624	powershell.exe
1392	powershell.exe
1392	powershell.exe
4484	powershell.exe
4484	powershell.exe
5084	powershell.exe
3836	powershell.exe
4512	powershell.exe
3836	powershell.exe
4512	powershell.exe
3396	powershell.exe
3396	powershell.exe
1392	powershell.exe
3396	powershell.exe
4120	powershell.exe
4120	powershell.exe
4288	powershell.exe
5084	powershell.exe
4328	powershell.exe
4328	powershell.exe
4148	powershell.exe
4896	powershell.exe
1392	powershell.exe
4512	powershell.exe
2580	powershell.exe
2468	powershell.exe
3908	powershell.exe
3624	powershell.exe
4484	powershell.exe
4288	powershell.exe
3396	powershell.exe
3836	powershell.exe
4120	powershell.exe
4512	powershell.exe
4148	powershell.exe
2580	powershell.exe
2580	powershell.exe
4896	powershell.exe
4896	powershell.exe
2468	powershell.exe
2468	powershell.exe
3624	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	DllCommonsvc.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeIncreaseQuotaPrivilege	4328	powershell.exe
Token: SeSecurityPrivilege	4328	powershell.exe
Token: SeTakeOwnershipPrivilege	4328	powershell.exe
Token: SeLoadDriverPrivilege	4328	powershell.exe
Token: SeSystemProfilePrivilege	4328	powershell.exe
Token: SeSystemtimePrivilege	4328	powershell.exe
Token: SeProfSingleProcessPrivilege	4328	powershell.exe
Token: SeIncBasePriorityPrivilege	4328	powershell.exe
Token: SeCreatePagefilePrivilege	4328	powershell.exe
Token: SeBackupPrivilege	4328	powershell.exe
Token: SeRestorePrivilege	4328	powershell.exe
Token: SeShutdownPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeSystemEnvironmentPrivilege	4328	powershell.exe
Token: SeRemoteShutdownPrivilege	4328	powershell.exe
Token: SeUndockPrivilege	4328	powershell.exe
Token: SeManageVolumePrivilege	4328	powershell.exe
Token: 33	4328	powershell.exe
Token: 34	4328	powershell.exe
Token: 35	4328	powershell.exe
Token: 36	4328	powershell.exe
Token: SeIncreaseQuotaPrivilege	5084	powershell.exe
Token: SeSecurityPrivilege	5084	powershell.exe
Token: SeTakeOwnershipPrivilege	5084	powershell.exe
Token: SeLoadDriverPrivilege	5084	powershell.exe
Token: SeSystemProfilePrivilege	5084	powershell.exe
Token: SeSystemtimePrivilege	5084	powershell.exe
Token: SeProfSingleProcessPrivilege	5084	powershell.exe
Token: SeIncBasePriorityPrivilege	5084	powershell.exe
Token: SeCreatePagefilePrivilege	5084	powershell.exe
Token: SeBackupPrivilege	5084	powershell.exe
Token: SeRestorePrivilege	5084	powershell.exe
Token: SeShutdownPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeSystemEnvironmentPrivilege	5084	powershell.exe
Token: SeRemoteShutdownPrivilege	5084	powershell.exe
Token: SeUndockPrivilege	5084	powershell.exe
Token: SeManageVolumePrivilege	5084	powershell.exe
Token: 33	5084	powershell.exe
Token: 34	5084	powershell.exe
Token: 35	5084	powershell.exe
Token: 36	5084	powershell.exe
Token: SeIncreaseQuotaPrivilege	1392	powershell.exe
Token: SeSecurityPrivilege	1392	powershell.exe
Token: SeTakeOwnershipPrivilege	1392	powershell.exe
Token: SeLoadDriverPrivilege	1392	powershell.exe
Token: SeSystemProfilePrivilege	1392	powershell.exe
Token: SeSystemtimePrivilege	1392	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1348	1460	b6faed325456a366d3ffdd4ba273a42584c1e4ae4c80773619f9d0d4f534e9df.exe	67
PID 1460 wrote to memory of 1348	1460	b6faed325456a366d3ffdd4ba273a42584c1e4ae4c80773619f9d0d4f534e9df.exe	67
PID 1460 wrote to memory of 1348	1460	b6faed325456a366d3ffdd4ba273a42584c1e4ae4c80773619f9d0d4f534e9df.exe	67
PID 1348 wrote to memory of 4680	1348	WScript.exe	68
PID 1348 wrote to memory of 4680	1348	WScript.exe	68
PID 1348 wrote to memory of 4680	1348	WScript.exe	68
PID 4680 wrote to memory of 4980	4680	cmd.exe	70
PID 4680 wrote to memory of 4980	4680	cmd.exe	70
PID 4980 wrote to memory of 4120	4980	DllCommonsvc.exe	114
PID 4980 wrote to memory of 4120	4980	DllCommonsvc.exe	114
PID 4980 wrote to memory of 4328	4980	DllCommonsvc.exe	115
PID 4980 wrote to memory of 4328	4980	DllCommonsvc.exe	115
PID 4980 wrote to memory of 5084	4980	DllCommonsvc.exe	125
PID 4980 wrote to memory of 5084	4980	DllCommonsvc.exe	125
PID 4980 wrote to memory of 2580	4980	DllCommonsvc.exe	117
PID 4980 wrote to memory of 2580	4980	DllCommonsvc.exe	117
PID 4980 wrote to memory of 2468	4980	DllCommonsvc.exe	118
PID 4980 wrote to memory of 2468	4980	DllCommonsvc.exe	118
PID 4980 wrote to memory of 4896	4980	DllCommonsvc.exe	119
PID 4980 wrote to memory of 4896	4980	DllCommonsvc.exe	119
PID 4980 wrote to memory of 3908	4980	DllCommonsvc.exe	121
PID 4980 wrote to memory of 3908	4980	DllCommonsvc.exe	121
PID 4980 wrote to memory of 4288	4980	DllCommonsvc.exe	143
PID 4980 wrote to memory of 4288	4980	DllCommonsvc.exe	143
PID 4980 wrote to memory of 4148	4980	DllCommonsvc.exe	128
PID 4980 wrote to memory of 4148	4980	DllCommonsvc.exe	128
PID 4980 wrote to memory of 3624	4980	DllCommonsvc.exe	129
PID 4980 wrote to memory of 3624	4980	DllCommonsvc.exe	129
PID 4980 wrote to memory of 1392	4980	DllCommonsvc.exe	130
PID 4980 wrote to memory of 1392	4980	DllCommonsvc.exe	130
PID 4980 wrote to memory of 4484	4980	DllCommonsvc.exe	131
PID 4980 wrote to memory of 4484	4980	DllCommonsvc.exe	131
PID 4980 wrote to memory of 3836	4980	DllCommonsvc.exe	132
PID 4980 wrote to memory of 3836	4980	DllCommonsvc.exe	132
PID 4980 wrote to memory of 4512	4980	DllCommonsvc.exe	137
PID 4980 wrote to memory of 4512	4980	DllCommonsvc.exe	137
PID 4980 wrote to memory of 3396	4980	DllCommonsvc.exe	133
PID 4980 wrote to memory of 3396	4980	DllCommonsvc.exe	133
PID 4980 wrote to memory of 720	4980	DllCommonsvc.exe	144
PID 4980 wrote to memory of 720	4980	DllCommonsvc.exe	144
PID 720 wrote to memory of 4424	720	cmd.exe	146
PID 720 wrote to memory of 4424	720	cmd.exe	146
PID 720 wrote to memory of 3800	720	cmd.exe	148
PID 720 wrote to memory of 3800	720	cmd.exe	148
PID 3800 wrote to memory of 3360	3800	dllhost.exe	149
PID 3800 wrote to memory of 3360	3800	dllhost.exe	149
PID 3360 wrote to memory of 3400	3360	cmd.exe	151
PID 3360 wrote to memory of 3400	3360	cmd.exe	151
PID 3360 wrote to memory of 4140	3360	cmd.exe	152
PID 3360 wrote to memory of 4140	3360	cmd.exe	152
PID 4140 wrote to memory of 460	4140	dllhost.exe	153
PID 4140 wrote to memory of 460	4140	dllhost.exe	153
PID 460 wrote to memory of 2528	460	cmd.exe	155
PID 460 wrote to memory of 2528	460	cmd.exe	155
PID 460 wrote to memory of 2168	460	cmd.exe	156
PID 460 wrote to memory of 2168	460	cmd.exe	156
PID 2168 wrote to memory of 2384	2168	dllhost.exe	157
PID 2168 wrote to memory of 2384	2168	dllhost.exe	157
PID 2384 wrote to memory of 3356	2384	cmd.exe	159
PID 2384 wrote to memory of 3356	2384	cmd.exe	159
PID 2384 wrote to memory of 780	2384	cmd.exe	160
PID 2384 wrote to memory of 780	2384	cmd.exe	160
PID 780 wrote to memory of 4892	780	dllhost.exe	161
PID 780 wrote to memory of 4892	780	dllhost.exe	161

C:\Users\Admin\AppData\Local\Temp\b6faed325456a366d3ffdd4ba273a42584c1e4ae4c80773619f9d0d4f534e9df.exe
"C:\Users\Admin\AppData\Local\Temp\b6faed325456a366d3ffdd4ba273a42584c1e4ae4c80773619f9d0d4f534e9df.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EbIUhSFG2u.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:720
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4424
      - C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3400
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2528
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3356
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat"
        13⤵
        
        PID:4892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2232
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
        15⤵
        
        PID:4512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1956
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        17⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3820
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
        19⤵
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1536
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        21⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4008
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        23⤵
        
        PID:4532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:160
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        25⤵
        
        PID:4232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1472
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe"
        26⤵
        Executes dropped EXE
        
        PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\AppData\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\AppData\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\dllhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2307d1d0d55989553e5ed112e300eb9f

SHA1
1490c6a2df9ae4f5faec90a886e5fe4c2d70a776

SHA256
be3c6c80d3c63ab07ca33accbc2144bfa2835efef8f51b8ad0471bfa332c8d36

SHA512
e0e0bec59dc7254178516cd58b1fe1de98022acb86f2130fafc5909d1a49010ac40cdbadc0b3b56a34c58fcfd430c46832104a5b8f7b3cdc9d9ad1ba4375fb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36b430642214d110d1148b8c514fd5fe

SHA1
10456a35e69ad2a7d2dd0dbe61bf484be20ba513

SHA256
212cc55ff1814a42bab398592d1ab42b4cd3319cf7e69a7a7b3ba6bdddf3e9fb

SHA512
52d6a4979c8b7be50c66cff28f1f533686a6786eb8c0ee35f625b6187014cc947ec1e526df22bf955384b3a609acf0524670f562ba42be595164f89cfa0acddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36b430642214d110d1148b8c514fd5fe

SHA1
10456a35e69ad2a7d2dd0dbe61bf484be20ba513

SHA256
212cc55ff1814a42bab398592d1ab42b4cd3319cf7e69a7a7b3ba6bdddf3e9fb

SHA512
52d6a4979c8b7be50c66cff28f1f533686a6786eb8c0ee35f625b6187014cc947ec1e526df22bf955384b3a609acf0524670f562ba42be595164f89cfa0acddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fbb894fc42e4fe79fe8437531e4ad829

SHA1
4ea617a0d3a17d7297bbc6dd395ed6ac3a62aac8

SHA256
c98c2f12659ad717606bb8953213e4e8d5735fa4c7e326389f56b57f82e41595

SHA512
035d717c3f07198f79c99b23e1ddaf41da570933c2ab46aecd4b70e578107201586055d59fb35066ca574a353a8fb13787ebbc1956c53b8194d3c2f88d36759f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f031e3807e2a7d35becc6edd6cbe7958

SHA1
895f48ca773cefd1573c822a5f1c2a60c2676988

SHA256
7645b805f344f782bd217c77d06bdf3f9e842c89d13734b1428769a88e4d7d5c

SHA512
c8d4342864df2081ea18f116696e02015eabaa11128e030aede0562611f785c50938da30ceb187297020e56dd8f7ef403d0eebe1fede01081e6591ea73790617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f031e3807e2a7d35becc6edd6cbe7958

SHA1
895f48ca773cefd1573c822a5f1c2a60c2676988

SHA256
7645b805f344f782bd217c77d06bdf3f9e842c89d13734b1428769a88e4d7d5c

SHA512
c8d4342864df2081ea18f116696e02015eabaa11128e030aede0562611f785c50938da30ceb187297020e56dd8f7ef403d0eebe1fede01081e6591ea73790617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
501b7f835ecf57d1023c3557eb8c2211

SHA1
30d285f6d82da145a6cef84d84e79ee59f80d498

SHA256
d54465450b99ea4f7581d4bf5e478181d6f9aa5900e2412b43deb2b496af54f9

SHA512
102bf0816fcd9587c496849bd1622c66fe93c4b2d8ed1dbe571196a5f160d91bddff9cdcde91a8044eeb278e55ba7eecc94d93c57528cffb64782bdff6de5b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c126aee1e800384ec5c8b03a7df759c0

SHA1
2df5c136697298200c986b9175378400499bce0d

SHA256
baff3322bb286084b0b38648cb0f592e813111f4915986a8ce69ea678ac850ea

SHA512
57636eccdef4397b8d7b48d25476b065a828302b4c858266f54545293174dbd23fafaadcaf949fc9e80d5f549d1b9313c9ca57d3dfab10b5a5bcaae33820f43b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5017c68530a89253ed578df2471469c4

SHA1
b65595a4f9de7b57b6cddd5cc47bce43e03ca3cb

SHA256
136d0b9f768c674b65d7fbbcfe062b5af9b57742e3d4f830817b327215c770b4

SHA512
8e4247d9666e9505de2e756e910b567cd7623d5369597fe62bcceeb1c3905621ad28185fa1301c9a6f160c26ff05ffb2c8e2fc889f8069eb5772ac863cf074c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38d9f0ac6b2882dd10c20c36ee2ef177

SHA1
68edff5742314057da7733824a4d080837bbfbce

SHA256
a75bec48e18c9a15d708fde1dae05f1304e9b7ea75081f03bac73f7d625462bc

SHA512
36eb7c3c7833fbd381b21098cb07d8278f7f1efa728663f3714ef552cb0f8e9f17b70c5121537a63b35763d034170ac7176dbb14347a424172b6eb7152385967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9ac41b1e18727168caeb8e8e9499f78

SHA1
94aae90672cbf62041a91aa85af821bee3b495d0

SHA256
ccc68a822cc8cf2c8cc9422f5b3ee1b858ee87689d2e365e5735b2cd2aff2e91

SHA512
2eadd848e329db75794d89c81f4aa665ea22b11085221cdbcd049e23d15d7888b3f4af294a93b754e0bd9d1ff431bc3b8e717348a55f60414168e3e5055438cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1a74821cf253b3b10514a8a4b82f54d

SHA1
ed5854ba680d193083d2fc9344199864ccf21556

SHA256
44b8f32f1b7850452fcbc963723e93bc88b962dc89edd98d4076b4bc425e1694

SHA512
0e9d3fffd54384feaf26fc4755cd6e06bd25e325982e86ed992c6877c3c8819deda7ee43f8f8aeb496a2e69d96d9d7f03f67fc0e09acb2d50d8c8d1134dddc18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9581e86410a03631045be6e0cce9a5ec

SHA1
fc560a6baf312537e44e0b73851a89eac93fe845

SHA256
d3c2f7cce5f35ca25e6a4a0180062483c2bd1cfeb26abb5eef74526efe255185

SHA512
57c96f8004b67d21ec7dc6748d2cc769364689f1cdcd388da44fd68b62cc76ed0f40875e0949c03dd921e33713268e62b45b870d7a4aa9d1dcd89e2a806c48f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9581e86410a03631045be6e0cce9a5ec

SHA1
fc560a6baf312537e44e0b73851a89eac93fe845

SHA256
d3c2f7cce5f35ca25e6a4a0180062483c2bd1cfeb26abb5eef74526efe255185

SHA512
57c96f8004b67d21ec7dc6748d2cc769364689f1cdcd388da44fd68b62cc76ed0f40875e0949c03dd921e33713268e62b45b870d7a4aa9d1dcd89e2a806c48f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
232B

MD5
f02327cce3ab73333b516dea6d981d6f

SHA1
4151517083d2b7577e513ed8c66fb85557420f3c

SHA256
7548c55023f35602f8a5b282b749a42a619b7a80d9a0239cb6eb71a38d67549b

SHA512
09b9cf5766da851974e7ce4cec308d311c800052b3c27ee72f6da16c6eb89405bb7484628e76f16fc2bc5d34efdc08ddbeade5296e17d6ef13941ddfbbdac038

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

Filesize
232B

MD5
be0e6e44ff58caa89949f514b69e28eb

SHA1
c75263717ae3a36d4c0e9fe6a4421b8fe37d6d95

SHA256
d5ee0a51647380ad933b28d89bf9394ba13bf17f3949f37f182c5049aca5ad57

SHA512
d13c8ac9562a3fac18291b89ddd4b0f2d95c1a78f1c005c67420180cef09f3cb9b1176d749bc696392351a2089a1693a557624f2ccb0b4ceb8581f0503c07885

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
232B

MD5
e53e9733b8ee07838413640f9afff79c

SHA1
37bfd3647a9ab78a906f6824672457d172d81413

SHA256
55ff8225cfe127bda4ca1176773e31d4cb273cfd3cb9179dde98605ac768925a

SHA512
98785795ecdda0bdbc1c2116c6c2a72cf430107261a97ec51f0ca8d8af690db491c7accd46664570788ed78c5abb63064ca519c57891ed76939164f857ba41ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\EbIUhSFG2u.bat

Filesize
232B

MD5
9eb07f9695654b0f26ffbad176ee7083

SHA1
d41262d36069bfa1442a05f14d8f8a29ad27b726

SHA256
c5fac4b516052fcfcafb40e1b2ac9b442390b789f5e7ad26f380aa5291179f5a

SHA512
545531b64ec272406b528b6efec0861dddbfc966432c0a859d07898aa411035e68e01861170695ce7173d33e28cf84c96bd4b5b702a6642bb16a9d7cd9b281ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

Filesize
232B

MD5
b81f281e9efdf66dc555ba0bbe995c9e

SHA1
381219ae3099b914f7d9921be52bd5acf8b011fc

SHA256
1087ed112f72f86f04ca92c922ecaaf4f8846349bd34629edc75a251881dec51

SHA512
f8cbc42650d6207545146c405670e65dce2d2f826485b011f98324f463a08578b72e8162cf5b1fd6e6d723f941a8a0688edbe6ff0e430838d171681d414cb23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat

Filesize
232B

MD5
ba9cf31c5342c7730a5c01f44b4c327c

SHA1
bb58833e9d5d8ab731db58c4f413af0d932f3586

SHA256
425f81f1233cb2b3393d3bcdcd388e2680e501ed42950820258b6818f85ebefe

SHA512
aebff2e26c70ac784e8c86a5c1df45626a4c1de55a38210007646deb6cb5e34cb2c832fb520a3ec3bdf7f063eb4b3adca15aac7136a9880814fe83a4d6c5e43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
232B

MD5
dcd489b9e56faf0af9235b9a9827d498

SHA1
afec9df4774cbc799367e40abe491302dd0ffcfb

SHA256
a4398fbb629d88508479ed325c261d5cb95201ead735be873776bdbfec0778b5

SHA512
446944bd22fc7521cdd67ee624ca72aad5cacb19852f16ad37dd87d28da7993cd2945263fc0ef22734fbda79f8198715715b054156d01a39f8ac742a06143a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat

Filesize
232B

MD5
12211fb7e6387b6bfe4a5b290a912e60

SHA1
3e246254bcb0eef1e498ae06f1281ac66606d6fd

SHA256
e736130c660d446dcfe9e8b553d85014291ef20175eb5fa673bf69bebe961300

SHA512
5cb4490b3f5c6f36ce1664d1febeed9c5c3485c6945f84c0165ef1d6ebcf21659bb1f90a72c1355648695e6200068f4cb44c17fb6d7765670f4ac934e9ec9699

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
232B

MD5
fd543b61edf0daa50875c61c69f5a4ee

SHA1
f8bedbd27a9afefec735f75722fee8a79f9d0440

SHA256
f056570786d204c7ebd28e3dd399152744ec476c71544e00294969862e4b7761

SHA512
b9ddbb5cf1fe6d90b21b2e3465ebf60f51bc57cd2561d2000eebb6be0169dca488160b7a240ef0371933846883bbcdf6acc2ad63e0fcb1ab4dd2d3cc07d29bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
232B

MD5
68f09885cb8439d4a3b55d10c79fc699

SHA1
dfbe32ffddaf57ab98934ce046c04a03437ac782

SHA256
5bab0a60f757061cf4f8438e8903f9ae2166b4a5e67f930c14a623ced1d354ee

SHA512
641818c198cdf386a5db3e87b6eaaebd875873f41047b2ba44788ad46769839eb1c45ee2de03a6190a243e85c05243a117888204a01733309413c18c9eed08d4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1348-186-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1348-185-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-155-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-140-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-175-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-176-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-177-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-178-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-179-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-180-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-181-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-182-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-183-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-174-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-172-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-171-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-170-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-169-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-168-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-121-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-167-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-166-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-165-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-164-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-163-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-162-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-161-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-160-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-159-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-122-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-158-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-123-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-157-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-156-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-125-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-147-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-126-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-150-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-152-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-154-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-153-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-151-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-149-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-148-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-146-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-145-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-120-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-144-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-143-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-142-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-141-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-173-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-139-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-138-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-137-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-136-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-135-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-133-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-134-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-132-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-131-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-130-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-129-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/1460-128-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

Filesize
1.6MB

Download
memory/2168-836-0x0000000001840000-0x0000000001852000-memory.dmp

Filesize
72KB

Download
memory/3852-852-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/3876-877-0x0000000001570000-0x0000000001582000-memory.dmp

Filesize
72KB

Download
memory/3900-871-0x00000000026F0000-0x0000000002702000-memory.dmp

Filesize
72KB

Download
memory/4120-364-0x000001FEEFF90000-0x000001FEEFFB2000-memory.dmp

Filesize
136KB

Download
memory/4140-830-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/4980-288-0x0000000002F00000-0x0000000002F0C000-memory.dmp

Filesize
48KB

Download
memory/4980-289-0x0000000002F10000-0x0000000002F1C000-memory.dmp

Filesize
48KB

Download
memory/4980-287-0x0000000002EF0000-0x0000000002F02000-memory.dmp

Filesize
72KB

Download
memory/4980-290-0x0000000002F20000-0x0000000002F2C000-memory.dmp

Filesize
48KB

Download
memory/4980-286-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/5084-372-0x0000021DF8520000-0x0000021DF8596000-memory.dmp

Filesize
472KB

Download