dcrat | 76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64.exe
Size

1.3MB
MD5

9e8106f7ae8e8f19426c3b7b7481428a
SHA1

c7b3dd896230a96aba93e3b3fb58f831033cccb7
SHA256

76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64
SHA512

2fdd60ca2b345eb2ab5729d27cd6c859345a5090d7cc7b74be43cf1fb8748f3fae22795fda33155b8e036a03eb956dc3033d5153bfb3bdcb85d140d25004180d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3404	schtasks.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3404	schtasks.exe	47

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000022f45-137.dat	dcrat
behavioral1/files/0x0007000000022f45-138.dat	dcrat
behavioral1/memory/4384-139-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/files/0x0006000000022f55-215.dat	dcrat
behavioral1/files/0x0006000000022f55-216.dat	dcrat
behavioral1/files/0x0006000000022f55-223.dat	dcrat
behavioral1/files/0x0006000000022f55-231.dat	dcrat
behavioral1/files/0x0006000000022f55-238.dat	dcrat
behavioral1/files/0x0006000000022f55-245.dat	dcrat
behavioral1/files/0x0006000000022f55-252.dat	dcrat
behavioral1/files/0x0006000000022f55-259.dat	dcrat
behavioral1/files/0x0006000000022f55-266.dat	dcrat

Executes dropped EXE 9 IoCs

pid	Process
4384	DllCommonsvc.exe
5996	upfc.exe
5236	upfc.exe
5504	upfc.exe
5748	upfc.exe
4552	upfc.exe
1080	upfc.exe
5832	upfc.exe
2728	upfc.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\Download\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\es-ES\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Java\jre1.8.0_66\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\es-ES\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre1.8.0_66\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office16\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\c82b8037eab33d	DllCommonsvc.exe
File created	C:\Windows\ja-JP\WaaSMedicAgent.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1928	schtasks.exe
2012	schtasks.exe
3716	schtasks.exe
2380	schtasks.exe
3964	schtasks.exe
4960	schtasks.exe
4312	schtasks.exe
2336	schtasks.exe
2868	schtasks.exe
1824	schtasks.exe
4628	schtasks.exe
1168	schtasks.exe
1672	schtasks.exe
2320	schtasks.exe
1412	schtasks.exe
4864	schtasks.exe
2708	schtasks.exe
4516	schtasks.exe
3348	schtasks.exe
2888	schtasks.exe
4908	schtasks.exe
2128	schtasks.exe
4796	schtasks.exe
4456	schtasks.exe
4556	schtasks.exe
1112	schtasks.exe
4236	schtasks.exe
5092	schtasks.exe
4724	schtasks.exe
4616	schtasks.exe
2360	schtasks.exe
4884	schtasks.exe
1372	schtasks.exe
860	schtasks.exe
3772	schtasks.exe
3268	schtasks.exe
4416	schtasks.exe
3128	schtasks.exe
3792	schtasks.exe
1464	schtasks.exe
4804	schtasks.exe
3056	schtasks.exe
404	schtasks.exe
4776	schtasks.exe
4948	schtasks.exe
2172	schtasks.exe
1256	schtasks.exe
4692	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	upfc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4384	DllCommonsvc.exe
4228	powershell.exe
4228	powershell.exe
2208	powershell.exe
2208	powershell.exe
4768	powershell.exe
4768	powershell.exe
3564	powershell.exe
3564	powershell.exe
1528	powershell.exe
1528	powershell.exe
2976	powershell.exe
2976	powershell.exe
4468	powershell.exe
4468	powershell.exe
4264	powershell.exe
4264	powershell.exe
3480	powershell.exe
3480	powershell.exe
3276	powershell.exe
3276	powershell.exe
64	powershell.exe
64	powershell.exe
3828	powershell.exe
3828	powershell.exe
3996	powershell.exe
488	powershell.exe
488	powershell.exe
3996	powershell.exe
4888	powershell.exe
4888	powershell.exe
1800	powershell.exe
1800	powershell.exe
3156	powershell.exe
3156	powershell.exe
4228	powershell.exe
4228	powershell.exe
2208	powershell.exe
2208	powershell.exe
4768	powershell.exe
4768	powershell.exe
3564	powershell.exe
3564	powershell.exe
2976	powershell.exe
2976	powershell.exe
4264	powershell.exe
4468	powershell.exe
4468	powershell.exe
1528	powershell.exe
1528	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	DllCommonsvc.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	5996	upfc.exe
Token: SeDebugPrivilege	5236	upfc.exe
Token: SeDebugPrivilege	5504	upfc.exe
Token: SeDebugPrivilege	5748	upfc.exe
Token: SeDebugPrivilege	4552	upfc.exe
Token: SeDebugPrivilege	1080	upfc.exe
Token: SeDebugPrivilege	5832	upfc.exe
Token: SeDebugPrivilege	2728	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 3996	4640	76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64.exe	81
PID 4640 wrote to memory of 3996	4640	76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64.exe	81
PID 4640 wrote to memory of 3996	4640	76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64.exe	81
PID 3996 wrote to memory of 4920	3996	WScript.exe	85
PID 3996 wrote to memory of 4920	3996	WScript.exe	85
PID 3996 wrote to memory of 4920	3996	WScript.exe	85
PID 4920 wrote to memory of 4384	4920	cmd.exe	87
PID 4920 wrote to memory of 4384	4920	cmd.exe	87
PID 4384 wrote to memory of 4264	4384	DllCommonsvc.exe	137
PID 4384 wrote to memory of 4264	4384	DllCommonsvc.exe	137
PID 4384 wrote to memory of 4228	4384	DllCommonsvc.exe	138
PID 4384 wrote to memory of 4228	4384	DllCommonsvc.exe	138
PID 4384 wrote to memory of 4768	4384	DllCommonsvc.exe	139
PID 4384 wrote to memory of 4768	4384	DllCommonsvc.exe	139
PID 4384 wrote to memory of 2208	4384	DllCommonsvc.exe	141
PID 4384 wrote to memory of 2208	4384	DllCommonsvc.exe	141
PID 4384 wrote to memory of 3564	4384	DllCommonsvc.exe	143
PID 4384 wrote to memory of 3564	4384	DllCommonsvc.exe	143
PID 4384 wrote to memory of 1528	4384	DllCommonsvc.exe	144
PID 4384 wrote to memory of 1528	4384	DllCommonsvc.exe	144
PID 4384 wrote to memory of 4468	4384	DllCommonsvc.exe	155
PID 4384 wrote to memory of 4468	4384	DllCommonsvc.exe	155
PID 4384 wrote to memory of 2976	4384	DllCommonsvc.exe	146
PID 4384 wrote to memory of 2976	4384	DllCommonsvc.exe	146
PID 4384 wrote to memory of 3480	4384	DllCommonsvc.exe	147
PID 4384 wrote to memory of 3480	4384	DllCommonsvc.exe	147
PID 4384 wrote to memory of 64	4384	DllCommonsvc.exe	149
PID 4384 wrote to memory of 64	4384	DllCommonsvc.exe	149
PID 4384 wrote to memory of 3276	4384	DllCommonsvc.exe	151
PID 4384 wrote to memory of 3276	4384	DllCommonsvc.exe	151
PID 4384 wrote to memory of 3828	4384	DllCommonsvc.exe	157
PID 4384 wrote to memory of 3828	4384	DllCommonsvc.exe	157
PID 4384 wrote to memory of 488	4384	DllCommonsvc.exe	158
PID 4384 wrote to memory of 488	4384	DllCommonsvc.exe	158
PID 4384 wrote to memory of 3996	4384	DllCommonsvc.exe	168
PID 4384 wrote to memory of 3996	4384	DllCommonsvc.exe	168
PID 4384 wrote to memory of 1800	4384	DllCommonsvc.exe	160
PID 4384 wrote to memory of 1800	4384	DllCommonsvc.exe	160
PID 4384 wrote to memory of 4888	4384	DllCommonsvc.exe	162
PID 4384 wrote to memory of 4888	4384	DllCommonsvc.exe	162
PID 4384 wrote to memory of 3156	4384	DllCommonsvc.exe	163
PID 4384 wrote to memory of 3156	4384	DllCommonsvc.exe	163
PID 4384 wrote to memory of 4556	4384	DllCommonsvc.exe	173
PID 4384 wrote to memory of 4556	4384	DllCommonsvc.exe	173
PID 4556 wrote to memory of 5508	4556	cmd.exe	175
PID 4556 wrote to memory of 5508	4556	cmd.exe	175
PID 4556 wrote to memory of 5996	4556	cmd.exe	177
PID 4556 wrote to memory of 5996	4556	cmd.exe	177
PID 5996 wrote to memory of 6116	5996	upfc.exe	178
PID 5996 wrote to memory of 6116	5996	upfc.exe	178
PID 6116 wrote to memory of 2840	6116	cmd.exe	180
PID 6116 wrote to memory of 2840	6116	cmd.exe	180
PID 6116 wrote to memory of 5236	6116	cmd.exe	181
PID 6116 wrote to memory of 5236	6116	cmd.exe	181
PID 5236 wrote to memory of 5516	5236	upfc.exe	182
PID 5236 wrote to memory of 5516	5236	upfc.exe	182
PID 5516 wrote to memory of 5336	5516	cmd.exe	184
PID 5516 wrote to memory of 5336	5516	cmd.exe	184
PID 5516 wrote to memory of 5504	5516	cmd.exe	185
PID 5516 wrote to memory of 5504	5516	cmd.exe	185
PID 5504 wrote to memory of 5448	5504	upfc.exe	186
PID 5504 wrote to memory of 5448	5504	upfc.exe	186
PID 5448 wrote to memory of 5608	5448	cmd.exe	188
PID 5448 wrote to memory of 5608	5448	cmd.exe	188

C:\Users\Admin\AppData\Local\Temp\76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64.exe
"C:\Users\Admin\AppData\Local\Temp\76b6ad8d398bed7d393080c714a5e8c2657b7aea7b299215239c12d96ea9cb64.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\upfc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre1.8.0_66\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\upfc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\WaaSMedicAgent.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Download\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IbptgF5Rfz.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5508
      - C:\odt\upfc.exe
        
        "C:\odt\upfc.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:6116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2840
        
        C:\odt\upfc.exe
        
        "C:\odt\upfc.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5336
        
        C:\odt\upfc.exe
        
        "C:\odt\upfc.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5608
        
        C:\odt\upfc.exe
        
        "C:\odt\upfc.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"
        13⤵
        
        PID:5764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2760
        
        C:\odt\upfc.exe
        
        "C:\odt\upfc.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        15⤵
        
        PID:3816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1284
        
        C:\odt\upfc.exe
        
        "C:\odt\upfc.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        17⤵
        
        PID:4796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4584
        
        C:\odt\upfc.exe
        
        "C:\odt\upfc.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        19⤵
        
        PID:5288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1992
        
        C:\odt\upfc.exe
        
        "C:\odt\upfc.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
        21⤵
        
        PID:3876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre1.8.0_66\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre1.8.0_66\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\My Documents\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\ja-JP\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Updates\Download\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Updates\Download\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1493691a002357de8a77b50b68312cc2

SHA1
b6e0eeeb6bd8b1b95334c158f395b1b7e3316420

SHA256
0755868f00d3a86427dd7117f5cb7e1aa8abb83de6cb3a42c110efd3840836fe

SHA512
9c011d10ff5ff38771364b848ab3b5d0c38e3331a0c5090f6ca398e5cf6a4ed77ec4323fc84fd4f9b4da0e259838c40ceaeef52e5da33eefeabbb31d97eb68b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1493691a002357de8a77b50b68312cc2

SHA1
b6e0eeeb6bd8b1b95334c158f395b1b7e3316420

SHA256
0755868f00d3a86427dd7117f5cb7e1aa8abb83de6cb3a42c110efd3840836fe

SHA512
9c011d10ff5ff38771364b848ab3b5d0c38e3331a0c5090f6ca398e5cf6a4ed77ec4323fc84fd4f9b4da0e259838c40ceaeef52e5da33eefeabbb31d97eb68b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1493691a002357de8a77b50b68312cc2

SHA1
b6e0eeeb6bd8b1b95334c158f395b1b7e3316420

SHA256
0755868f00d3a86427dd7117f5cb7e1aa8abb83de6cb3a42c110efd3840836fe

SHA512
9c011d10ff5ff38771364b848ab3b5d0c38e3331a0c5090f6ca398e5cf6a4ed77ec4323fc84fd4f9b4da0e259838c40ceaeef52e5da33eefeabbb31d97eb68b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1493691a002357de8a77b50b68312cc2

SHA1
b6e0eeeb6bd8b1b95334c158f395b1b7e3316420

SHA256
0755868f00d3a86427dd7117f5cb7e1aa8abb83de6cb3a42c110efd3840836fe

SHA512
9c011d10ff5ff38771364b848ab3b5d0c38e3331a0c5090f6ca398e5cf6a4ed77ec4323fc84fd4f9b4da0e259838c40ceaeef52e5da33eefeabbb31d97eb68b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8e43a65cf1d00049977a7b287ba88a81

SHA1
8692eda4be475e97f5996e371070d034f5af817d

SHA256
381a26ab19917a6aff5f35b1223f4f32ae1ea83ac5e1259109f22560b68c3d77

SHA512
8fc9901f505bdbefbcd33392c7175f1c61ab9a771bd9a4217baabf37841a002206e3a3d3d734a05afeaa0a95149713ac7f72aa4240e3e1281db7be06d2378002

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
180B

MD5
80c60290760c4fcafe1bb35975fee846

SHA1
c9b90df49d36c518430973df14dbe55f7e354d01

SHA256
dca5ef0b98241785b5ecebb945f3416c0f2ceb1a4609f148fd94939a6050a5be

SHA512
18f569952e5e6d12ed39e929c12595acd7212582a2644602c528b7c6260ad05ef59085984d7c63f5c2d5cebb9ac0f2c7f41f0aed5644491eb46aaf5829fb0762

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
180B

MD5
6cba4cc6ec8ad2b3c689095339445097

SHA1
3ec6b906359ad1c61a370e68724eb03de5389d9c

SHA256
fadf59f2415bb2e95a0663aee48c74afc21ff6f77cb8322c91943167ec9ab91a

SHA512
2f5a6a9d7c8b0381c740bf113943df4c01e6c7676bc7a91d875cc98571f2168172415e52487ef1e5cad6e9b717f69aa070e4c1b8503fd87a9dc2c1d2740deec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
180B

MD5
6cba4cc6ec8ad2b3c689095339445097

SHA1
3ec6b906359ad1c61a370e68724eb03de5389d9c

SHA256
fadf59f2415bb2e95a0663aee48c74afc21ff6f77cb8322c91943167ec9ab91a

SHA512
2f5a6a9d7c8b0381c740bf113943df4c01e6c7676bc7a91d875cc98571f2168172415e52487ef1e5cad6e9b717f69aa070e4c1b8503fd87a9dc2c1d2740deec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

Filesize
180B

MD5
4381c2ca247f0bca7b94b88f1bf9d597

SHA1
589433bb512a616d1dfcef59c7431b37aa109e87

SHA256
64208a663e92fd52669b8661362fe51a50c13e303eb6a7e9512de65e925a6a45

SHA512
7f891f74353bddd02caf38d26969686f94a8730713a756797321707e92c9da1d589b676187e3ac1779a7e920b9b271a01c3b72d32c4bba8d2512e28e670a9896

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
180B

MD5
0da66dbed1b18df0f5408c6c97ebb7e2

SHA1
0cb064c56d9a148388e83e0631ee1b561ac21fd0

SHA256
a72f4b148ff1f9cd84d1444e9fdd94d8693a2f4f288694a1662f937b0d395be6

SHA512
b42bd2e2d69b118719c64f642fb188f5c5b14b05c329be0bd0fb03ebc11876872f77e5592a78d4232eac71d8ac653f35064cf5062e357774d0a7622108d5cff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IbptgF5Rfz.bat

Filesize
180B

MD5
011477b95c3b257d24e4213d1dab6752

SHA1
7346cee0c66e447555848d9091d36f70347c5252

SHA256
4aad0808f40279efcce4ac396fac75c51738cdfadc95a5ee4afb816692d8cad3

SHA512
7b591fffabbdb59c427c6d1dc00d6cdfa917610b65c67a1baf3b510f3d974240399b7d972eb1b57ec800c1917a6ed3310aac99c77db457db98317688989fbfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
180B

MD5
516ba4ffa90e8af13e037b36f8742573

SHA1
8ae9f6cdda890493f6cef0895747c213559c31f7

SHA256
4fd3479760b8f898570d56a0e22b516b32c86dd461143feb6b83fd46e5bc3a31

SHA512
815dcf562ad545ac507af9db66c7b0d7b08cd670e81dad142d3b9e90c8330279278b8ddc1479168aa48eb86507be6e846b47e112c73865b47cc81b30dbb536cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat

Filesize
180B

MD5
8cb772d9890b4f6596d48a53b1288d75

SHA1
664e860be3652bacab2072be8408ff6a50437a96

SHA256
4f1d697e2f68d48b3575ac03baa24ead7dbf4eb7670c1f6584d10bf49d7c3b37

SHA512
8edd3613a840b041091841e25d6741cdcee399c79bee04cd7ee8278c081bc2a8cf3b669fee4b240bfe95115829161a436deae0f6e383ce43632d1351fda18d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
180B

MD5
68c4431aacd6c4f9663a2db1fc6fa356

SHA1
3523b85dd8262658470d15847445e9f8bcd7d2de

SHA256
32e937351e898f73bfb27fcbf942ddc939f4e67f6753df636e9f7277fa73341a

SHA512
c42a79e4fd4fa17b5994a3223ccc406ec729ba7c6fda446d2d26648ed522d87f65d1fda6a1a9f27e44bf30aa83c75440a82258deb30654ebb6124928a0547fdc

Download Submit
C:\odt\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/64-176-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/64-196-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/488-178-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/488-210-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/1080-253-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/1080-257-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/1528-198-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/1528-164-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/1800-179-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/1800-211-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/2208-189-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/2208-161-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/2728-267-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/2728-271-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/2976-165-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/2976-190-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3156-172-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3156-208-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3276-168-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3276-203-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3480-175-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3480-191-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3564-188-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3564-162-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3828-201-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3828-169-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3996-170-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/3996-213-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4228-154-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4228-186-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4228-157-0x000001DB7F0E0000-0x000001DB7F102000-memory.dmp

Filesize
136KB

Download
memory/4264-166-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4264-202-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4384-167-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4384-140-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4384-139-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/4468-174-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4468-195-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4552-250-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4552-246-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4768-158-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4768-187-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4888-171-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/4888-209-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5236-225-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5236-229-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5504-232-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5504-236-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5748-239-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5748-243-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5832-260-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5832-264-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5996-221-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download
memory/5996-217-0x00007FFE848A0000-0x00007FFE85361000-memory.dmp

Filesize
10.8MB

Download