dcrat | d76734ad8f1dcd59e2014e66a98c2384a55e7fa666916f4253dfdbd551869b95

Analysis

max time kernel
146s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d76734ad8f1dcd59e2014e66a98c2384a55e7fa666916f4253dfdbd551869b95.exe
Size

1.3MB
MD5

1737555fcd9ad520575e08e75fea771d
SHA1

7fb90d06e16094c2f9fb307fa8ed2f67ae64fed7
SHA256

d76734ad8f1dcd59e2014e66a98c2384a55e7fa666916f4253dfdbd551869b95
SHA512

b14ece5d88b1f2566ca2443b6f9fc86aebf023c1df110d7773480311ffd301e13a6db6e69376c1297118ee3855eaa2c612a23478e12c24fefb3d653174290b59
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	4504	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	4504	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abd2-284.dat	dcrat
behavioral1/files/0x000800000001abd2-285.dat	dcrat
behavioral1/memory/4156-286-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/files/0x000600000001abf2-346.dat	dcrat
behavioral1/files/0x000600000001abf2-344.dat	dcrat
behavioral1/files/0x000600000001abf2-825.dat	dcrat
behavioral1/files/0x000600000001abf2-832.dat	dcrat
behavioral1/files/0x000600000001abf2-838.dat	dcrat
behavioral1/files/0x000600000001abf2-843.dat	dcrat
behavioral1/files/0x000600000001abf2-848.dat	dcrat
behavioral1/files/0x000600000001abf2-853.dat	dcrat
behavioral1/files/0x000600000001abf2-858.dat	dcrat
behavioral1/files/0x000600000001abf2-863.dat	dcrat
behavioral1/files/0x000600000001abf2-869.dat	dcrat
behavioral1/files/0x000600000001abf2-874.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4156	DllCommonsvc.exe
3500	OfficeClickToRun.exe
2684	OfficeClickToRun.exe
2764	OfficeClickToRun.exe
1560	OfficeClickToRun.exe
4336	OfficeClickToRun.exe
4500	OfficeClickToRun.exe
380	OfficeClickToRun.exe
4732	OfficeClickToRun.exe
3940	OfficeClickToRun.exe
1424	OfficeClickToRun.exe
4648	OfficeClickToRun.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\it-IT\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\it-IT\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\de-DE\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4960	schtasks.exe
3756	schtasks.exe
4672	schtasks.exe
1260	schtasks.exe
1220	schtasks.exe
3140	schtasks.exe
3908	schtasks.exe
4540	schtasks.exe
4340	schtasks.exe
3656	schtasks.exe
4288	schtasks.exe
4572	schtasks.exe
3116	schtasks.exe
4600	schtasks.exe
4112	schtasks.exe
1620	schtasks.exe
608	schtasks.exe
1008	schtasks.exe
1164	schtasks.exe
1096	schtasks.exe
4316	schtasks.exe
800	schtasks.exe
992	schtasks.exe
1788	schtasks.exe
4428	schtasks.exe
4492	schtasks.exe
4656	schtasks.exe
1856	schtasks.exe
848	schtasks.exe
4992	schtasks.exe
4556	schtasks.exe
4524	schtasks.exe
4632	schtasks.exe
4476	schtasks.exe
4620	schtasks.exe
4880	schtasks.exe
4508	schtasks.exe
4956	schtasks.exe
3808	schtasks.exe
4308	schtasks.exe
644	schtasks.exe
692	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	d76734ad8f1dcd59e2014e66a98c2384a55e7fa666916f4253dfdbd551869b95.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4156	DllCommonsvc.exe
4156	DllCommonsvc.exe
4156	DllCommonsvc.exe
4156	DllCommonsvc.exe
4156	DllCommonsvc.exe
4156	DllCommonsvc.exe
4156	DllCommonsvc.exe
4156	DllCommonsvc.exe
4156	DllCommonsvc.exe
2224	powershell.exe
2224	powershell.exe
2252	powershell.exe
2252	powershell.exe
2200	powershell.exe
2200	powershell.exe
1496	powershell.exe
1496	powershell.exe
1848	powershell.exe
1848	powershell.exe
4696	powershell.exe
4696	powershell.exe
2812	powershell.exe
2812	powershell.exe
1496	powershell.exe
2420	powershell.exe
2420	powershell.exe
2352	powershell.exe
2352	powershell.exe
3768	powershell.exe
3768	powershell.exe
2868	powershell.exe
2868	powershell.exe
4712	powershell.exe
4712	powershell.exe
4796	powershell.exe
4796	powershell.exe
3352	powershell.exe
3352	powershell.exe
936	powershell.exe
936	powershell.exe
3500	OfficeClickToRun.exe
3500	OfficeClickToRun.exe
2420	powershell.exe
1496	powershell.exe
2224	powershell.exe
4696	powershell.exe
2252	powershell.exe
2200	powershell.exe
2812	powershell.exe
1848	powershell.exe
3768	powershell.exe
2420	powershell.exe
2352	powershell.exe
4712	powershell.exe
2868	powershell.exe
4796	powershell.exe
3352	powershell.exe
936	powershell.exe
4696	powershell.exe
2252	powershell.exe
2252	powershell.exe
2352	powershell.exe
3768	powershell.exe
4712	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	DllCommonsvc.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	3500	OfficeClickToRun.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeIncreaseQuotaPrivilege	1496	powershell.exe
Token: SeSecurityPrivilege	1496	powershell.exe
Token: SeTakeOwnershipPrivilege	1496	powershell.exe
Token: SeLoadDriverPrivilege	1496	powershell.exe
Token: SeSystemProfilePrivilege	1496	powershell.exe
Token: SeSystemtimePrivilege	1496	powershell.exe
Token: SeProfSingleProcessPrivilege	1496	powershell.exe
Token: SeIncBasePriorityPrivilege	1496	powershell.exe
Token: SeCreatePagefilePrivilege	1496	powershell.exe
Token: SeBackupPrivilege	1496	powershell.exe
Token: SeRestorePrivilege	1496	powershell.exe
Token: SeShutdownPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeSystemEnvironmentPrivilege	1496	powershell.exe
Token: SeRemoteShutdownPrivilege	1496	powershell.exe
Token: SeUndockPrivilege	1496	powershell.exe
Token: SeManageVolumePrivilege	1496	powershell.exe
Token: 33	1496	powershell.exe
Token: 34	1496	powershell.exe
Token: 35	1496	powershell.exe
Token: 36	1496	powershell.exe
Token: SeIncreaseQuotaPrivilege	2420	powershell.exe
Token: SeSecurityPrivilege	2420	powershell.exe
Token: SeTakeOwnershipPrivilege	2420	powershell.exe
Token: SeLoadDriverPrivilege	2420	powershell.exe
Token: SeSystemProfilePrivilege	2420	powershell.exe
Token: SeSystemtimePrivilege	2420	powershell.exe
Token: SeProfSingleProcessPrivilege	2420	powershell.exe
Token: SeIncBasePriorityPrivilege	2420	powershell.exe
Token: SeCreatePagefilePrivilege	2420	powershell.exe
Token: SeBackupPrivilege	2420	powershell.exe
Token: SeRestorePrivilege	2420	powershell.exe
Token: SeShutdownPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeSystemEnvironmentPrivilege	2420	powershell.exe
Token: SeRemoteShutdownPrivilege	2420	powershell.exe
Token: SeUndockPrivilege	2420	powershell.exe
Token: SeManageVolumePrivilege	2420	powershell.exe
Token: 33	2420	powershell.exe
Token: 34	2420	powershell.exe
Token: 35	2420	powershell.exe
Token: 36	2420	powershell.exe
Token: SeIncreaseQuotaPrivilege	2252	powershell.exe
Token: SeSecurityPrivilege	2252	powershell.exe
Token: SeTakeOwnershipPrivilege	2252	powershell.exe
Token: SeLoadDriverPrivilege	2252	powershell.exe
Token: SeSystemProfilePrivilege	2252	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4012	2704	d76734ad8f1dcd59e2014e66a98c2384a55e7fa666916f4253dfdbd551869b95.exe	66
PID 2704 wrote to memory of 4012	2704	d76734ad8f1dcd59e2014e66a98c2384a55e7fa666916f4253dfdbd551869b95.exe	66
PID 2704 wrote to memory of 4012	2704	d76734ad8f1dcd59e2014e66a98c2384a55e7fa666916f4253dfdbd551869b95.exe	66
PID 4012 wrote to memory of 4860	4012	WScript.exe	67
PID 4012 wrote to memory of 4860	4012	WScript.exe	67
PID 4012 wrote to memory of 4860	4012	WScript.exe	67
PID 4860 wrote to memory of 4156	4860	cmd.exe	69
PID 4860 wrote to memory of 4156	4860	cmd.exe	69
PID 4156 wrote to memory of 2252	4156	DllCommonsvc.exe	113
PID 4156 wrote to memory of 2252	4156	DllCommonsvc.exe	113
PID 4156 wrote to memory of 2224	4156	DllCommonsvc.exe	142
PID 4156 wrote to memory of 2224	4156	DllCommonsvc.exe	142
PID 4156 wrote to memory of 2200	4156	DllCommonsvc.exe	114
PID 4156 wrote to memory of 2200	4156	DllCommonsvc.exe	114
PID 4156 wrote to memory of 1496	4156	DllCommonsvc.exe	139
PID 4156 wrote to memory of 1496	4156	DllCommonsvc.exe	139
PID 4156 wrote to memory of 1848	4156	DllCommonsvc.exe	115
PID 4156 wrote to memory of 1848	4156	DllCommonsvc.exe	115
PID 4156 wrote to memory of 4696	4156	DllCommonsvc.exe	137
PID 4156 wrote to memory of 4696	4156	DllCommonsvc.exe	137
PID 4156 wrote to memory of 2812	4156	DllCommonsvc.exe	118
PID 4156 wrote to memory of 2812	4156	DllCommonsvc.exe	118
PID 4156 wrote to memory of 2420	4156	DllCommonsvc.exe	119
PID 4156 wrote to memory of 2420	4156	DllCommonsvc.exe	119
PID 4156 wrote to memory of 2352	4156	DllCommonsvc.exe	120
PID 4156 wrote to memory of 2352	4156	DllCommonsvc.exe	120
PID 4156 wrote to memory of 3768	4156	DllCommonsvc.exe	121
PID 4156 wrote to memory of 3768	4156	DllCommonsvc.exe	121
PID 4156 wrote to memory of 2868	4156	DllCommonsvc.exe	122
PID 4156 wrote to memory of 2868	4156	DllCommonsvc.exe	122
PID 4156 wrote to memory of 4712	4156	DllCommonsvc.exe	123
PID 4156 wrote to memory of 4712	4156	DllCommonsvc.exe	123
PID 4156 wrote to memory of 4796	4156	DllCommonsvc.exe	124
PID 4156 wrote to memory of 4796	4156	DllCommonsvc.exe	124
PID 4156 wrote to memory of 3352	4156	DllCommonsvc.exe	125
PID 4156 wrote to memory of 3352	4156	DllCommonsvc.exe	125
PID 4156 wrote to memory of 936	4156	DllCommonsvc.exe	130
PID 4156 wrote to memory of 936	4156	DllCommonsvc.exe	130
PID 4156 wrote to memory of 3500	4156	DllCommonsvc.exe	143
PID 4156 wrote to memory of 3500	4156	DllCommonsvc.exe	143
PID 3500 wrote to memory of 3144	3500	OfficeClickToRun.exe	145
PID 3500 wrote to memory of 3144	3500	OfficeClickToRun.exe	145
PID 3144 wrote to memory of 3460	3144	cmd.exe	147
PID 3144 wrote to memory of 3460	3144	cmd.exe	147
PID 3144 wrote to memory of 2684	3144	cmd.exe	148
PID 3144 wrote to memory of 2684	3144	cmd.exe	148
PID 2684 wrote to memory of 4620	2684	OfficeClickToRun.exe	149
PID 2684 wrote to memory of 4620	2684	OfficeClickToRun.exe	149
PID 4620 wrote to memory of 96	4620	cmd.exe	151
PID 4620 wrote to memory of 96	4620	cmd.exe	151
PID 4620 wrote to memory of 2764	4620	cmd.exe	152
PID 4620 wrote to memory of 2764	4620	cmd.exe	152
PID 2764 wrote to memory of 2672	2764	OfficeClickToRun.exe	153
PID 2764 wrote to memory of 2672	2764	OfficeClickToRun.exe	153
PID 2672 wrote to memory of 4440	2672	cmd.exe	155
PID 2672 wrote to memory of 4440	2672	cmd.exe	155
PID 2672 wrote to memory of 1560	2672	cmd.exe	156
PID 2672 wrote to memory of 1560	2672	cmd.exe	156
PID 1560 wrote to memory of 4412	1560	OfficeClickToRun.exe	157
PID 1560 wrote to memory of 4412	1560	OfficeClickToRun.exe	157
PID 4412 wrote to memory of 4304	4412	cmd.exe	159
PID 4412 wrote to memory of 4304	4412	cmd.exe	159
PID 4412 wrote to memory of 4336	4412	cmd.exe	160
PID 4412 wrote to memory of 4336	4412	cmd.exe	160

C:\Users\Admin\AppData\Local\Temp\d76734ad8f1dcd59e2014e66a98c2384a55e7fa666916f4253dfdbd551869b95.exe
"C:\Users\Admin\AppData\Local\Temp\d76734ad8f1dcd59e2014e66a98c2384a55e7fa666916f4253dfdbd551869b95.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\it-IT\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3460
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:96
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4440
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4304
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        14⤵
        
        PID:3508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4476
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat"
        16⤵
        
        PID:3892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3620
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
        18⤵
        
        PID:4352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4864
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
        20⤵
        
        PID:5020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2068
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
        22⤵
        
        PID:372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2676
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
        24⤵
        
        PID:5104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:164
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        26⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\it-IT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\odt\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
07e9ebd1768bbfac14eff60234aebfa0

SHA1
87bc35c711c7dab29a040f8a571d602ce0ad0978

SHA256
f391766501b84dcadd915caf3232ba362316aa6fe7f16f9370ca13e181074ef9

SHA512
02e6fbae4b35ffe252da7509b4509a9c846b54aa720ad6b85e2dd67d3e84da7be451365b84267ad653d2a1f5ebd083458e4f06fe0a780022cc55b47b58a39f7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
31cd8b0643a9aa0c7633f23d25b7193e

SHA1
da45fa0ac52e351554357de5ba14bc2465ce860d

SHA256
aae211784186b18e410f71b9df33f89c3927876b5b69c2c163517f1b73d43e07

SHA512
c0ad758cbcab9877012e8c6baa587a4c8f9f8b380cbe581c3d662a388889ddab82ae3d93b8c6977346efc91b7f0a994e018122a9ac6fa05ebd5360f85544ab7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
15c283e4c5ed5f5e77b35a9da99fe5d6

SHA1
0b9e03deed608ffd0ac492f2283ca60043886bac

SHA256
4de8e074f63ab9cc7ecf6390cad42c0f806abb73faadfa11ac2f3322075ff864

SHA512
91c88ba59f670ce9401c2343b9deb96b159c11f9f5cfebf4188ea6d2a37412229d8ed2fe9f3121a6ac5bab8140f0e973240a455c8ee5c288409baf5cd0eb60a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
15265d9fb718d61daca7a723fceacbd2

SHA1
138e445e0c1b99f87f633e86423ffa7b48ee9172

SHA256
1eff8b255ebef7894917cb6e211fad9a33e947a6e7e627a76255cce1c33b2c57

SHA512
bcc0c15f7c200c65e65914310d90a37f6bdafefeadb51020f78e71faab08dfb45aa75633afcd2c3e92950396c7b2ae2198e4ea029d7bc47da6b2562dc9f6d770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
15265d9fb718d61daca7a723fceacbd2

SHA1
138e445e0c1b99f87f633e86423ffa7b48ee9172

SHA256
1eff8b255ebef7894917cb6e211fad9a33e947a6e7e627a76255cce1c33b2c57

SHA512
bcc0c15f7c200c65e65914310d90a37f6bdafefeadb51020f78e71faab08dfb45aa75633afcd2c3e92950396c7b2ae2198e4ea029d7bc47da6b2562dc9f6d770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ef5deab9cadfdb37c7ae8412884e8b2

SHA1
81a702fdb7dcf3efc3e7e324ccee48b93d32ce4e

SHA256
9d1bc2059e3a45842f52bb75418c502f80c7545dc86226feb445f9d7d04999c6

SHA512
ebce0ace14386963c1b025b89250622759735ac35e185799186e4f74daed7491ca2abed280aac88463dfdfc7e20ef6c1b2a0727e2959c86f4893704aa5936ed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77263f2880b7806d7457c2cc82d88920

SHA1
c11bad696cd328291a5cb73f443db911105ba863

SHA256
08045bd9d527e04d6e0535ad301af87ae658fea2c0cbc2c2546b5aacc51cf046

SHA512
2f775fffbe9c4843d46fe0d8e4869b1ca06683f6a3f6fb95b6ea127e36496cc15ff48f902549167e2028331848f34dffe034160bbe7f7013033c11ff378c6e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e107e36b02c6b480bd619331b6412c7

SHA1
649491c0c36c8bde2a696fdc45038005354d6766

SHA256
51583b401980817d1f645c162b7e623283f3be4d0653e16c5e352e840d02dd4d

SHA512
4f5587211ab7be312700a9d1cfbd298e3b4228dfa11cfaa64c8137501039e5010298d32a5f174fc89c446a35806e8e82ccae532eb56b6efea04631e2597441f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa5a89932ef381bade7130aee17c4cc8

SHA1
79ef67a86e3635e130f35b2e4a3e37160e9e9b78

SHA256
8ac2623dd97fdb3a949a2931c0dc4f257412126fdf3505ae35d9a78e1d916c17

SHA512
3b7ff21dc661e6d2ebd03ad990445b59ec76db83e6e3e0678789081cfc2d2ba4e6f33194a49cd6a35c1b07d522a2604ee4124f9c1b5d43e7bc5be519143408b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa5a89932ef381bade7130aee17c4cc8

SHA1
79ef67a86e3635e130f35b2e4a3e37160e9e9b78

SHA256
8ac2623dd97fdb3a949a2931c0dc4f257412126fdf3505ae35d9a78e1d916c17

SHA512
3b7ff21dc661e6d2ebd03ad990445b59ec76db83e6e3e0678789081cfc2d2ba4e6f33194a49cd6a35c1b07d522a2604ee4124f9c1b5d43e7bc5be519143408b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
418db2686af744458bfe9a7c0568016a

SHA1
75cb8174a00d029c0cdaa5af9929eff5df439d40

SHA256
0ab935c8eb920f0146667b6579492f1cf1fd4c652c2aa99757e9d62303986f8b

SHA512
a64fe9c550970af9e51fdc044cf8ed855c839f291905c192e2a09bce1998045e33ea9b2ecca62cb93152f62c226faea1657b065d1d8f67eb64f70ea44e50ef22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
418db2686af744458bfe9a7c0568016a

SHA1
75cb8174a00d029c0cdaa5af9929eff5df439d40

SHA256
0ab935c8eb920f0146667b6579492f1cf1fd4c652c2aa99757e9d62303986f8b

SHA512
a64fe9c550970af9e51fdc044cf8ed855c839f291905c192e2a09bce1998045e33ea9b2ecca62cb93152f62c226faea1657b065d1d8f67eb64f70ea44e50ef22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
586a73c15bade3e6431a1a2f2d651dfd

SHA1
ad50e47ae724fc0a81b7f1f1843ad5f9ea63c721

SHA256
b084fed0d2175cb1017a6c39a198777ed1555d147767ea3c2265a7aa35895fc6

SHA512
6b2eeb1ff6804af2f689e91c214bea585812849b54b943ff6e0ce846ca9f90bd264ecbdac5dac613c773cf4c453168832564295014999e9ac2560b2afd3d3f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03eb209c92013c7c199ee5f31cf9cc5e

SHA1
c5b5ea4d7f59f9f61514752cec772136a0a9b3fc

SHA256
2b1bcad9ab9733cce267ad83340d67d2f5df13becc615ad5eb87cf0bde0670df

SHA512
f5d7d8a0d8a32c9de5282febad7c96c086d67fba5645f66e0c3296ef2a7b14eb4d828725b46aceb7229fae61b1d795d45de2cef5c2040fceac9671da772448a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat

Filesize
207B

MD5
338110d86b156c300f3311745ed5fd81

SHA1
3ad4522e2a9ad80e86f1395a17b658958df74684

SHA256
8a1660f6974bc79d4c8929852be60f60bde7da0fecc85de63313b320f15de618

SHA512
8504b34f20ae3cdabb71d1e03cf80a45cd726fa350b8ec26078ae765634643b0c427bb445ac2904c950e201616ea57a9c7fe0b8f35a65d5b76735f1be5883526

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat

Filesize
207B

MD5
84b049107a55073db842512dd9008c05

SHA1
7f127493cc24e580054f5c0637f342bdef553647

SHA256
bf984ec4115fe4682cc91875b150bf680703185d4b84c9d526c7773db375db58

SHA512
41a33706a57ea7af905d815a88e97576cfe043a46960260da83d1e4f5e4defdc99538d17169f950d16528b321fd285ed7680b62274df715cec53afda0f033877

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat

Filesize
207B

MD5
84b049107a55073db842512dd9008c05

SHA1
7f127493cc24e580054f5c0637f342bdef553647

SHA256
bf984ec4115fe4682cc91875b150bf680703185d4b84c9d526c7773db375db58

SHA512
41a33706a57ea7af905d815a88e97576cfe043a46960260da83d1e4f5e4defdc99538d17169f950d16528b321fd285ed7680b62274df715cec53afda0f033877

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
207B

MD5
26ad466007c88b92bebb747f7466320d

SHA1
3946aa892e8debc3cf1982b52962987218322d71

SHA256
f6807af8964e659bc9e16e3c23aa1e75754ea678a71dc03782e768e1221c1292

SHA512
ae1763a669cd43bed7242191b0413f53600d95ed80dedaca1eb007e2cbe98143e7e3f90ce514b4cf29a2f65eacfec774baf28037d0c24ed1ae18c62f1f36e502

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
207B

MD5
4cf19002040f4150af2561c1e5bc2016

SHA1
8372ac53bee109968130f57cc917bf2a7a0ccbfd

SHA256
0f8d52697e586be5eb100255f5b1f7fe4fb6a890e5cbb1df64fcc58caf8816ac

SHA512
dcdd710446a40f75fdf617121fb63ecd66fd80e4489565c012994324cc17bfbe6d3aedfe1add4022520204fd5945e45baed159096ebc7a75f12a0ffc440ec0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
207B

MD5
1c27f7cd2c03e867753590397cf55118

SHA1
4d343fd69b70463c8d5ce9f5e97317de54c7f00e

SHA256
07290bcadb417ec984a04b100c1fb662b0533160ecf79afbd17f034b74fa214b

SHA512
1183865e48c3487019a9afe8f81b3210f19285d8abb1fb6008dd5a215e2e783a61d678892be21d5692adf30e4b911d122eb25134753e9613e4dda4e3a2f6162a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxTQ808hvM.bat

Filesize
207B

MD5
23fa27014cb6ec026b06bce94bc6644b

SHA1
0663eb929b919adf769458e99abf5bcd39165d20

SHA256
0b5f78f37b609d44875c78dd6d29084996744fdcc8570f20fc1698e70aad670b

SHA512
fa95f110beee77efdb276eba2d5f5d520f099e281052ea17001390f23f6cdd3fb3495d25e5ffce5bb24dcccd2d1764d3d47f149e9c608225820f71d10ada35f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

Filesize
207B

MD5
8029eb0f4b8494943c87d6036ff79317

SHA1
3364abb16a4343eb6e60767bf845fe1c965b9b8a

SHA256
1e4cf7d5b007dd3fac63687e0315286ae054295ca1c699ed68ef9dc7cf8e738f

SHA512
40a34410a204edbc7d24e14f269078bd09577afffe377780b749243c04483e2f4ce59f51d6205f38ef1d1ef8cc8f0a312d71c329d496d7678d9e69d88b73cd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat

Filesize
207B

MD5
4778e82eacb543d6c4b9af6512f25930

SHA1
a64def386dda3ab06cc6a5a791ccd3087fa7fba7

SHA256
1fe300040bddbcb86959649172eb21e2380673b401b016472beb56a228703d5b

SHA512
f706ed864f59b8098c26d3aeed38b74f6f21156f7b7fe2a26f43f80de9d67194ea1e8a161ec786edd6d4e669f543d1ab58dd0695c0209c7dd6829d4390182b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
207B

MD5
85440f29df91fee0497b534984632809

SHA1
6f97322481659ebb7653994b5d12398131f66243

SHA256
fbe59ca2bde04b89d0995dc9989c3d7a4e81186a0d3c4abca4e75382799c191f

SHA512
01f80128da45b8d8eca05a7bdbd951f5231b3a7e028e942c17c8be2b8ea5190ce17743c8acafaeb3246b194c8ba5a7cfb583bec578bd28b4735df2714807afbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
207B

MD5
85440f29df91fee0497b534984632809

SHA1
6f97322481659ebb7653994b5d12398131f66243

SHA256
fbe59ca2bde04b89d0995dc9989c3d7a4e81186a0d3c4abca4e75382799c191f

SHA512
01f80128da45b8d8eca05a7bdbd951f5231b3a7e028e942c17c8be2b8ea5190ce17743c8acafaeb3246b194c8ba5a7cfb583bec578bd28b4735df2714807afbf

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1496-372-0x00000209E03A0000-0x00000209E0416000-memory.dmp

Filesize
472KB

Download
memory/1496-365-0x00000209E00E0000-0x00000209E0102000-memory.dmp

Filesize
136KB

Download
memory/2684-827-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/2704-164-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-152-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-121-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-122-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-123-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-125-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-183-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-126-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-128-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-129-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-130-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-131-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-182-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-181-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-180-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-132-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-133-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-134-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-135-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-179-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-136-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-137-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-178-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-177-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-138-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-176-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-175-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-139-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-174-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-172-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-173-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-171-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-140-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-170-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-141-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-169-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-168-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-167-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-166-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-165-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-120-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-163-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-162-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-161-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-160-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-159-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-158-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-157-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-156-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-155-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-154-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-142-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-153-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-151-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-143-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-150-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-149-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-144-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-148-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-145-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-147-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-146-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-833-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/3940-864-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/4012-186-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-185-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/4156-286-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/4156-289-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

Filesize
48KB

Download
memory/4156-287-0x0000000002C90000-0x0000000002CA2000-memory.dmp

Filesize
72KB

Download
memory/4156-288-0x0000000002CA0000-0x0000000002CAC000-memory.dmp

Filesize
48KB

Download
memory/4156-290-0x000000001B690000-0x000000001B69C000-memory.dmp

Filesize
48KB

Download