dcrat | 115def4783bdb25f2ecf458257ef6dd44d3d9e9a1c2e85daf3a41c50c0d5f65b

Analysis

max time kernel
147s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

115def4783bdb25f2ecf458257ef6dd44d3d9e9a1c2e85daf3a41c50c0d5f65b.exe
Size

1.3MB
MD5

6d8932cdff1a4186bcbb03fd986eb674
SHA1

a620dce3b1c906080786da85c97732c299d2249c
SHA256

115def4783bdb25f2ecf458257ef6dd44d3d9e9a1c2e85daf3a41c50c0d5f65b
SHA512

5bd97a7acfa3e58de571b426c475aba5367811eedaefe2b1732645ba27656f7c0e84fd10fd60a1e0710068003a7891e010d3887d724d4897977fdf53886294c6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	160	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	192	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	3924	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	3924	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac1f-279.dat	dcrat
behavioral1/files/0x000800000001ac1f-280.dat	dcrat
behavioral1/memory/3952-281-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac3e-742.dat	dcrat
behavioral1/files/0x000600000001ac3e-745.dat	dcrat
behavioral1/files/0x000600000001ac3e-928.dat	dcrat
behavioral1/files/0x000600000001ac3e-935.dat	dcrat
behavioral1/files/0x000600000001ac3e-940.dat	dcrat
behavioral1/files/0x000600000001ac3e-945.dat	dcrat
behavioral1/files/0x000600000001ac3e-951.dat	dcrat
behavioral1/files/0x000600000001ac3e-957.dat	dcrat
behavioral1/files/0x000600000001ac3e-962.dat	dcrat
behavioral1/files/0x000600000001ac3e-967.dat	dcrat
behavioral1/files/0x000600000001ac3e-972.dat	dcrat
behavioral1/files/0x000600000001ac3e-978.dat	dcrat
behavioral1/files/0x000600000001ac3e-984.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
3952	DllCommonsvc.exe
5984	services.exe
5340	services.exe
5612	services.exe
5932	services.exe
744	services.exe
5052	services.exe
4332	services.exe
5920	services.exe
1100	services.exe
4772	services.exe
748	services.exe
5168	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bcastdvr\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\bcastdvr\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\es-ES\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\bcastdvr\dwm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4524	schtasks.exe
736	schtasks.exe
4032	schtasks.exe
516	schtasks.exe
3300	schtasks.exe
224	schtasks.exe
1740	schtasks.exe
3560	schtasks.exe
4336	schtasks.exe
4484	schtasks.exe
852	schtasks.exe
684	schtasks.exe
1788	schtasks.exe
2352	schtasks.exe
392	schtasks.exe
3648	schtasks.exe
2576	schtasks.exe
424	schtasks.exe
1976	schtasks.exe
1468	schtasks.exe
4684	schtasks.exe
4316	schtasks.exe
4976	schtasks.exe
4968	schtasks.exe
4576	schtasks.exe
732	schtasks.exe
4416	schtasks.exe
1204	schtasks.exe
160	schtasks.exe
560	schtasks.exe
2180	schtasks.exe
1208	schtasks.exe
2220	schtasks.exe
4320	schtasks.exe
5096	schtasks.exe
2000	schtasks.exe
4504	schtasks.exe
800	schtasks.exe
2396	schtasks.exe
3756	schtasks.exe
4708	schtasks.exe
192	schtasks.exe
4912	schtasks.exe
2144	schtasks.exe
2072	schtasks.exe
1016	schtasks.exe
3156	schtasks.exe
4652	schtasks.exe
4312	schtasks.exe
4696	schtasks.exe
4676	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	115def4783bdb25f2ecf458257ef6dd44d3d9e9a1c2e85daf3a41c50c0d5f65b.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	services.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
3952	DllCommonsvc.exe
2356	powershell.exe
2356	powershell.exe
3780	powershell.exe
3780	powershell.exe
2272	powershell.exe
2272	powershell.exe
4716	powershell.exe
4716	powershell.exe
4756	powershell.exe
4756	powershell.exe
2596	powershell.exe
2596	powershell.exe
4752	powershell.exe
4752	powershell.exe
3352	powershell.exe
3352	powershell.exe
4572	powershell.exe
4572	powershell.exe
2060	powershell.exe
2060	powershell.exe
4880	powershell.exe
4880	powershell.exe
4260	powershell.exe
4260	powershell.exe
4744	powershell.exe
4744	powershell.exe
1988	powershell.exe
1988	powershell.exe
4056	powershell.exe
4056	powershell.exe
4756	powershell.exe
3324	powershell.exe
3324	powershell.exe
3484	powershell.exe
3484	powershell.exe
4260	powershell.exe
4880	powershell.exe
4892	powershell.exe
4892	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3952	DllCommonsvc.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeIncreaseQuotaPrivilege	4756	powershell.exe
Token: SeSecurityPrivilege	4756	powershell.exe
Token: SeTakeOwnershipPrivilege	4756	powershell.exe
Token: SeLoadDriverPrivilege	4756	powershell.exe
Token: SeSystemProfilePrivilege	4756	powershell.exe
Token: SeSystemtimePrivilege	4756	powershell.exe
Token: SeProfSingleProcessPrivilege	4756	powershell.exe
Token: SeIncBasePriorityPrivilege	4756	powershell.exe
Token: SeCreatePagefilePrivilege	4756	powershell.exe
Token: SeBackupPrivilege	4756	powershell.exe
Token: SeRestorePrivilege	4756	powershell.exe
Token: SeShutdownPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeSystemEnvironmentPrivilege	4756	powershell.exe
Token: SeRemoteShutdownPrivilege	4756	powershell.exe
Token: SeUndockPrivilege	4756	powershell.exe
Token: SeManageVolumePrivilege	4756	powershell.exe
Token: 33	4756	powershell.exe
Token: 34	4756	powershell.exe
Token: 35	4756	powershell.exe
Token: 36	4756	powershell.exe
Token: SeIncreaseQuotaPrivilege	3352	powershell.exe
Token: SeSecurityPrivilege	3352	powershell.exe
Token: SeTakeOwnershipPrivilege	3352	powershell.exe
Token: SeLoadDriverPrivilege	3352	powershell.exe
Token: SeSystemProfilePrivilege	3352	powershell.exe
Token: SeSystemtimePrivilege	3352	powershell.exe
Token: SeProfSingleProcessPrivilege	3352	powershell.exe
Token: SeIncBasePriorityPrivilege	3352	powershell.exe
Token: SeCreatePagefilePrivilege	3352	powershell.exe
Token: SeBackupPrivilege	3352	powershell.exe
Token: SeRestorePrivilege	3352	powershell.exe
Token: SeShutdownPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeSystemEnvironmentPrivilege	3352	powershell.exe
Token: SeRemoteShutdownPrivilege	3352	powershell.exe
Token: SeUndockPrivilege	3352	powershell.exe
Token: SeManageVolumePrivilege	3352	powershell.exe
Token: 33	3352	powershell.exe
Token: 34	3352	powershell.exe
Token: 35	3352	powershell.exe
Token: 36	3352	powershell.exe
Token: SeIncreaseQuotaPrivilege	4260	powershell.exe
Token: SeSecurityPrivilege	4260	powershell.exe
Token: SeTakeOwnershipPrivilege	4260	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 60	2832	115def4783bdb25f2ecf458257ef6dd44d3d9e9a1c2e85daf3a41c50c0d5f65b.exe	66
PID 2832 wrote to memory of 60	2832	115def4783bdb25f2ecf458257ef6dd44d3d9e9a1c2e85daf3a41c50c0d5f65b.exe	66
PID 2832 wrote to memory of 60	2832	115def4783bdb25f2ecf458257ef6dd44d3d9e9a1c2e85daf3a41c50c0d5f65b.exe	66
PID 60 wrote to memory of 4236	60	WScript.exe	67
PID 60 wrote to memory of 4236	60	WScript.exe	67
PID 60 wrote to memory of 4236	60	WScript.exe	67
PID 4236 wrote to memory of 3952	4236	cmd.exe	69
PID 4236 wrote to memory of 3952	4236	cmd.exe	69
PID 3952 wrote to memory of 2272	3952	DllCommonsvc.exe	147
PID 3952 wrote to memory of 2272	3952	DllCommonsvc.exe	147
PID 3952 wrote to memory of 2356	3952	DllCommonsvc.exe	146
PID 3952 wrote to memory of 2356	3952	DllCommonsvc.exe	146
PID 3952 wrote to memory of 3780	3952	DllCommonsvc.exe	130
PID 3952 wrote to memory of 3780	3952	DllCommonsvc.exe	130
PID 3952 wrote to memory of 4716	3952	DllCommonsvc.exe	128
PID 3952 wrote to memory of 4716	3952	DllCommonsvc.exe	128
PID 3952 wrote to memory of 2596	3952	DllCommonsvc.exe	126
PID 3952 wrote to memory of 2596	3952	DllCommonsvc.exe	126
PID 3952 wrote to memory of 4756	3952	DllCommonsvc.exe	124
PID 3952 wrote to memory of 4756	3952	DllCommonsvc.exe	124
PID 3952 wrote to memory of 4752	3952	DllCommonsvc.exe	122
PID 3952 wrote to memory of 4752	3952	DllCommonsvc.exe	122
PID 3952 wrote to memory of 4572	3952	DllCommonsvc.exe	131
PID 3952 wrote to memory of 4572	3952	DllCommonsvc.exe	131
PID 3952 wrote to memory of 3352	3952	DllCommonsvc.exe	143
PID 3952 wrote to memory of 3352	3952	DllCommonsvc.exe	143
PID 3952 wrote to memory of 2060	3952	DllCommonsvc.exe	142
PID 3952 wrote to memory of 2060	3952	DllCommonsvc.exe	142
PID 3952 wrote to memory of 4880	3952	DllCommonsvc.exe	135
PID 3952 wrote to memory of 4880	3952	DllCommonsvc.exe	135
PID 3952 wrote to memory of 4744	3952	DllCommonsvc.exe	136
PID 3952 wrote to memory of 4744	3952	DllCommonsvc.exe	136
PID 3952 wrote to memory of 4260	3952	DllCommonsvc.exe	138
PID 3952 wrote to memory of 4260	3952	DllCommonsvc.exe	138
PID 3952 wrote to memory of 1988	3952	DllCommonsvc.exe	140
PID 3952 wrote to memory of 1988	3952	DllCommonsvc.exe	140
PID 3952 wrote to memory of 4056	3952	DllCommonsvc.exe	148
PID 3952 wrote to memory of 4056	3952	DllCommonsvc.exe	148
PID 3952 wrote to memory of 4892	3952	DllCommonsvc.exe	149
PID 3952 wrote to memory of 4892	3952	DllCommonsvc.exe	149
PID 3952 wrote to memory of 3324	3952	DllCommonsvc.exe	155
PID 3952 wrote to memory of 3324	3952	DllCommonsvc.exe	155
PID 3952 wrote to memory of 3484	3952	DllCommonsvc.exe	154
PID 3952 wrote to memory of 3484	3952	DllCommonsvc.exe	154
PID 3952 wrote to memory of 68	3952	DllCommonsvc.exe	158
PID 3952 wrote to memory of 68	3952	DllCommonsvc.exe	158
PID 68 wrote to memory of 2684	68	cmd.exe	160
PID 68 wrote to memory of 2684	68	cmd.exe	160
PID 68 wrote to memory of 5984	68	cmd.exe	162
PID 68 wrote to memory of 5984	68	cmd.exe	162
PID 5984 wrote to memory of 6092	5984	services.exe	165
PID 5984 wrote to memory of 6092	5984	services.exe	165
PID 6092 wrote to memory of 5308	6092	cmd.exe	164
PID 6092 wrote to memory of 5308	6092	cmd.exe	164
PID 6092 wrote to memory of 5340	6092	cmd.exe	166
PID 6092 wrote to memory of 5340	6092	cmd.exe	166
PID 5340 wrote to memory of 5504	5340	services.exe	169
PID 5340 wrote to memory of 5504	5340	services.exe	169
PID 5504 wrote to memory of 1056	5504	cmd.exe	168
PID 5504 wrote to memory of 1056	5504	cmd.exe	168
PID 5504 wrote to memory of 5612	5504	cmd.exe	170
PID 5504 wrote to memory of 5612	5504	cmd.exe	170
PID 5612 wrote to memory of 684	5612	services.exe	173
PID 5612 wrote to memory of 684	5612	services.exe	173

C:\Users\Admin\AppData\Local\Temp\115def4783bdb25f2ecf458257ef6dd44d3d9e9a1c2e85daf3a41c50c0d5f65b.exe
"C:\Users\Admin\AppData\Local\Temp\115def4783bdb25f2ecf458257ef6dd44d3d9e9a1c2e85daf3a41c50c0d5f65b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\de-DE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0M4WFsUwhH.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:68
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2684
      - C:\odt\services.exe
        
        "C:\odt\services.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:6092
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5504
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        11⤵
        
        PID:684
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        13⤵
        
        PID:4508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4392
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        15⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3532
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        17⤵
        
        PID:4260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4304
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
        19⤵
        
        PID:4344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2984
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
        21⤵
        
        PID:3484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4804
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
        23⤵
        
        PID:4636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:5712
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        25⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:5028
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        27⤵
        
        PID:5296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3920
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        28⤵
        Executes dropped EXE
        
        PID:5168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\bcastdvr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5308

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1056

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2ae34a9e66ea27023c3b5ea4ecd5254

SHA1
24a20a2e6a258c7c1142ed3f157ee09b68d07aa0

SHA256
407285f763d6bfef0d4a046e008b035e9e567670668434c76f89de852dbf4dca

SHA512
81c7440db9a1f0754224252bab062cfea6c4072f1368685e9e60f983fa3c6d20132799c76f280350a3ce0fc38a993a60e7b5ce997654a6c7ecf7aa872164e282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e60c9fde94a202182ce7c352ec81dff0

SHA1
dd47564a9a2778e34c6aebc01685324c2c351c35

SHA256
9014e39b9e2d060632c3d16329aeac8321bb1dd2f3e9189e46583b4481e34977

SHA512
8c84cbb383f13ff5719b66fa71631725b6d485904d2c765afe72b285f24d79126ac03fbaddfcd6f68d07bbb77af0ea2f88ae1c2926e11cb5714e279850ed8376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e60c9fde94a202182ce7c352ec81dff0

SHA1
dd47564a9a2778e34c6aebc01685324c2c351c35

SHA256
9014e39b9e2d060632c3d16329aeac8321bb1dd2f3e9189e46583b4481e34977

SHA512
8c84cbb383f13ff5719b66fa71631725b6d485904d2c765afe72b285f24d79126ac03fbaddfcd6f68d07bbb77af0ea2f88ae1c2926e11cb5714e279850ed8376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
78de35c64c0cd8d9de94772526edf5b4

SHA1
e32f9c88c7391012297278bc8bd05758ab17c806

SHA256
a9562d13490aad3d9f016023af8e6f053317f2e8f6005f4aa87da85995e436e9

SHA512
6b05e93518775d7390d16a407559ed95ad19fa88a54a3b2771e2365aa1c8ec9148cf49ce79b038b4ad2fb866e5e7f165a800e1d54fdf955cc0f00af3548f09e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fb8f1ae3110f763d5986d07c579966b

SHA1
dd4719a369714c9452d6cb5fc1ec913b878ff6d1

SHA256
525775746bef7f9d22d9ea45e157c1fd0035aed330b094618695b970716f4e8f

SHA512
57ca3ffe5be9d2fc3656dfb932dd348029e8ca0b86b8e44f41dfb3f1a3ee027fcd20cf0ce2219ef2162e3b22d2618aaf2db3036b70ecc34504cb26d05f4482d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb6d7a655fb8054ec2030d741b6dc98f

SHA1
4f495382bc3101ab85f1bdb09bc961d9a6bfd124

SHA256
78ccfe9557a6b06f53c6dfad2e2e2d84e7e46e2cdd8d78b9f8570d934dcd563d

SHA512
b090c20823f1238a21850b92d03cc884c004fdd75fd1ebc343cbe1df2009b3ea81f258459c18327787a893545660d66f55fb8ef702e7137f88bd63910056bc7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a55ff62fd5de4f88b932752fb796f29a

SHA1
26aa37e174b2ced89d12dd672cdaaec0b532123c

SHA256
fd5ea2185fcef65e6973dfd8de249cb54aaf81cc82d3cdab05c3dc66ab470e35

SHA512
f2202d71e735c3da47a53d015c8c641842aae05ad759df004fc546dfde67e01bf7f26ce9e3b932c4979b0537847777263d688fb65439e29ae2898536eb53cd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c161fb9ff85a88334b2107a93bb82657

SHA1
96ad0c72ec9dc24f4a7f3f3a1885b4f038c078c7

SHA256
dc45d981cbf335f2b27347badd7ea3f9847b12458b5afd300c12b6e6e366e2be

SHA512
3550e654ed20c1bc4cd984248249efac5a3a2264e35f6f29ddd67eacde63808b19a0036a2f2d9cccc511a2b00c7bf24b95351c18ddcc570c98b41ea3f726f3dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c161fb9ff85a88334b2107a93bb82657

SHA1
96ad0c72ec9dc24f4a7f3f3a1885b4f038c078c7

SHA256
dc45d981cbf335f2b27347badd7ea3f9847b12458b5afd300c12b6e6e366e2be

SHA512
3550e654ed20c1bc4cd984248249efac5a3a2264e35f6f29ddd67eacde63808b19a0036a2f2d9cccc511a2b00c7bf24b95351c18ddcc570c98b41ea3f726f3dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
501c858c7a321226280622d531471216

SHA1
b8a2d4f20f243216e3043fc9a9ed52f7a7c7fb4b

SHA256
034536f2b0739ec5bf67cf2f3cd4f9a4b031e5d1c0e6b486443635e1593a080a

SHA512
6d81cf76ba3c7ad1bd01a4c9b1fba176ba42fd81ca7af4e36f0674a209f4621df51b0c53680b9f4bd08b056f36cb42e56a74d3bbef6fd8a41701e974551a5db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79e162022602395b6c81f4784f24b5d6

SHA1
2c36bf63312c2a8caf214a31a1e572018db13c4f

SHA256
eb62b89ff78e7a482714ee73c77a9b3b6db3f8f094c1ce1aa29fe31e09691d2b

SHA512
c3c536e5b62c636e68f0f092132609e2a4a8dc7393f6d605c6f2fdb26b1e76e7c572af0ade31ea9b4643e471fe1d7df39b65d0c6e0bb672a6cb16aa04bd7036e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79e162022602395b6c81f4784f24b5d6

SHA1
2c36bf63312c2a8caf214a31a1e572018db13c4f

SHA256
eb62b89ff78e7a482714ee73c77a9b3b6db3f8f094c1ce1aa29fe31e09691d2b

SHA512
c3c536e5b62c636e68f0f092132609e2a4a8dc7393f6d605c6f2fdb26b1e76e7c572af0ade31ea9b4643e471fe1d7df39b65d0c6e0bb672a6cb16aa04bd7036e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
586358a556c30cea107b352fcb0af63a

SHA1
95c3895351c2e983f53dad075c9ea6e19fd65d35

SHA256
8f2fa7ebea426a50e6adf5b8f6ba30b107f16943ccfb34af6d3e072c17af08d0

SHA512
94a997b0c95ba69f23977a83e5dbb59c1c131e4a09b8ed60f54f5dd8e21b1392eada77a35aff78ed855d642ef9e711d8a4c59001a7d09cdbb2b5179786f45028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00cd05796d64ba9eb4d2738ec9856392

SHA1
af8d28b9e783054def1541e3da66f6eeebfdcfff

SHA256
4a301fbd691556b60760e80079b676ad71d25d3c69a413678d7974c28c4539c5

SHA512
f7d8230a9496997a6cb85854ede39afd388c69ef510fd0cf5cb81daa90ff2be5c2ec80e90845db59856176b2e4679aea12c9bf67f4bfa565b38305ebdecadf49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00cd05796d64ba9eb4d2738ec9856392

SHA1
af8d28b9e783054def1541e3da66f6eeebfdcfff

SHA256
4a301fbd691556b60760e80079b676ad71d25d3c69a413678d7974c28c4539c5

SHA512
f7d8230a9496997a6cb85854ede39afd388c69ef510fd0cf5cb81daa90ff2be5c2ec80e90845db59856176b2e4679aea12c9bf67f4bfa565b38305ebdecadf49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
178c146d0fbfc31a8ef02f795235b14f

SHA1
cd6b77a59dd60cefb1c44ee999ca7b63e81da5cd

SHA256
c84f21c005c6e41b93d2753d0219f5726a229f831cffb658cfb38a63f071414b

SHA512
5c8699ba733de9deab7af5520b41da4474c91b2e0a74b8d71556adf3d84133bbefea5769948f2e3c3c693a07e45f31abdafbb800ee5706478a10915c51c9066d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0M4WFsUwhH.bat

Filesize
184B

MD5
a1de4db2e8de8d648700ae91eaaacfd9

SHA1
790338f814d7f3882e9701e0ec0120b9996b7b22

SHA256
0b33410f6758e50216b3a8de4c2975940be93ae7e022e1b0f01c07ffbc3c79c4

SHA512
3d4d2779273c0aeb4b8b1031659df4b337b51233acee8b2dc9010d58b7939a278ee34b711ee6fd783d70080e98b9b8348703917eb10cffa798606ade78fa7aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
184B

MD5
18fdf7a3d3b4ae9ac62224b1797c1320

SHA1
5243a8abf8a1af3fee77e9ec46ee0d96cba992d0

SHA256
e892b402e8e04573bc89418f4dd9762af87f2cdc5075cfa361bf92e15d247944

SHA512
5b359009629cc96e397882a673beccd271cfc68e311131db2b014a26d0e9cf89f2159f5322a86b886b2dd8095386f75ddec933fe7130c78467120620c0706e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
184B

MD5
b79508c0c4388337202baa555ff0e814

SHA1
91b06d7e712503c968432004ccd0d2c68e596f32

SHA256
1e121cb75791bba93ae364534ae57f7e4801f24871b51d89bac5eabaa6623924

SHA512
3366ef2bf3b274a2473f82d8683e215c83cb6d2f061dd41aec6c912f46e3bc3eb51842600cb87a5c7818febb7815f6cd75e33a1ce1c1aa89a54b077026f740f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
184B

MD5
fbc6190634856a8b6937d2861a5c6f0c

SHA1
cdc17ab5027f8e2115c31149d3318c8315ebe4b6

SHA256
3c02b7ceefc21817c8180b3e11cc33a5d57e76600c9091d83f8d5c0baeecf489

SHA512
b9dbe4a8678d913e0b3870f4e04a7f0b20451c2235096099d948f143fecadcba16ab09bab7f041393299db98548d3525502e7d73ae2f6f67a39ee2fe49b72134

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
184B

MD5
398499cb01f9078e478bbfe263cecd18

SHA1
7a7019fe5bac58b8419e612b77f7d449f52c3471

SHA256
94d374aa2cef2e98f0ad03557e96bc353a33cec2f77c4352a4b31c1a6db980a5

SHA512
2a8d6f50682f5cc1746dee14f4f28ad255c0f7a9fc1d7860eebc2042e64caee86139f41535c7a482f37d23b89a33a33e8584ae967820e8d2bed5ee4117dff055

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

Filesize
184B

MD5
3c16a8f86d70c73cafdc5e5d3f91eaa8

SHA1
c44848e86429f64e2f59a2d27fd688aaaf0bcb11

SHA256
8407a26a62482148b585933e62fb566b036f70c8e60852380929bf173843328f

SHA512
6e3023c121cbb37cafce607b919a740bdad826fc3a4b341ec0a9d6e018e5a9189693f464684ba50f2955436f06db33bdbd570426183759d64d3e6f2746d537c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

Filesize
184B

MD5
534720353e7211dc46c58056b639b896

SHA1
69a2789d412d69086d75ac49f762e4f26cc31799

SHA256
c643e1978636a7ba59e20c6320f287af8215b1c0062cc8c133dd30a9038a434f

SHA512
b85ff0cdb7b7fb858d82d61d8f530b47678b28ce97f0a25fcd3aa400c2a9f79c0b5769cba59702150e310f6ae3d41dcbe7ce40c09b7523da743285ac2cf7e354

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
184B

MD5
3dc27d02bf8b800f77cfd2267ed17781

SHA1
ab3b77444ea4a5f04a492a751f694c49253dd967

SHA256
0802c018cfdbe7ff42eca37f486a108c100befedf8ece17c460aeee497f3e115

SHA512
842f4d720b71831e0cae2326ffaefb56ca971b80949396115d3d758eb2e2ab7a7d297cb0ac588c76c3898f48895780925a1a6f1ebd2d960f076617f93bff9fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

Filesize
184B

MD5
77b5d3fb0175b27129c5f8eaaf0443d4

SHA1
a74f147ed097fab968766aed04b12fcf574e8b15

SHA256
de7f101cd6aa48c7f306a423dfba05335b1520a470d3db9af9cf23da09b63656

SHA512
e9c60784511f4ff86894aa89c113e4ec653e257a3d3c637378a7948fbd968b48d35b39c4e638d4794fe4db6a8a3c2d1a443084079ddaf74bcb96738198b58a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
184B

MD5
851f3ce9b3a7c21d92bf6199859a6d8a

SHA1
a5a6c9a8216a1a328a363fc5b19b8300f1b47930

SHA256
4fc1e7f8712b40b4f279dfcfe4c7eaa0831cbb448b519a40a955cbbd090a73c2

SHA512
b2a2311011005d197ee29df19296195e9c32a883c5d0f8ec0c4f88dbcf98745868dc1ecc3fbfdfff43bc610c5e0f0e5c6ed6eb371506f6474ef39eb8b18c6e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

Filesize
184B

MD5
51629c6584e0c1ba7eaf7fd673617e33

SHA1
ecee419e3991098858fdabda02fe75a1cbfb89c6

SHA256
a23ebf07421edc830e2e72685eabb16e18ae1ebec2f0c47214d40c464a6dc414

SHA512
bd3fd29d1d0bebc2e3c524d8441e12ace121d9c3cd1d5bc206427fb6e5953b70683a600dacbce267a4bd686809cfcebf863d485b903e5b051ad95f6ffce40e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
184B

MD5
812e213e0b918fff88a0f1fb5576142c

SHA1
4d4cd4aead4a278340e0efc3ea20a6a85c9879a4

SHA256
7346e915101fdc892e84832572767fd0654103ab51197b2fa7353114a9a6f040

SHA512
e11c69fb670730cad4f3c159ea0c98727f829144691bc8f21f732873566bf47c1550ac01b30db72183f51899d0902dd07bd2bc1a9d1106099b4ad8fdf9eae619

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/60-180-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/60-181-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/744-946-0x0000000002CF0000-0x0000000002D02000-memory.dmp

Filesize
72KB

Download
memory/748-979-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/2356-372-0x00000295B3080000-0x00000295B30A2000-memory.dmp

Filesize
136KB

Download
memory/2832-162-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-149-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-116-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-178-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-177-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-118-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-121-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-120-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-117-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-123-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-124-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-125-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-176-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-126-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-175-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-174-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-128-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-130-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-131-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-173-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-132-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-129-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-127-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-172-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-133-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-134-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-136-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-135-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-171-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-170-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-138-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-169-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-168-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-137-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-167-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-166-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-139-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-164-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-165-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-163-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-115-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-161-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-160-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-159-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-153-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-154-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-157-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-158-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-155-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-156-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-152-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-151-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-150-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-146-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-140-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-142-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-148-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-145-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-144-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-147-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-143-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2832-141-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/3952-284-0x0000000002EE0000-0x0000000002EEC000-memory.dmp

Filesize
48KB

Download
memory/3952-281-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/3952-283-0x0000000002ED0000-0x0000000002EDC000-memory.dmp

Filesize
48KB

Download
memory/3952-285-0x0000000002EF0000-0x0000000002EFC000-memory.dmp

Filesize
48KB

Download
memory/3952-282-0x0000000001690000-0x00000000016A2000-memory.dmp

Filesize
72KB

Download
memory/4756-380-0x000001E9FF950000-0x000001E9FF9C6000-memory.dmp

Filesize
472KB

Download
memory/4772-973-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/5052-952-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/5340-930-0x0000000001550000-0x0000000001562000-memory.dmp

Filesize
72KB

Download
memory/5984-831-0x00000000010E0000-0x00000000010F2000-memory.dmp

Filesize
72KB

Download