dcrat | 1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa

Analysis

max time kernel
147s
max time network
144s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa.exe
Size

1.3MB
MD5

eca69f21e0c115239ebcdef898673d07
SHA1

f4593cffd8668841cc9734e66c27364d992f6db6
SHA256

1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa
SHA512

3bb3d72a6f2d10be0252bf20abb93359c47433b78cb089d0a61da43b181af6ecc7bdfd3c275e19d6ea679d626537ca4739600ffbfe8ef0412b2e4c470b806578
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	160	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	196	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4064	schtasks.exe

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/3904-286-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat

Executes dropped EXE 14 IoCs

Processes:

DllCommonsvc.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

pid	process
3904	DllCommonsvc.exe
3216	conhost.exe
5396	conhost.exe
5580	conhost.exe
5772	conhost.exe
5948	conhost.exe
6124	conhost.exe
2380	conhost.exe
4592	conhost.exe
3460	conhost.exe
324	conhost.exe
4816	conhost.exe
1564	conhost.exe
5344	conhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\it-IT\csrss.exe DllCommonsvc.exe
File created C:\Windows\it-IT\886983d96e3d3e DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\it-IT\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\it-IT\886983d96e3d3e	DllCommonsvc.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4428	schtasks.exe
440	schtasks.exe
1232	schtasks.exe
4204	schtasks.exe
4680	schtasks.exe
5112	schtasks.exe
4132	schtasks.exe
204	schtasks.exe
1340	schtasks.exe
160	schtasks.exe
436	schtasks.exe
1148	schtasks.exe
5092	schtasks.exe
4728	schtasks.exe
4460	schtasks.exe
4616	schtasks.exe
4572	schtasks.exe
4828	schtasks.exe
4984	schtasks.exe
2224	schtasks.exe
4600	schtasks.exe
4816	schtasks.exe
3176	schtasks.exe
4552	schtasks.exe
1664	schtasks.exe
4776	schtasks.exe
4464	schtasks.exe
4408	schtasks.exe
664	schtasks.exe
612	schtasks.exe
1648	schtasks.exe
876	schtasks.exe
196	schtasks.exe
3064	schtasks.exe
4732	schtasks.exe
4632	schtasks.exe
1324	schtasks.exe
1828	schtasks.exe
2300	schtasks.exe
2376	schtasks.exe
4624	schtasks.exe
3800	schtasks.exe
1116	schtasks.exe
5028	schtasks.exe
328	schtasks.exe

Modifies registry class 13 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa.execonhost.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid	process
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3904	DllCommonsvc.exe
3100	powershell.exe
3100	powershell.exe
1508	powershell.exe
1508	powershell.exe
3724	powershell.exe
3724	powershell.exe
2816	powershell.exe
2816	powershell.exe
1056	powershell.exe
1056	powershell.exe
2696	powershell.exe
2696	powershell.exe
4812	powershell.exe
4812	powershell.exe
2612	powershell.exe
2612	powershell.exe
1912	powershell.exe
1912	powershell.exe
4812	powershell.exe
2620	powershell.exe
2620	powershell.exe
4324	powershell.exe
4324	powershell.exe
956	powershell.exe
956	powershell.exe
3428	powershell.exe
3428	powershell.exe
4324	powershell.exe
3836	powershell.exe
3836	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
3388	powershell.exe
3388	powershell.exe
3428	powershell.exe
3216	conhost.exe
3216	conhost.exe
3100	powershell.exe
1508	powershell.exe
1912	powershell.exe
2816	powershell.exe
2696	powershell.exe
2612	powershell.exe
956	powershell.exe
2620	powershell.exe
1056	powershell.exe
3724	powershell.exe
3836	powershell.exe
3388	powershell.exe
4324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3904	DllCommonsvc.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	3216	conhost.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	2884	powershell.exe
Token: SeSecurityPrivilege	2884	powershell.exe
Token: SeTakeOwnershipPrivilege	2884	powershell.exe
Token: SeLoadDriverPrivilege	2884	powershell.exe
Token: SeSystemProfilePrivilege	2884	powershell.exe
Token: SeSystemtimePrivilege	2884	powershell.exe
Token: SeProfSingleProcessPrivilege	2884	powershell.exe
Token: SeIncBasePriorityPrivilege	2884	powershell.exe
Token: SeCreatePagefilePrivilege	2884	powershell.exe
Token: SeBackupPrivilege	2884	powershell.exe
Token: SeRestorePrivilege	2884	powershell.exe
Token: SeShutdownPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeSystemEnvironmentPrivilege	2884	powershell.exe
Token: SeRemoteShutdownPrivilege	2884	powershell.exe
Token: SeUndockPrivilege	2884	powershell.exe
Token: SeManageVolumePrivilege	2884	powershell.exe
Token: 33	2884	powershell.exe
Token: 34	2884	powershell.exe
Token: 35	2884	powershell.exe
Token: 36	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	4324	powershell.exe
Token: SeSecurityPrivilege	4324	powershell.exe
Token: SeTakeOwnershipPrivilege	4324	powershell.exe
Token: SeLoadDriverPrivilege	4324	powershell.exe
Token: SeSystemProfilePrivilege	4324	powershell.exe
Token: SeSystemtimePrivilege	4324	powershell.exe
Token: SeProfSingleProcessPrivilege	4324	powershell.exe
Token: SeIncBasePriorityPrivilege	4324	powershell.exe
Token: SeCreatePagefilePrivilege	4324	powershell.exe
Token: SeBackupPrivilege	4324	powershell.exe
Token: SeRestorePrivilege	4324	powershell.exe
Token: SeShutdownPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeSystemEnvironmentPrivilege	4324	powershell.exe
Token: SeRemoteShutdownPrivilege	4324	powershell.exe
Token: SeUndockPrivilege	4324	powershell.exe
Token: SeManageVolumePrivilege	4324	powershell.exe
Token: 33	4324	powershell.exe
Token: 34	4324	powershell.exe
Token: 35	4324	powershell.exe
Token: 36	4324	powershell.exe
Token: SeIncreaseQuotaPrivilege	4812	powershell.exe
Token: SeSecurityPrivilege	4812	powershell.exe
Token: SeTakeOwnershipPrivilege	4812	powershell.exe
Token: SeLoadDriverPrivilege	4812	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa.exeWScript.execmd.exeDllCommonsvc.execonhost.execmd.execonhost.execmd.execonhost.execmd.execonhost.execmd.exe

description	pid	process	target process
PID 1928 wrote to memory of 3424	1928	1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa.exe	WScript.exe
PID 1928 wrote to memory of 3424	1928	1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa.exe	WScript.exe
PID 1928 wrote to memory of 3424	1928	1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa.exe	WScript.exe
PID 3424 wrote to memory of 2644	3424	WScript.exe	cmd.exe
PID 3424 wrote to memory of 2644	3424	WScript.exe	cmd.exe
PID 3424 wrote to memory of 2644	3424	WScript.exe	cmd.exe
PID 2644 wrote to memory of 3904	2644	cmd.exe	DllCommonsvc.exe
PID 2644 wrote to memory of 3904	2644	cmd.exe	DllCommonsvc.exe
PID 3904 wrote to memory of 1912	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 1912	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3100	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3100	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 1508	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 1508	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 1056	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 1056	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2696	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2696	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2816	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2816	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2612	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2612	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2620	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2620	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3836	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3836	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3724	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3724	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 4812	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 4812	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 4324	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 4324	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 956	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 956	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3388	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3388	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2884	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 2884	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3428	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3428	3904	DllCommonsvc.exe	powershell.exe
PID 3904 wrote to memory of 3216	3904	DllCommonsvc.exe	conhost.exe
PID 3904 wrote to memory of 3216	3904	DllCommonsvc.exe	conhost.exe
PID 3216 wrote to memory of 4420	3216	conhost.exe	cmd.exe
PID 3216 wrote to memory of 4420	3216	conhost.exe	cmd.exe
PID 4420 wrote to memory of 4424	4420	cmd.exe	w32tm.exe
PID 4420 wrote to memory of 4424	4420	cmd.exe	w32tm.exe
PID 4420 wrote to memory of 5396	4420	cmd.exe	conhost.exe
PID 4420 wrote to memory of 5396	4420	cmd.exe	conhost.exe
PID 5396 wrote to memory of 5504	5396	conhost.exe	cmd.exe
PID 5396 wrote to memory of 5504	5396	conhost.exe	cmd.exe
PID 5504 wrote to memory of 5560	5504	cmd.exe	w32tm.exe
PID 5504 wrote to memory of 5560	5504	cmd.exe	w32tm.exe
PID 5504 wrote to memory of 5580	5504	cmd.exe	conhost.exe
PID 5504 wrote to memory of 5580	5504	cmd.exe	conhost.exe
PID 5580 wrote to memory of 5680	5580	conhost.exe	cmd.exe
PID 5580 wrote to memory of 5680	5580	conhost.exe	cmd.exe
PID 5680 wrote to memory of 5736	5680	cmd.exe	w32tm.exe
PID 5680 wrote to memory of 5736	5680	cmd.exe	w32tm.exe
PID 5680 wrote to memory of 5772	5680	cmd.exe	conhost.exe
PID 5680 wrote to memory of 5772	5680	cmd.exe	conhost.exe
PID 5772 wrote to memory of 5872	5772	conhost.exe	cmd.exe
PID 5772 wrote to memory of 5872	5772	conhost.exe	cmd.exe
PID 5872 wrote to memory of 5928	5872	cmd.exe	w32tm.exe
PID 5872 wrote to memory of 5928	5872	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa.exe
"C:\Users\Admin\AppData\Local\Temp\1e5950919bef34119b8e1ac08b1b40ae79baec60992eed35e7711f80731a86fa.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
    - - C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4424
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5560
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5736
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5928
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        14⤵
        
        PID:6048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:6104
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        16⤵
        
        PID:4776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4316
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
        18⤵
        
        PID:4596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5244
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        20⤵
        
        PID:3844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2816
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"
        22⤵
        
        PID:224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4664
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        24⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4820
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat"
        26⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3832
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat"
        28⤵
        
        PID:4492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4516
        
        C:\odt\conhost.exe
        
        "C:\odt\conhost.exe"
        29⤵
        Executes dropped EXE
        
        PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
361371abca5de9517ca78d5acb4b997b

SHA1
b90d9c6301e1cd0af2ea23a517948a7ee3ecd98f

SHA256
ee6c6a8eb09f5403f93e999f8e7d0c033849bfd29e2fdf090f46828b01e11406

SHA512
834bd30f40963f038fb3cd75a5705ff6208156ef2f960bc3f434cee41ea66bd27a50b6fc08e145b7fc162bf8d09a74628e4f63e0f8a408c8b877cea202a40820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eea6cf47cece273628d5117ed99c9242

SHA1
970ad41d22802a40af26a3567fbe03d015892fe6

SHA256
83db58f06b4e5b062918e5347004f8fd98d3d534644110007127cf0e52c63f9a

SHA512
15a5e7812b9d6891212c939c1748dd17abeea4c1458f7ada4613659607a1170114db52223ec0eda36b808efd9296c4c9506c1ad7a5fa87513583cfdc52a0e483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
013a49adf3a2d295519a8bbc0e59f67f

SHA1
141357e8f7d142b46195c41a3fd47c6f644fb408

SHA256
49ce593aae5c197447e5258f4a725b2e98bc410ce6aab9e519eee5fa743d4479

SHA512
65a8e497a2160c66803c442c8d26d1b8ce55e1199eaac5fa09d9e95114a480ae52c568187b2a0deb363754dd3b512e1be1dd8c941df4ca5dd578df294884faa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
013a49adf3a2d295519a8bbc0e59f67f

SHA1
141357e8f7d142b46195c41a3fd47c6f644fb408

SHA256
49ce593aae5c197447e5258f4a725b2e98bc410ce6aab9e519eee5fa743d4479

SHA512
65a8e497a2160c66803c442c8d26d1b8ce55e1199eaac5fa09d9e95114a480ae52c568187b2a0deb363754dd3b512e1be1dd8c941df4ca5dd578df294884faa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd6733ff106285044591f016c3ab20bf

SHA1
f5578beb2bf6a057ca5c084920a866f07c617229

SHA256
b64f1d3e172d9cce0a019260f48a76b24ae9d18a500dbdb7e27ff1e0572e3140

SHA512
be29b84c79917dc94582b3fff1f0036f1d118f2acaa45ec397147fa867962e26aa2b92675e3faaf60130d0b64a57d7f855df4d3199ed15cfb7985e92b646a117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0a493b61ce835397759ff68172600f5

SHA1
f1a611b25a9f3db875617d014fab234e9b655de5

SHA256
b14aa39204d6e61cd296f2d422abdd7825eea98eb28d81ff6af1605286048734

SHA512
a329d4373debdea3a3ab2ef85cc11bbe424165ee924323debc70313988ebbb893782993dace32088515e8c068304ff13d09e7ebde7b76ad06540249fe73d5a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0a493b61ce835397759ff68172600f5

SHA1
f1a611b25a9f3db875617d014fab234e9b655de5

SHA256
b14aa39204d6e61cd296f2d422abdd7825eea98eb28d81ff6af1605286048734

SHA512
a329d4373debdea3a3ab2ef85cc11bbe424165ee924323debc70313988ebbb893782993dace32088515e8c068304ff13d09e7ebde7b76ad06540249fe73d5a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0a493b61ce835397759ff68172600f5

SHA1
f1a611b25a9f3db875617d014fab234e9b655de5

SHA256
b14aa39204d6e61cd296f2d422abdd7825eea98eb28d81ff6af1605286048734

SHA512
a329d4373debdea3a3ab2ef85cc11bbe424165ee924323debc70313988ebbb893782993dace32088515e8c068304ff13d09e7ebde7b76ad06540249fe73d5a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0a493b61ce835397759ff68172600f5

SHA1
f1a611b25a9f3db875617d014fab234e9b655de5

SHA256
b14aa39204d6e61cd296f2d422abdd7825eea98eb28d81ff6af1605286048734

SHA512
a329d4373debdea3a3ab2ef85cc11bbe424165ee924323debc70313988ebbb893782993dace32088515e8c068304ff13d09e7ebde7b76ad06540249fe73d5a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24f611614123e2f63b38b1a43961b39d

SHA1
bbd6997edc79516cada91e322228b78dec8780b6

SHA256
ce7136cd2b3c00bd0dbe68f1a1eefbd6ad9ec595c245b4270869bd79831268d3

SHA512
33bfbc4399f1547f75d85b34db3e202df42a36af5f15590914ee0c5d7f9019e892ff61df6f96a045ef7678eb99456e1ed0957034388c48c30b2dff5dbb189af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95dcdd500d58368c5fdfeac72ecd2666

SHA1
eaa9acd1a582dbb313117b5f41d865f504727519

SHA256
c824a05740bc5ffb1b730809efe74d0e164563957adf1730fbe818fd78111768

SHA512
46bd0c921e0e8a3d405a7075ed6c008a80c8231a9af924235710e6a63009b5f4530af9e1417c3424c8fddaf0b91157fd226b6903cf1d372e37d78ca4bbeaad0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95dcdd500d58368c5fdfeac72ecd2666

SHA1
eaa9acd1a582dbb313117b5f41d865f504727519

SHA256
c824a05740bc5ffb1b730809efe74d0e164563957adf1730fbe818fd78111768

SHA512
46bd0c921e0e8a3d405a7075ed6c008a80c8231a9af924235710e6a63009b5f4530af9e1417c3424c8fddaf0b91157fd226b6903cf1d372e37d78ca4bbeaad0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95dcdd500d58368c5fdfeac72ecd2666

SHA1
eaa9acd1a582dbb313117b5f41d865f504727519

SHA256
c824a05740bc5ffb1b730809efe74d0e164563957adf1730fbe818fd78111768

SHA512
46bd0c921e0e8a3d405a7075ed6c008a80c8231a9af924235710e6a63009b5f4530af9e1417c3424c8fddaf0b91157fd226b6903cf1d372e37d78ca4bbeaad0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95dcdd500d58368c5fdfeac72ecd2666

SHA1
eaa9acd1a582dbb313117b5f41d865f504727519

SHA256
c824a05740bc5ffb1b730809efe74d0e164563957adf1730fbe818fd78111768

SHA512
46bd0c921e0e8a3d405a7075ed6c008a80c8231a9af924235710e6a63009b5f4530af9e1417c3424c8fddaf0b91157fd226b6903cf1d372e37d78ca4bbeaad0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b247b3b7648d42bf5633079b449afdf

SHA1
a19d5aa5d8c2428faec047afe3a891c99985bd90

SHA256
566da4d067796de35b257fdb4b2f41030dc648981a3570795cac8ef6ba555f27

SHA512
086fe31131fc162a4393649b234f62a25b8cf371b6c0abcc6b3e56516d382e6e438905810944a5c00ec6435685a31c56492ecd6a6307d2fcb02ab3ffe04edd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8qIUyQJ4qD.bat

Filesize
183B

MD5
d6081c55a9f38fb0db20fdd05b0c5195

SHA1
90ede7828e0abca48dc30bb63204e20740f10acd

SHA256
ed0a33b73780d315ee4a219927163d022149a3f99f6681bd1c5ac590891db0f1

SHA512
3fc692d51cb8e10986cc10f622dcbacd35d0d4bd9d2d8854e56b63eba035d9e0bf44ad63d3c498bb86425d638b2c76f23a7f12469b3107fd579d4123f9a7d069

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat

Filesize
183B

MD5
7bfe967f53fa19311a8e0f3c908b0d93

SHA1
c54c57da086b656db89e63956c5714ac96ad4f89

SHA256
32423d7bb57b3ffdf9be4ecbe98c353975e22dbc02a39d50b9ce0b64af1e41ff

SHA512
8e81e75c1807d1b48d4539e8a2d50cd29ad19c6f2c4e85f91c6c4fcd6d26c23b3037c21247fea4d5db7a591af804641a721d9fc9d3c9ebcd7702fa2a35ad1d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

Filesize
183B

MD5
05457618ac8f6211567ce31d881a8d5e

SHA1
70a4dde8d2168fd74355fcf677d6f34c21e43fdb

SHA256
3c237800e7046e664f557988a1e7d0bb45ba3dd7973e102769743b2a6056f605

SHA512
aacf6cd6296e2e4cad30d5617aad673a670c0b44618fb31bbed6c5a4044ad5b65be0853eccc862d65055f1d615be66afe57c6ec1451082e36b61194073a8a78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
183B

MD5
6114df522fc02a164485d62a128f29a8

SHA1
1a1df16839dec3e8d2ec676fb1115260651460f4

SHA256
a665422a6fd1f6ff923a900edd80e89853e28d72ad5fa0b4a1ff67fcc1b6961c

SHA512
ca8f36e4b7e8db3affcdb8734ac29f20e171b53dbe087fde91f7ff58e98481b766bd121ebc6bfd3c322d812ab3ee140d38bb0a4e067aebbcdc9dc27d18edffe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
183B

MD5
2174fedfb551019f7c66a4f761ba6858

SHA1
8a6de65aca4ffae0ed349b065b2df1f5db59f625

SHA256
e75b54f839e06aa9cc900cf5e115a6b267fdff1e4fd8725d884b1cb1a1f73111

SHA512
cdfe5b28ae4a768f2bde47531a21b6bdc0e3df0be7a4dfb7e43fceace4c1be8fd56b7f77b1f3a5f4018a9aa715908812bd01c0a8f275552def066a0ae61f779b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
183B

MD5
627feb1ee7bcb436c39357ebd73510a8

SHA1
e85fd6b8b263589207851d3ab029608ca2f4ee28

SHA256
dcca8fe4a34e53e2d83ba5863868a33398e9b7ea1b0b05fa151f1256944bbedc

SHA512
f0990cda8fa137f36a62acbab2774fae1447d43c2ab700048a7d5b05378919cc46b56a463f4b18cfdd267a101ff57ac3fbf97516645981102d9ac517d2053ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
183B

MD5
627feb1ee7bcb436c39357ebd73510a8

SHA1
e85fd6b8b263589207851d3ab029608ca2f4ee28

SHA256
dcca8fe4a34e53e2d83ba5863868a33398e9b7ea1b0b05fa151f1256944bbedc

SHA512
f0990cda8fa137f36a62acbab2774fae1447d43c2ab700048a7d5b05378919cc46b56a463f4b18cfdd267a101ff57ac3fbf97516645981102d9ac517d2053ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
183B

MD5
198de603e4028f3fc6f24cf3e069fa13

SHA1
1813b7bbe8226a5166aed5e38eaa5bf2704b318f

SHA256
d1f5c86d9616cbeafdcf7894846f58cfb8d08f53707a019843d9ef113145311a

SHA512
c31f50b5873a868f17fccdb77ad878c167b556643d5af4d3d7f4fa8a95a09a192766067f1d34e28820e098b36ea108f16000797ee6e11bfc35516b94ffc5be16

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat

Filesize
183B

MD5
4ec34b0d6ebf35178d7d3a532c7680ec

SHA1
6b2eb9cc30774795cb728e57835180a6b129f088

SHA256
089e9ff9263616ea250e80d466944bfdd76c003f03269dcda17007d432f4dd9f

SHA512
2a26930b9e493aa592e2d67ea267776e920163d6bfe862f2fdccd12485b1c296423bcc7436c6106fd0ff1cb742aa7dbb00dd208dea3a274c646b7cc86760463f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

Filesize
183B

MD5
8e010d0e0f0cef4cac85d15daf695657

SHA1
8b638ab2afb37b4ffe93626340847225047ef1e9

SHA256
a386291430e8222a3f2cfe8515b4677854c669c7741c093ebb4e515a6d0d6a4f

SHA512
dd6775f202bdfb469e47237a43e8e7cb6cf0f5b2db9fb9b2055ee09f2d17801d2820cd4813a13046480ae791b0cdb315be69d565f9ec7f0ec4982a602f05efd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat

Filesize
183B

MD5
f73604eff940732d58cd1ed68e04d081

SHA1
9ab8e4617f67de0cf3b1da5b57914edbe87f4a88

SHA256
e9c673a56ecc298602c55bbdbb354e8178868d59efef8288d973806ad1603380

SHA512
ca145690f10f19f778a85e83dea0bb7b9590c6b63464d6fbe403e99d5cce9831b469a61ebcf899f4ea640832e633b88626c47565538ad6e0059f9e14e067f066

Download Submit
C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat

Filesize
183B

MD5
f73604eff940732d58cd1ed68e04d081

SHA1
9ab8e4617f67de0cf3b1da5b57914edbe87f4a88

SHA256
e9c673a56ecc298602c55bbdbb354e8178868d59efef8288d973806ad1603380

SHA512
ca145690f10f19f778a85e83dea0bb7b9590c6b63464d6fbe403e99d5cce9831b469a61ebcf899f4ea640832e633b88626c47565538ad6e0059f9e14e067f066

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/224-900-0x0000000000000000-mapping.dmp

Download
memory/324-903-0x0000000000000000-mapping.dmp

Download
memory/324-905-0x0000000001930000-0x0000000001942000-memory.dmp

Filesize
72KB

Download
memory/956-309-0x0000000000000000-mapping.dmp

Download
memory/1056-294-0x0000000000000000-mapping.dmp

Download
memory/1508-293-0x0000000000000000-mapping.dmp

Download
memory/1508-371-0x00000264A1D40000-0x00000264A1D62000-memory.dmp

Filesize
136KB

Download
memory/1564-916-0x00000000011A0000-0x00000000011B2000-memory.dmp

Filesize
72KB

Download
memory/1564-914-0x0000000000000000-mapping.dmp

Download
memory/1668-911-0x0000000000000000-mapping.dmp

Download
memory/1912-291-0x0000000000000000-mapping.dmp

Download
memory/1928-166-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-152-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-182-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-183-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-121-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-122-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-123-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-179-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-180-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-125-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-178-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-177-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-126-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-128-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-129-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-130-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-131-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-132-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-176-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-133-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-134-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-135-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-136-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-175-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-173-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-137-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-139-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-138-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-140-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-141-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-174-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-172-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-170-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-142-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-143-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-171-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-144-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-145-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-146-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-147-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-148-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-169-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-149-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-168-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-167-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-120-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-165-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-164-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-163-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-162-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-161-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-160-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-159-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-158-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-157-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-156-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-154-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-155-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-153-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-151-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-150-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1928-181-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/2052-906-0x0000000000000000-mapping.dmp

Download
memory/2380-888-0x0000000000000000-mapping.dmp

Download
memory/2612-297-0x0000000000000000-mapping.dmp

Download
memory/2620-298-0x0000000000000000-mapping.dmp

Download
memory/2644-260-0x0000000000000000-mapping.dmp

Download
memory/2696-295-0x0000000000000000-mapping.dmp

Download
memory/2816-296-0x0000000000000000-mapping.dmp

Download
memory/2816-897-0x0000000000000000-mapping.dmp

Download
memory/2884-315-0x0000000000000000-mapping.dmp

Download
memory/3100-292-0x0000000000000000-mapping.dmp

Download
memory/3216-375-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/3216-351-0x0000000000000000-mapping.dmp

Download
memory/3388-313-0x0000000000000000-mapping.dmp

Download
memory/3424-184-0x0000000000000000-mapping.dmp

Download
memory/3424-185-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3424-186-0x0000000077D70000-0x0000000077EFE000-memory.dmp

Filesize
1.6MB

Download
memory/3428-320-0x0000000000000000-mapping.dmp

Download
memory/3460-898-0x0000000000000000-mapping.dmp

Download
memory/3724-300-0x0000000000000000-mapping.dmp

Download
memory/3832-913-0x0000000000000000-mapping.dmp

Download
memory/3836-299-0x0000000000000000-mapping.dmp

Download
memory/3844-895-0x0000000000000000-mapping.dmp

Download
memory/3904-289-0x00000000015D0000-0x00000000015DC000-memory.dmp

Filesize
48KB

Download
memory/3904-290-0x00000000015E0000-0x00000000015EC000-memory.dmp

Filesize
48KB

Download
memory/3904-288-0x0000000001380000-0x000000000138C000-memory.dmp

Filesize
48KB

Download
memory/3904-287-0x0000000001360000-0x0000000001372000-memory.dmp

Filesize
72KB

Download
memory/3904-286-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download
memory/3904-283-0x0000000000000000-mapping.dmp

Download
memory/4316-887-0x0000000000000000-mapping.dmp

Download
memory/4324-305-0x0000000000000000-mapping.dmp

Download
memory/4420-508-0x0000000000000000-mapping.dmp

Download
memory/4424-761-0x0000000000000000-mapping.dmp

Download
memory/4492-917-0x0000000000000000-mapping.dmp

Download
memory/4516-919-0x0000000000000000-mapping.dmp

Download
memory/4592-893-0x0000000000000000-mapping.dmp

Download
memory/4596-890-0x0000000000000000-mapping.dmp

Download
memory/4664-902-0x0000000000000000-mapping.dmp

Download
memory/4776-885-0x0000000000000000-mapping.dmp

Download
memory/4812-301-0x0000000000000000-mapping.dmp

Download
memory/4812-408-0x0000027559FE0000-0x000002755A056000-memory.dmp

Filesize
472KB

Download
memory/4816-909-0x0000000000000000-mapping.dmp

Download
memory/4820-908-0x0000000000000000-mapping.dmp

Download
memory/5244-892-0x0000000000000000-mapping.dmp

Download
memory/5344-920-0x0000000000000000-mapping.dmp

Download
memory/5396-863-0x0000000002300000-0x0000000002312000-memory.dmp

Filesize
72KB

Download
memory/5396-860-0x0000000000000000-mapping.dmp

Download
memory/5504-864-0x0000000000000000-mapping.dmp

Download
memory/5560-866-0x0000000000000000-mapping.dmp

Download
memory/5580-867-0x0000000000000000-mapping.dmp

Download
memory/5680-869-0x0000000000000000-mapping.dmp

Download
memory/5736-871-0x0000000000000000-mapping.dmp

Download
memory/5772-872-0x0000000000000000-mapping.dmp

Download
memory/5872-874-0x0000000000000000-mapping.dmp

Download
memory/5928-876-0x0000000000000000-mapping.dmp

Download
memory/5948-877-0x0000000000000000-mapping.dmp

Download
memory/6048-879-0x0000000000000000-mapping.dmp

Download
memory/6104-881-0x0000000000000000-mapping.dmp

Download
memory/6124-884-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/6124-882-0x0000000000000000-mapping.dmp

Download