dcrat | 12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f.exe
Size

1.3MB
MD5

7ebd8a583a301c4cc57aa697a7583bc6
SHA1

1b152813651c6687f411ed15dfbdf4c1f4e350e6
SHA256

12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f
SHA512

d9f90d6e9ea9c496206310f22041d5164f21ebc58c5cffd26127293bb8b6c4a2d7fd6c287bdee9d74aacacd7ae1e7424f4e22cf4054e4dbe346c0f36e3bfd313
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3912	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3912	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4244-282-0x00000000004D0000-0x00000000005E0000-memory.dmp	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat
C:\odt\cmd.exe	dcrat

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
4244	DllCommonsvc.exe
4604	cmd.exe
5804	cmd.exe
6024	cmd.exe
1688	cmd.exe
5468	cmd.exe
1304	cmd.exe
3740	cmd.exe
4168	cmd.exe
4216	cmd.exe
4384	cmd.exe
5688	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Panther\setup.exe\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\setup.exe\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Provisioning\Packages\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Provisioning\Packages\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\services.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\services.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4484	schtasks.exe
4368	schtasks.exe
804	schtasks.exe
1300	schtasks.exe
3304	schtasks.exe
2200	schtasks.exe
3708	schtasks.exe
4960	schtasks.exe
4548	schtasks.exe
3200	schtasks.exe
1056	schtasks.exe
288	schtasks.exe
2288	schtasks.exe
4536	schtasks.exe
4876	schtasks.exe
1572	schtasks.exe
2228	schtasks.exe
2256	schtasks.exe
4988	schtasks.exe
4468	schtasks.exe
4396	schtasks.exe
1360	schtasks.exe
368	schtasks.exe
1820	schtasks.exe
2948	schtasks.exe
5104	schtasks.exe
1012	schtasks.exe
736	schtasks.exe
2088	schtasks.exe
2760	schtasks.exe
212	schtasks.exe
3768	schtasks.exe
4956	schtasks.exe
4448	schtasks.exe
4388	schtasks.exe
4444	schtasks.exe
3208	schtasks.exe
420	schtasks.exe
1104	schtasks.exe
4348	schtasks.exe
1760	schtasks.exe
4200	schtasks.exe
968	schtasks.exe
996	schtasks.exe
3788	schtasks.exe
580	schtasks.exe
4476	schtasks.exe
4576	schtasks.exe
312	schtasks.exe
2244	schtasks.exe
1792	schtasks.exe

Modifies registry class 12 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.exe12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exe

pid	process
4244	DllCommonsvc.exe
4244	DllCommonsvc.exe
4244	DllCommonsvc.exe
4244	DllCommonsvc.exe
4244	DllCommonsvc.exe
4244	DllCommonsvc.exe
4244	DllCommonsvc.exe
4244	DllCommonsvc.exe
4244	DllCommonsvc.exe
2676	powershell.exe
2676	powershell.exe
2552	powershell.exe
2552	powershell.exe
1608	powershell.exe
1608	powershell.exe
3896	powershell.exe
3896	powershell.exe
2676	powershell.exe
2552	powershell.exe
1608	powershell.exe
3896	powershell.exe
2408	powershell.exe
2408	powershell.exe
2408	powershell.exe
3588	powershell.exe
3588	powershell.exe
2552	powershell.exe
3512	powershell.exe
3512	powershell.exe
4636	powershell.exe
4636	powershell.exe
2676	powershell.exe
3896	powershell.exe
1608	powershell.exe
2408	powershell.exe
4636	powershell.exe
4364	powershell.exe
4364	powershell.exe
2072	powershell.exe
2072	powershell.exe
4084	powershell.exe
4084	powershell.exe
4740	powershell.exe
4740	powershell.exe
2928	powershell.exe
2928	powershell.exe
4112	powershell.exe
4112	powershell.exe
2880	powershell.exe
2880	powershell.exe
4636	powershell.exe
3512	powershell.exe
4828	powershell.exe
4828	powershell.exe
2928	powershell.exe
1996	powershell.exe
1996	powershell.exe
3316	powershell.exe
3316	powershell.exe
3588	powershell.exe
4084	powershell.exe
4604	cmd.exe
4604	cmd.exe
4364	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4244	DllCommonsvc.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	4604	cmd.exe
Token: SeIncreaseQuotaPrivilege	2552	powershell.exe
Token: SeSecurityPrivilege	2552	powershell.exe
Token: SeTakeOwnershipPrivilege	2552	powershell.exe
Token: SeLoadDriverPrivilege	2552	powershell.exe
Token: SeSystemProfilePrivilege	2552	powershell.exe
Token: SeSystemtimePrivilege	2552	powershell.exe
Token: SeProfSingleProcessPrivilege	2552	powershell.exe
Token: SeIncBasePriorityPrivilege	2552	powershell.exe
Token: SeCreatePagefilePrivilege	2552	powershell.exe
Token: SeBackupPrivilege	2552	powershell.exe
Token: SeRestorePrivilege	2552	powershell.exe
Token: SeShutdownPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeSystemEnvironmentPrivilege	2552	powershell.exe
Token: SeRemoteShutdownPrivilege	2552	powershell.exe
Token: SeUndockPrivilege	2552	powershell.exe
Token: SeManageVolumePrivilege	2552	powershell.exe
Token: 33	2552	powershell.exe
Token: 34	2552	powershell.exe
Token: 35	2552	powershell.exe
Token: 36	2552	powershell.exe
Token: SeIncreaseQuotaPrivilege	1608	powershell.exe
Token: SeSecurityPrivilege	1608	powershell.exe
Token: SeTakeOwnershipPrivilege	1608	powershell.exe
Token: SeLoadDriverPrivilege	1608	powershell.exe
Token: SeSystemProfilePrivilege	1608	powershell.exe
Token: SeSystemtimePrivilege	1608	powershell.exe
Token: SeProfSingleProcessPrivilege	1608	powershell.exe
Token: SeIncBasePriorityPrivilege	1608	powershell.exe
Token: SeCreatePagefilePrivilege	1608	powershell.exe
Token: SeBackupPrivilege	1608	powershell.exe
Token: SeRestorePrivilege	1608	powershell.exe
Token: SeShutdownPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeSystemEnvironmentPrivilege	1608	powershell.exe
Token: SeRemoteShutdownPrivilege	1608	powershell.exe
Token: SeUndockPrivilege	1608	powershell.exe
Token: SeManageVolumePrivilege	1608	powershell.exe
Token: 33	1608	powershell.exe
Token: 34	1608	powershell.exe
Token: 35	1608	powershell.exe
Token: 36	1608	powershell.exe
Token: SeIncreaseQuotaPrivilege	2676	powershell.exe
Token: SeSecurityPrivilege	2676	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f.exeWScript.execmd.exeDllCommonsvc.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2700 wrote to memory of 4972	2700	12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f.exe	WScript.exe
PID 2700 wrote to memory of 4972	2700	12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f.exe	WScript.exe
PID 2700 wrote to memory of 4972	2700	12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f.exe	WScript.exe
PID 4972 wrote to memory of 4400	4972	WScript.exe	cmd.exe
PID 4972 wrote to memory of 4400	4972	WScript.exe	cmd.exe
PID 4972 wrote to memory of 4400	4972	WScript.exe	cmd.exe
PID 4400 wrote to memory of 4244	4400	cmd.exe	DllCommonsvc.exe
PID 4400 wrote to memory of 4244	4400	cmd.exe	DllCommonsvc.exe
PID 4244 wrote to memory of 2676	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2676	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 1608	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 1608	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2552	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2552	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2408	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2408	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 3896	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 3896	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 3512	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 3512	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4636	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4636	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 3588	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 3588	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4364	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4364	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4084	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4084	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2072	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2072	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4740	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4740	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2928	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2928	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2880	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 2880	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4112	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4112	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4828	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4828	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 1996	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 1996	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 3316	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 3316	4244	DllCommonsvc.exe	powershell.exe
PID 4244 wrote to memory of 4604	4244	DllCommonsvc.exe	cmd.exe
PID 4244 wrote to memory of 4604	4244	DllCommonsvc.exe	cmd.exe
PID 4604 wrote to memory of 5928	4604	cmd.exe	cmd.exe
PID 4604 wrote to memory of 5928	4604	cmd.exe	cmd.exe
PID 5928 wrote to memory of 5216	5928	cmd.exe	w32tm.exe
PID 5928 wrote to memory of 5216	5928	cmd.exe	w32tm.exe
PID 5928 wrote to memory of 5804	5928	cmd.exe	cmd.exe
PID 5928 wrote to memory of 5804	5928	cmd.exe	cmd.exe
PID 5804 wrote to memory of 5476	5804	cmd.exe	cmd.exe
PID 5804 wrote to memory of 5476	5804	cmd.exe	cmd.exe
PID 5476 wrote to memory of 5992	5476	cmd.exe	w32tm.exe
PID 5476 wrote to memory of 5992	5476	cmd.exe	w32tm.exe
PID 5476 wrote to memory of 6024	5476	cmd.exe	cmd.exe
PID 5476 wrote to memory of 6024	5476	cmd.exe	cmd.exe
PID 6024 wrote to memory of 5720	6024	cmd.exe	cmd.exe
PID 6024 wrote to memory of 5720	6024	cmd.exe	cmd.exe
PID 5720 wrote to memory of 6128	5720	cmd.exe	w32tm.exe
PID 5720 wrote to memory of 6128	5720	cmd.exe	w32tm.exe
PID 5720 wrote to memory of 1688	5720	cmd.exe	cmd.exe
PID 5720 wrote to memory of 1688	5720	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f.exe
"C:\Users\Admin\AppData\Local\Temp\12850da293286fc5b3378daa118f53bb7b3b70c7f509277985ea0a7c125faf2f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5216
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5992
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:6128
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
        12⤵
        
        PID:5268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:6072
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        14⤵
        
        PID:396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3052
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
        16⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4568
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        18⤵
        
        PID:968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5676
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
        20⤵
        
        PID:5680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4788
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        22⤵
        
        PID:3708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:5708
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
        24⤵
        
        PID:4184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:584
        
        C:\odt\cmd.exe
        
        "C:\odt\cmd.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
        26⤵
        
        PID:5392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteDesktops\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\Packages\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Packages\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\AppData\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\AppData\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51b1053567e9fe2c2105ff0c490b0295

SHA1
70f94b902876037dc4432eaca59e04a75127e136

SHA256
8aacc2215d348838a03a629968b5e3618669680431cc57e54a45e8d1b348ea1a

SHA512
34b8e1839f141fca9a2a7c2458ce7a2704f4242d96b3563e092638d5adce6d30a8045f96ffafafb8cdc6ba8d996ee9512a9282d4fe5f3011909eca999d4ff970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4193c1f7eae584408db767971783ec29

SHA1
52a2504a97d744b5d38121c00121d798303266f7

SHA256
fb714b578fa6f4052de6270d060aa2e79ca66855ef6081cd6e2561c6fb473e9a

SHA512
08cecbf01ad4dc7521b39c9a7d0046a5828bada721a8a3a03857b81e282b3191513ad2e500c52634d50276b5b5c2cbb5211833a39fb414040232be7d3e3d9090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8cbe13e5742547a4fd5ddffdb997aebc

SHA1
1bd2933e4e5c9f73f91fc27a04929a08ed36131e

SHA256
6aae6f378e9be63b8012289777ba06376928d2a22e40ce49a1a80a292c135f47

SHA512
110cdb4bdd102bd28824e5fbe02970ab6854c973e2466baa5c001748a4a25c6faee1dacb7837ddf6c19d927cb5d4a80f4989f770ba774a4f2ffa8b21207a6ae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8cbe13e5742547a4fd5ddffdb997aebc

SHA1
1bd2933e4e5c9f73f91fc27a04929a08ed36131e

SHA256
6aae6f378e9be63b8012289777ba06376928d2a22e40ce49a1a80a292c135f47

SHA512
110cdb4bdd102bd28824e5fbe02970ab6854c973e2466baa5c001748a4a25c6faee1dacb7837ddf6c19d927cb5d4a80f4989f770ba774a4f2ffa8b21207a6ae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e850f9616294bcd59d41793de0112b6c

SHA1
7685f6be57c5b0e5efa9a9ce4fc78967ed47b0fc

SHA256
783326772323cf7976265ecda68f9fc75bfdb5dd64104cb970921fd94e30e6dc

SHA512
01fa04c15f9946d5c5b2170bc07d47ef525d81d47297a8bbd939fc1029bb559e28e550635712b98faafa3eb2e862909f9466d61b93062b0bef05d6afb7127481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
753fc24027e3df4df159b6d7db1fccc1

SHA1
064f1218ca8b295ecf92133882d1122b0d1dc80b

SHA256
faa6465199a8c96e2e19af7ad81237b1a977f9deb84b7090ae3af69a0b3baf34

SHA512
37fcce9dd7c8e5fd64f8eadd926259042af5c7cc1b707a6741274c86e3c33c94bbada984a45f9e46e7f8c73e7e8c6b811b486a3052b400d55d4ff5cf0d549f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bac02a62a7706a584237467916327b6d

SHA1
81f2ae6832ed71135b5f59e5bd81cb7cee2cb878

SHA256
cec64e60358a56b8af184cde771085b8fc2569c03ef218db6e47f410ed32bfcd

SHA512
b074a0e50c2cb7b3ad5acba5c0690b865caf4023ea8b68285a0e0744f7a5c17a313c52af49775563ccb7e4dba7a0568670e37a6b8e282efd656505913d8e1188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d59337cf79ccc6eac5a4cb153225d98

SHA1
875fc093920d0e4faad86092445f8965911fb25d

SHA256
a350c8824f5ede840a4c95c5e1fd7c0678c9c9500111fa26aa9b9af9f4e839da

SHA512
7f5c7d70381122881f0a59f786be8f27c15353ab8b6a5c38498938a24f3f91874325f73d194cc5c1a7a04f06ab57d7ec52f4c7aecedfff9bfdc1282939d81a88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6dccfabc937bba36c2f83e0a8276accd

SHA1
ed0c6bcfe1cbad84d1719028e36d8db8e3fad99c

SHA256
aef6a63157a1f420bd13a5f6e5c65ae8f187c395c8ee46e6cd4961852c97d546

SHA512
951110e1585cf66008b2b38628a0f6f48076b806f0c72855d2bf23f89a5080fcb2d31a198a82203aa3cd21cf63963efd1b0a7a60e8e04171b4e28b5e7a134bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6dccfabc937bba36c2f83e0a8276accd

SHA1
ed0c6bcfe1cbad84d1719028e36d8db8e3fad99c

SHA256
aef6a63157a1f420bd13a5f6e5c65ae8f187c395c8ee46e6cd4961852c97d546

SHA512
951110e1585cf66008b2b38628a0f6f48076b806f0c72855d2bf23f89a5080fcb2d31a198a82203aa3cd21cf63963efd1b0a7a60e8e04171b4e28b5e7a134bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9581e86410a03631045be6e0cce9a5ec

SHA1
fc560a6baf312537e44e0b73851a89eac93fe845

SHA256
d3c2f7cce5f35ca25e6a4a0180062483c2bd1cfeb26abb5eef74526efe255185

SHA512
57c96f8004b67d21ec7dc6748d2cc769364689f1cdcd388da44fd68b62cc76ed0f40875e0949c03dd921e33713268e62b45b870d7a4aa9d1dcd89e2a806c48f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3bd391ee570752f315a9beaab53ee14

SHA1
da045aeafbcf6e4e9cb40c2f249551aa16ce04a9

SHA256
266e5e1d8579bf4bd14904110d518645b9095faa3b9b41a35f19f720f8bd384e

SHA512
07b24f2900457b7c6c1cdc8c888342a019603d680e46fc8e55493e707ec881f64e69741beb821b49a6308c93b01c4e344f48b1942cafa0892afdc36949ccf67a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3bd391ee570752f315a9beaab53ee14

SHA1
da045aeafbcf6e4e9cb40c2f249551aa16ce04a9

SHA256
266e5e1d8579bf4bd14904110d518645b9095faa3b9b41a35f19f720f8bd384e

SHA512
07b24f2900457b7c6c1cdc8c888342a019603d680e46fc8e55493e707ec881f64e69741beb821b49a6308c93b01c4e344f48b1942cafa0892afdc36949ccf67a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d40816fa26b7bfd9e28b102256b64dfa

SHA1
a91d0f1682b7c1d1dd94769f7c3895a4123858d9

SHA256
94a044391f5a1fd0b6c7cedf2707f5539d90efb7a7f7cdac838ea1beb29a1199

SHA512
052a76cb6b778e926e1cfadaddba6fb90c0dde580c0f3c70c3ad8c0f8d23e95ff29f39a7db30c69f926c63fa275e7824becf9704dc798381813cba41a1df05fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d40816fa26b7bfd9e28b102256b64dfa

SHA1
a91d0f1682b7c1d1dd94769f7c3895a4123858d9

SHA256
94a044391f5a1fd0b6c7cedf2707f5539d90efb7a7f7cdac838ea1beb29a1199

SHA512
052a76cb6b778e926e1cfadaddba6fb90c0dde580c0f3c70c3ad8c0f8d23e95ff29f39a7db30c69f926c63fa275e7824becf9704dc798381813cba41a1df05fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f933b45f6d7f15f7f5f9e443fb10f4a5

SHA1
8da9aba2f79a594303c5db04120683b4790f8033

SHA256
0e314f794ef3be912e8fa708e99cea12151a8d3c9198a80b51b84fb13d8e7f9f

SHA512
bc3e46a87835372fe73d622cd1fc039014ffa6e6a24053053115532a2ff3553b96e9f2354392cd6f78fb1566542beb5f61c81a05d4c73919f79000ab3c49ee79

Download Submit
C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat

Filesize
179B

MD5
27afcaf4d5c144cac91b7f61c6092f8e

SHA1
9c5e468bd0ed0eb11f68a2e4527f202cfeb60be6

SHA256
bf3624ff42e6949abbdcae0c6682f3c438ce3ac5751f34aec0283587bc321b6d

SHA512
4bae0b0f5608ff39578694f030ed9f699815e58b41e1543f9dabbdc05e6ab6de1376f154c82eacff236cf145c46725b24458e840843c4471a519cab09c235b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat

Filesize
179B

MD5
e8db3fa991b3a59447e1de97dc38ebb0

SHA1
0476f2a45cba7f3ee5bc03e32aec187c8c9c04ba

SHA256
a9ba08673c36f63f2f69826271dd538b497edba89949b5536dccb92c7d558dc1

SHA512
1015f1ab387f4697a6186f4c1c037f6eb0bfaf708a010285d242848250894f1e3e836c34f5005d75811a270ed3896e59b89ecbc9fa2f8a793bf285e463b8a427

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
179B

MD5
2c16e7af349fd800b5e6e5f5a9bc807e

SHA1
ebcc32d3d3c46a33464f9820dfb222cb59e44a32

SHA256
007bb8fcd1b9405c79ce549f7ee044f6f2f56cf655aa313c40843d46cb977bce

SHA512
a6800084f3cfca8735b316f84bff5fea0398f96641168f8beb8a0313542ee9d0e548f666797fd1abd085aa2d78573537d129fd6009db8b90fca7dc1910de1c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
179B

MD5
1bc77fcf51674985d855c13c04e02be9

SHA1
04eaa6ef3eb2c51faf00a48465c5467ef48be29e

SHA256
c9edf4c0be6ca663165df888dafc07437c57a770c5541953f321d090a2b6de34

SHA512
a6c1d6445b529a311980965ea71940b0047edfd451da2def1044a2fc837ed5afcc634a01b5792a950c5a0f0b3583ad82ba9a007dd7c1bb6807ff16604fa9a470

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
179B

MD5
dee60bd346753ad5fdff9b0b8f52ef8d

SHA1
eecbaf085604df4d21090254ed3836707b765c8c

SHA256
155203bf28e71c14f1a4779ef86ccff00e95e6230c40047381c48db32b9acd14

SHA512
04f722e531b8e17a2ba0d8811b76a12feadb22908f2135d10cf26e6d7562f5b461d7bd674a46125ba4da6ee5c8d981c824bac726e14c76eb53b798b152dfb338

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
179B

MD5
111a7a472691b01b55cad27167f1aaaf

SHA1
43d7a8d39ba560582543703b7afd0c19a15a42d7

SHA256
7c82a70a3ad14193ce2a8a67a04e6fc76c2f0b5adc750631cd5acbbb3fb08b27

SHA512
948a2316d8e865a4167b86eb5995c9411562f4cf9d507f4917a2f44636ee01decd0cbf6b373a243ff3503697b88bf7e92269445c25d7ad5bc285db54dde2b0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

Filesize
179B

MD5
2d5f622a02183d97b4d189227d722e91

SHA1
9a03882572d77dbcb45e7ee52379dbecd3420965

SHA256
05c196967cada057d2812c91fdebd05b965273aead6797aee39a9f64a3227c6b

SHA512
751b9abff0ecd3dd2fcffec34d9f6ee6ca5cab855db6804f4ed9b8b3112eafc0cb7b90b6508e0129aa4ccd80a62b452cb36b11c66e8eb507015209120f2783bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat

Filesize
179B

MD5
6c45f174301302b9e8c08407932f99c2

SHA1
bc1952d00df310c58d9a6431b8b179e4ca282d76

SHA256
048f56eac4d61685f1ef5b3cb8ca017838d62e34090d57959762f242d47fc3ac

SHA512
ae5d3d8b332823d92b17a4a7aa64b4b52cca01572663d7e49dccf43fa2921821d9937bcae428a42193bc009649a29915f87cb4a18522602ae61dac8e70ba4727

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat

Filesize
179B

MD5
622d26f30acf17760af015f2cc421a36

SHA1
ae0cc2f604125191b0dff6343135fa1b5776a159

SHA256
41ea0be1162323d8179d74cdbd57e3769803f815dd774e0919928e6e8ffab04f

SHA512
7192d4717ee7db4969dc06bb9297f8eb50473666c01205f30706159fa135e8c057fa7ac210c1a61094cf9f9c9d24a3c3cd8ac0af3396f794df1a18324833b1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

Filesize
179B

MD5
09b085dde18a042a619c15bbd6e7911a

SHA1
1741353eb79859fa808cccd572bb9fe49ad90288

SHA256
7c2ccc433d5f53ac0cfdac6857b90ff75c3517a7e6dad37c5e767f4cd35daa82

SHA512
f23dbcd6dc2aeb496f7b6fc88d3545af6621ddc609f722ca06c5ae77388af60cf6baeb59b68c62c2611359c44000560e41a8cbb09fa73bf3e551721e07b7635a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
179B

MD5
579b99086e83f725023408b6aaabe5b0

SHA1
233fc075daaaab2cf81ab23028e7726fdbd8dc7f

SHA256
648c5a53bb49b41b4b1562401dc5b9f97e0c628319e270f0c803e7c382ba3449

SHA512
21fbd39ee43d62f71d0afb69d91a61667f1d3d85746e1954fb69ea4cce74b8a7065ba8d10686b20a5454be432c383844816e224322913a9c17a72c57ef98f516

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/396-999-0x0000000000000000-mapping.dmp

Download
memory/584-1029-0x0000000000000000-mapping.dmp

Download
memory/968-1010-0x0000000000000000-mapping.dmp

Download
memory/1304-1002-0x0000000000000000-mapping.dmp

Download
memory/1608-288-0x0000000000000000-mapping.dmp

Download
memory/1688-991-0x0000000000000000-mapping.dmp

Download
memory/1688-993-0x0000000001060000-0x0000000001072000-memory.dmp

Filesize
72KB

Download
memory/1996-323-0x0000000000000000-mapping.dmp

Download
memory/2072-298-0x0000000000000000-mapping.dmp

Download
memory/2408-290-0x0000000000000000-mapping.dmp

Download
memory/2552-289-0x0000000000000000-mapping.dmp

Download
memory/2664-1004-0x0000000000000000-mapping.dmp

Download
memory/2676-372-0x000001ACF92D0000-0x000001ACF92F2000-memory.dmp

Filesize
136KB

Download
memory/2676-287-0x0000000000000000-mapping.dmp

Download
memory/2676-389-0x000001ACF9600000-0x000001ACF9676000-memory.dmp

Filesize
472KB

Download
memory/2700-149-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-152-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-178-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-182-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-177-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-176-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-175-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-174-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-173-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-172-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-171-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-170-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-169-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-168-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-166-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-167-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-165-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-164-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-163-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-162-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-161-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-160-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-159-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-158-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-157-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-156-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-117-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-116-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-155-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-154-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-118-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-119-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-153-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-179-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-151-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-150-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-148-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-147-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-146-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-143-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-142-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-141-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-140-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-139-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-138-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-137-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-136-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-135-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-134-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-133-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-132-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-131-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-130-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-129-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-128-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-127-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-126-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-125-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-124-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-122-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-121-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/2880-312-0x0000000000000000-mapping.dmp

Download
memory/2928-306-0x0000000000000000-mapping.dmp

Download
memory/3052-1001-0x0000000000000000-mapping.dmp

Download
memory/3316-330-0x0000000000000000-mapping.dmp

Download
memory/3512-292-0x0000000000000000-mapping.dmp

Download
memory/3588-294-0x0000000000000000-mapping.dmp

Download
memory/3708-1022-0x0000000000000000-mapping.dmp

Download
memory/3740-1009-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/3740-1007-0x0000000000000000-mapping.dmp

Download
memory/3896-291-0x0000000000000000-mapping.dmp

Download
memory/4084-296-0x0000000000000000-mapping.dmp

Download
memory/4112-315-0x0000000000000000-mapping.dmp

Download
memory/4168-1013-0x0000000000000000-mapping.dmp

Download
memory/4168-1015-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/4184-1027-0x0000000000000000-mapping.dmp

Download
memory/4216-1019-0x0000000000000000-mapping.dmp

Download
memory/4216-1021-0x00000000011C0000-0x00000000011D2000-memory.dmp

Filesize
72KB

Download
memory/4244-283-0x0000000002840000-0x0000000002852000-memory.dmp

Filesize
72KB

Download
memory/4244-282-0x00000000004D0000-0x00000000005E0000-memory.dmp

Filesize
1.1MB

Download
memory/4244-285-0x0000000002860000-0x000000000286C000-memory.dmp

Filesize
48KB

Download
memory/4244-284-0x0000000002850000-0x000000000285C000-memory.dmp

Filesize
48KB

Download
memory/4244-286-0x0000000002870000-0x000000000287C000-memory.dmp

Filesize
48KB

Download
memory/4244-279-0x0000000000000000-mapping.dmp

Download
memory/4364-295-0x0000000000000000-mapping.dmp

Download
memory/4384-1025-0x0000000000000000-mapping.dmp

Download
memory/4400-256-0x0000000000000000-mapping.dmp

Download
memory/4568-1006-0x0000000000000000-mapping.dmp

Download
memory/4604-371-0x0000000000000000-mapping.dmp

Download
memory/4636-293-0x0000000000000000-mapping.dmp

Download
memory/4740-303-0x0000000000000000-mapping.dmp

Download
memory/4748-1034-0x0000000000000000-mapping.dmp

Download
memory/4788-1018-0x0000000000000000-mapping.dmp

Download
memory/4828-320-0x0000000000000000-mapping.dmp

Download
memory/4972-180-0x0000000000000000-mapping.dmp

Download
memory/4972-181-0x0000000077840000-0x00000000779CE000-memory.dmp

Filesize
1.6MB

Download
memory/5216-910-0x0000000000000000-mapping.dmp

Download
memory/5268-994-0x0000000000000000-mapping.dmp

Download
memory/5392-1032-0x0000000000000000-mapping.dmp

Download
memory/5468-997-0x0000000000000000-mapping.dmp

Download
memory/5476-983-0x0000000000000000-mapping.dmp

Download
memory/5676-1012-0x0000000000000000-mapping.dmp

Download
memory/5680-1016-0x0000000000000000-mapping.dmp

Download
memory/5688-1030-0x0000000000000000-mapping.dmp

Download
memory/5708-1024-0x0000000000000000-mapping.dmp

Download
memory/5720-988-0x0000000000000000-mapping.dmp

Download
memory/5804-982-0x0000000001000000-0x0000000001012000-memory.dmp

Filesize
72KB

Download
memory/5804-979-0x0000000000000000-mapping.dmp

Download
memory/5928-858-0x0000000000000000-mapping.dmp

Download
memory/5992-985-0x0000000000000000-mapping.dmp

Download
memory/6024-986-0x0000000000000000-mapping.dmp

Download
memory/6072-996-0x0000000000000000-mapping.dmp

Download
memory/6128-990-0x0000000000000000-mapping.dmp

Download