dcrat | a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559

Analysis

max time kernel
146s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559.exe
Size

1.3MB
MD5

8d3f8c7ff79c0bce2941bf8c78388995
SHA1

93fd8a3b0803f146baa97ee0f23d4795f7e12a0c
SHA256

a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559
SHA512

3efdbfdb5f0d3fae12c75e5b7f152620929c888eebe0b6e639c9bb142ca03a94bbd49ba1e79a3b4eb633872ca2fe5f2f84c420ecf7003bb335e02a4a3c4d0900
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	164	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	3788	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4264-282-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat
C:\Program Files\Mozilla Firefox\defaults\Idle.exe	dcrat

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

pid	process
4264	DllCommonsvc.exe
4868	Idle.exe
3020	Idle.exe
1220	Idle.exe
4008	Idle.exe
3192	Idle.exe
3744	Idle.exe
1628	Idle.exe
308	Idle.exe
1248	Idle.exe
3328	Idle.exe
4912	Idle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Policies\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description ioc process

File created C:\Windows\bcastdvr\SearchUI.exe DllCommonsvc.exe
File created C:\Windows\bcastdvr\dab4d89cac03ec DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\bcastdvr\SearchUI.exe	DllCommonsvc.exe
File created	C:\Windows\bcastdvr\dab4d89cac03ec	DllCommonsvc.exe

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4616	schtasks.exe
2204	schtasks.exe
1752	schtasks.exe
5032	schtasks.exe
3216	schtasks.exe
3292	schtasks.exe
748	schtasks.exe
3328	schtasks.exe
584	schtasks.exe
1808	schtasks.exe
3316	schtasks.exe
4584	schtasks.exe
4404	schtasks.exe
580	schtasks.exe
1432	schtasks.exe
1148	schtasks.exe
3132	schtasks.exe
4596	schtasks.exe
4412	schtasks.exe
856	schtasks.exe
512	schtasks.exe
1200	schtasks.exe
1740	schtasks.exe
640	schtasks.exe
4644	schtasks.exe
4640	schtasks.exe
5044	schtasks.exe
4008	schtasks.exe
4624	schtasks.exe
1384	schtasks.exe
1204	schtasks.exe
3332	schtasks.exe
5020	schtasks.exe
4940	schtasks.exe
4636	schtasks.exe
164	schtasks.exe
3996	schtasks.exe
4388	schtasks.exe
1628	schtasks.exe

Modifies registry class 12 IoCs

Processes:

DllCommonsvc.exeIdle.exeIdle.exea598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Idle.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
4264	DllCommonsvc.exe
220	powershell.exe
220	powershell.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
220	powershell.exe
2208	powershell.exe
2208	powershell.exe
2300	powershell.exe
1952	powershell.exe
1952	powershell.exe
2208	powershell.exe
220	powershell.exe
1952	powershell.exe
1000	powershell.exe
1000	powershell.exe
2460	powershell.exe
2460	powershell.exe
1952	powershell.exe
2208	powershell.exe
2908	powershell.exe
2908	powershell.exe
3052	powershell.exe
3052	powershell.exe
2740	powershell.exe
2740	powershell.exe
2908	powershell.exe
4704	powershell.exe
4704	powershell.exe
4732	powershell.exe
4732	powershell.exe
4752	powershell.exe
4752	powershell.exe
4848	powershell.exe
4848	powershell.exe
4352	powershell.exe
4352	powershell.exe
1000	powershell.exe
2908	powershell.exe
2460	powershell.exe
3052	powershell.exe
1000	powershell.exe
2740	powershell.exe
4732	powershell.exe
4704	powershell.exe
2460	powershell.exe
4752	powershell.exe
4848	powershell.exe
4352	powershell.exe
3052	powershell.exe
2740	powershell.exe
4704	powershell.exe
4732	powershell.exe
4848	powershell.exe
4752	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4264	DllCommonsvc.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeIncreaseQuotaPrivilege	2300	powershell.exe
Token: SeSecurityPrivilege	2300	powershell.exe
Token: SeTakeOwnershipPrivilege	2300	powershell.exe
Token: SeLoadDriverPrivilege	2300	powershell.exe
Token: SeSystemProfilePrivilege	2300	powershell.exe
Token: SeSystemtimePrivilege	2300	powershell.exe
Token: SeProfSingleProcessPrivilege	2300	powershell.exe
Token: SeIncBasePriorityPrivilege	2300	powershell.exe
Token: SeCreatePagefilePrivilege	2300	powershell.exe
Token: SeBackupPrivilege	2300	powershell.exe
Token: SeRestorePrivilege	2300	powershell.exe
Token: SeShutdownPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeSystemEnvironmentPrivilege	2300	powershell.exe
Token: SeRemoteShutdownPrivilege	2300	powershell.exe
Token: SeUndockPrivilege	2300	powershell.exe
Token: SeManageVolumePrivilege	2300	powershell.exe
Token: 33	2300	powershell.exe
Token: 34	2300	powershell.exe
Token: 35	2300	powershell.exe
Token: 36	2300	powershell.exe
Token: SeIncreaseQuotaPrivilege	220	powershell.exe
Token: SeSecurityPrivilege	220	powershell.exe
Token: SeTakeOwnershipPrivilege	220	powershell.exe
Token: SeLoadDriverPrivilege	220	powershell.exe
Token: SeSystemProfilePrivilege	220	powershell.exe
Token: SeSystemtimePrivilege	220	powershell.exe
Token: SeProfSingleProcessPrivilege	220	powershell.exe
Token: SeIncBasePriorityPrivilege	220	powershell.exe
Token: SeCreatePagefilePrivilege	220	powershell.exe
Token: SeBackupPrivilege	220	powershell.exe
Token: SeRestorePrivilege	220	powershell.exe
Token: SeShutdownPrivilege	220	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeSystemEnvironmentPrivilege	220	powershell.exe
Token: SeRemoteShutdownPrivilege	220	powershell.exe
Token: SeUndockPrivilege	220	powershell.exe
Token: SeManageVolumePrivilege	220	powershell.exe
Token: 33	220	powershell.exe
Token: 34	220	powershell.exe
Token: 35	220	powershell.exe
Token: 36	220	powershell.exe
Token: SeIncreaseQuotaPrivilege	1952	powershell.exe
Token: SeSecurityPrivilege	1952	powershell.exe
Token: SeTakeOwnershipPrivilege	1952	powershell.exe
Token: SeLoadDriverPrivilege	1952	powershell.exe
Token: SeSystemProfilePrivilege	1952	powershell.exe
Token: SeSystemtimePrivilege	1952	powershell.exe
Token: SeProfSingleProcessPrivilege	1952	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559.exeWScript.execmd.exeDllCommonsvc.execmd.exeIdle.execmd.exeIdle.execmd.exeIdle.execmd.exeIdle.execmd.exe

description	pid	process	target process
PID 1756 wrote to memory of 3956	1756	a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559.exe	WScript.exe
PID 1756 wrote to memory of 3956	1756	a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559.exe	WScript.exe
PID 1756 wrote to memory of 3956	1756	a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559.exe	WScript.exe
PID 3956 wrote to memory of 3352	3956	WScript.exe	cmd.exe
PID 3956 wrote to memory of 3352	3956	WScript.exe	cmd.exe
PID 3956 wrote to memory of 3352	3956	WScript.exe	cmd.exe
PID 3352 wrote to memory of 4264	3352	cmd.exe	DllCommonsvc.exe
PID 3352 wrote to memory of 4264	3352	cmd.exe	DllCommonsvc.exe
PID 4264 wrote to memory of 220	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 220	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2300	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2300	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2208	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2208	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 1952	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 1952	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 1000	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 1000	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2460	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2460	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2908	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2908	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 3052	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 3052	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2740	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 2740	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4704	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4704	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4732	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4732	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4752	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4752	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4848	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4848	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4352	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4352	4264	DllCommonsvc.exe	powershell.exe
PID 4264 wrote to memory of 4764	4264	DllCommonsvc.exe	cmd.exe
PID 4264 wrote to memory of 4764	4264	DllCommonsvc.exe	cmd.exe
PID 4764 wrote to memory of 4484	4764	cmd.exe	w32tm.exe
PID 4764 wrote to memory of 4484	4764	cmd.exe	w32tm.exe
PID 4764 wrote to memory of 4868	4764	cmd.exe	Idle.exe
PID 4764 wrote to memory of 4868	4764	cmd.exe	Idle.exe
PID 4868 wrote to memory of 3380	4868	Idle.exe	cmd.exe
PID 4868 wrote to memory of 3380	4868	Idle.exe	cmd.exe
PID 3380 wrote to memory of 4624	3380	cmd.exe	w32tm.exe
PID 3380 wrote to memory of 4624	3380	cmd.exe	w32tm.exe
PID 3380 wrote to memory of 3020	3380	cmd.exe	Idle.exe
PID 3380 wrote to memory of 3020	3380	cmd.exe	Idle.exe
PID 3020 wrote to memory of 1116	3020	Idle.exe	cmd.exe
PID 3020 wrote to memory of 1116	3020	Idle.exe	cmd.exe
PID 1116 wrote to memory of 4336	1116	cmd.exe	w32tm.exe
PID 1116 wrote to memory of 4336	1116	cmd.exe	w32tm.exe
PID 1116 wrote to memory of 1220	1116	cmd.exe	Idle.exe
PID 1116 wrote to memory of 1220	1116	cmd.exe	Idle.exe
PID 1220 wrote to memory of 2184	1220	Idle.exe	cmd.exe
PID 1220 wrote to memory of 2184	1220	Idle.exe	cmd.exe
PID 2184 wrote to memory of 5028	2184	cmd.exe	w32tm.exe
PID 2184 wrote to memory of 5028	2184	cmd.exe	w32tm.exe
PID 2184 wrote to memory of 4008	2184	cmd.exe	Idle.exe
PID 2184 wrote to memory of 4008	2184	cmd.exe	Idle.exe
PID 4008 wrote to memory of 3772	4008	Idle.exe	cmd.exe
PID 4008 wrote to memory of 3772	4008	Idle.exe	cmd.exe
PID 3772 wrote to memory of 4444	3772	cmd.exe	w32tm.exe
PID 3772 wrote to memory of 4444	3772	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559.exe
"C:\Users\Admin\AppData\Local\Temp\a598accc5f2469476adf3c39ba1396558b09bea2df4d37e2c900a33e56c67559.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\services.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\SearchUI.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8bjUD5NfX.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4484

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4624

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:4336

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:5028

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:4444

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
14⤵
- Executes dropped EXE
- Modifies registry class
PID:3192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
15⤵
PID:2308

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:2952

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
16⤵
- Executes dropped EXE
- Modifies registry class
PID:3744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
17⤵
PID:4304

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:992

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
18⤵
- Executes dropped EXE
- Modifies registry class
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
19⤵
PID:3416

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:4508

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
20⤵
- Executes dropped EXE
- Modifies registry class
PID:308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
21⤵
PID:4848

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:4032

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
22⤵
- Executes dropped EXE
- Modifies registry class
PID:1248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
23⤵
PID:2204

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:1440

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
24⤵
- Executes dropped EXE
- Modifies registry class
PID:3328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
25⤵
PID:4888

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:4916

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
"C:\Program Files\Mozilla Firefox\defaults\Idle.exe"
26⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Policies\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Policies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Policies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Policies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\bcastdvr\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Mozilla Firefox\defaults\Idle.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cc426d337f597f6f808484c3ac5e7ceb

SHA1
cf3de14a770f3cb17d8eacad2fcfaf360c80d6da

SHA256
5703420fc5e0801463c94871d0f29ca9702e01f45d92ee701e653bfe614db481

SHA512
40620285af304c2852e4a435dd00ec21b1c57efd8a9119e7ad384e893355aeaa0764c51c131520f4108a971610419bae3c7f1d48618be35d1cb97074615d556f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cc426d337f597f6f808484c3ac5e7ceb

SHA1
cf3de14a770f3cb17d8eacad2fcfaf360c80d6da

SHA256
5703420fc5e0801463c94871d0f29ca9702e01f45d92ee701e653bfe614db481

SHA512
40620285af304c2852e4a435dd00ec21b1c57efd8a9119e7ad384e893355aeaa0764c51c131520f4108a971610419bae3c7f1d48618be35d1cb97074615d556f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f73565d37dae344abf4f051e66714d67

SHA1
00f02f432e9ea3d32dc724dbbc507a176e08b145

SHA256
2ac9642d0a560a7b62ef02cbde3e70ea25047bf16017b6f2c1f23a60ac6130ae

SHA512
1030000e1d2d448a850ef68d08d6f654ebe2276ba495eb0f89d7fa46dec36418b7bb02a5c3a8d3577e9649c09f454fd36faf5622ccc0e54f713fd1b929d2f4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f73565d37dae344abf4f051e66714d67

SHA1
00f02f432e9ea3d32dc724dbbc507a176e08b145

SHA256
2ac9642d0a560a7b62ef02cbde3e70ea25047bf16017b6f2c1f23a60ac6130ae

SHA512
1030000e1d2d448a850ef68d08d6f654ebe2276ba495eb0f89d7fa46dec36418b7bb02a5c3a8d3577e9649c09f454fd36faf5622ccc0e54f713fd1b929d2f4e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
87d90c83121fc3408a7253eb5841399f

SHA1
8367fd2c75daf1b6dbf4501c2b068d7892962a0c

SHA256
c2dc34a546619ff3b34fcaca5e06bc3485661ce49acd3d219fa42f875bc2beb6

SHA512
7e96bb5f09338a34d9d1e773307979cb28ab10c7a6c1d585efe62d96352a1b7f5c39fc62b6e6d99fc689ffcd4a5af46da137f2730b4c6fd82d7043baeb026477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
87d90c83121fc3408a7253eb5841399f

SHA1
8367fd2c75daf1b6dbf4501c2b068d7892962a0c

SHA256
c2dc34a546619ff3b34fcaca5e06bc3485661ce49acd3d219fa42f875bc2beb6

SHA512
7e96bb5f09338a34d9d1e773307979cb28ab10c7a6c1d585efe62d96352a1b7f5c39fc62b6e6d99fc689ffcd4a5af46da137f2730b4c6fd82d7043baeb026477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
71e71ce7f5e9f7395078440322fef2e4

SHA1
5b1b1ceb09225486726c522a87564117a6938152

SHA256
c9c6ff232ccaf6e760ee5e650277ab9228a364e1e3646326e3a1de1527043031

SHA512
ba8cdf0d538757f6ea4fc293ad01e6dcd9a75691b24a98809b2230c68c34578d8589fa7bd511971425672feacfc9430f4f53e4e012ea6afa092ad4e33e5ce972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dcf3f4d84fe612d80ff2a7bd6c4fa586

SHA1
0dff84f725b0d801c184e5adb0feeb8d5ac8c1cc

SHA256
5999d92ff378693142eacb1c2daa5dfb8716bc339489d1f5114a2be409232b11

SHA512
2063e93c3feb16bfe4ff786a9120219812d42ba9fd52507e11daf98a57c0764c5b0827225cb1f6d27d43fd10d72ee9ceb510f5bab54c980a4f4fb8fb33301d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dcf3f4d84fe612d80ff2a7bd6c4fa586

SHA1
0dff84f725b0d801c184e5adb0feeb8d5ac8c1cc

SHA256
5999d92ff378693142eacb1c2daa5dfb8716bc339489d1f5114a2be409232b11

SHA512
2063e93c3feb16bfe4ff786a9120219812d42ba9fd52507e11daf98a57c0764c5b0827225cb1f6d27d43fd10d72ee9ceb510f5bab54c980a4f4fb8fb33301d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d3e1e8fe47329b49da1b3b43a3e4eb08

SHA1
6ce17d33db553fe58c4af212da6bac954c6fe1bb

SHA256
8cc4e31b3dc4a06e6e5cc612844e8f42c639d65c9a74dbc41ce20fccd983dfe4

SHA512
a8d4f03aa42f0478cbfdb3e83d3f31d502beb5769915acc1eeffb04ddca53b3d9270f97f1d33c54e12a485628d79e5abf7a8a36fee0f1093733e6986842e801c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ce9acca054de4eff2594cadf93f7d41c

SHA1
74b29faf69d0f96bd4f8cdf27395972d19ac435e

SHA256
1702ea94f84dde0dc139bd89782fa86eb16819fb81f9da43f98346958bf1b53f

SHA512
89e9a9e18c6d203da1961f56fd498f43697a67ce4dafb42a7cecbc211734b97f9487cc20778e02a22fa0ad255e97b1d718c00e7dd93bf1340de30a22a6cfdb37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
75424853e907aa1dba1431d2a271b530

SHA1
d3430254d27fb36054b51a8b9133bc41c4576f9a

SHA256
1e895052fe28abecca84b76a61f1470313fcf13600fb68097631efbfad6cede8

SHA512
3ed10115acc5c727c3abd04bbdfa240cca6972112a500e085433f31558ce2cfcfdde9d3d4603be1d27b2a05a173159495114a5de2ca8e2427d5c57e146635d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4fa1a5ed0b5a4405fd738cee04ab3ddc

SHA1
29aea989663d67ce25316f6c1ef2a7f827b919c7

SHA256
e88d533dd98636ff7d096c9e8718647b7d039e7d8a00a05651004c3d1fb153c4

SHA512
0e6f1cdafe07e675f7c01847437647ead27bf75297223ac13fa29235a77f7b2ad0fd67819e7efa150cf2b8e2233b163c07ef256cabf5883f9d99bc5487034035

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat
Filesize
215B

MD5
b4049ac2ef2490d6cdb3a96f153d8d0c

SHA1
5291e76cc428670a06ac55641e6f1056f1a5f24d

SHA256
d7ed3d79ae9e6b46e1b5060042b0a2d833188306ddaba51457c6d50b9614aafe

SHA512
74aac46c67bba8a1afe40ee99fd61bc93ff617866044189363f779a7bc5d8845cf8f10869c3812497289376e3fed25573bbd6e58f3ac94626c30835a193e6e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat
Filesize
215B

MD5
c4e643cf3191e14f15213d6bacc7f3d4

SHA1
9981b35ec7527c577a0e724aec5dc56b8ccde5fd

SHA256
26a0ad900457382250ffc2aa8bd7196f9ec829906a15a283aaedf6c5ded501c7

SHA512
9ba653b41d03ceaacded4d523b40b8e96dbde790a7d5ce45a4e2edf859eb4df284c199ff8ff0e3314d0c19d92d76129ff3964ad41f6d090cded8409880b29166

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat
Filesize
215B

MD5
5053af9e6199c9f68564e7cbf56a83cd

SHA1
e9a33a7cb199d92d12b96dba43f925b343cbae3e

SHA256
be414dab6c2e41cb2e1d2794c7178dddb4dbc5c72650364a90bfc35c00c95f0d

SHA512
58832d4a648489602d9ff634ca88cdf54725f7b5de2cbb7d9b54a2f39ee17e94e0e75a574349e0859b96706d073e0fe955e07959cfc67688b6e5f237a379259e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat
Filesize
215B

MD5
63bc4df9f4be3a060dced3f44e838c74

SHA1
3864be53c91468df57dc2fd5b82eef5a27fe626d

SHA256
5efe3108cbde06af6827af1a375b6c0deaf587fa582b5cde0c2ff4e37cfffd81

SHA512
1b0d814c365a5407a25d5729060626aa05527666a8e34a6a2cedb2d5f5082965b6dad4909f566eacd3b706bf6aa0938ba83bdb2225bbb450b9f653e17be42d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat
Filesize
215B

MD5
6f04803076f6c613e8ea2267a7be3d90

SHA1
f55166ed15951f9745ba16f14d5a1a8806798606

SHA256
8070cd94df6e77396c6d520abe188ced4e203625182c2e32c5a3de90143b108a

SHA512
31f13d4169ec19cfbadff9d0adb0870bc91c8c4fea359dbd1b441c05894478904eb76da100417d9bf9262448a6e98d35467d5ac66e5188bfac32aff621e0f395

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat
Filesize
215B

MD5
82453a4bcf67de7eca9d48f2c476fe6d

SHA1
02e649f8339bec9633535fcae0e761ebb23e96da

SHA256
4054b4481a4f2c4969a98da1c7b81bff954a778039b9f2ce2792ada28b9792d9

SHA512
59b4ce6cdc37e32ed9fe516f3d647b04e2355c530df39b29e8ecaa8a2bd5252516778366e7f71d1670ecdb6dc16a602091e9c76d20c1e0c7b75fb0db99f4e9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8bjUD5NfX.bat
Filesize
215B

MD5
519cc71ba9640bd70c4a8a36e6bd50aa

SHA1
b17ec3f6496ba00d24e8c823bfcc60a4f607c6d2

SHA256
5cfeac6b6707ccdb4efbe1d24c3f1217627e278c48a01791ead1b2a3b7b78378

SHA512
5be5125e441792f384bda9e7ddfdf9428aa20e5e0b2cdff383eb3981ac14214762a6926a39f33bebb591a4c8db0df9ca4bcc26bc4664e7b06a7e41d4b396c1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat
Filesize
215B

MD5
d2ee0d680378663ba55231b0a26cdb98

SHA1
13548ce03546185b101b825057564f5a06025db9

SHA256
e44dd24e4f7be3594e7ca944f56af892346821bc71a4931b29cae6c950d77243

SHA512
613a17e227fbbc67e6c3e07629470a56565b65aff7cdb24e828e235e73d0da53b61c638dbe8b469f30026ead4813125192205d4de8e9888e03ad02bc6ecf86c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat
Filesize
215B

MD5
d2ee0d680378663ba55231b0a26cdb98

SHA1
13548ce03546185b101b825057564f5a06025db9

SHA256
e44dd24e4f7be3594e7ca944f56af892346821bc71a4931b29cae6c950d77243

SHA512
613a17e227fbbc67e6c3e07629470a56565b65aff7cdb24e828e235e73d0da53b61c638dbe8b469f30026ead4813125192205d4de8e9888e03ad02bc6ecf86c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat
Filesize
215B

MD5
5b1d76f372412b82a8b62b3401351426

SHA1
906889fb7aed3e5fd654fe858f521b51158c1394

SHA256
3a7b41b469482ba100547d8f246b12bcf83cb6286b03c8afce4986ab76404988

SHA512
ea3907918f85cd68b940f89f6655f8305c0e61fb2c456249d626d9390473eb986d31fabc644d7fd2751b95f7d2795a5bccb5623e61efafbeb4596e7700fe607f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat
Filesize
215B

MD5
c17ebdca270d1caf3bc8efffb53f88b6

SHA1
ee1f4b787adfdbbdf66a1b7dbf2d7a9733e5cc97

SHA256
69fd2bc4dcb347d0fb65d6670dbada2043520a1c0d6870f58f4278a556936295

SHA512
fb9af58db654ff4ab4dcdda0a29c2b9f905fb77da510aa91f456f44a01e590b2c837e66e7180caed509c1bab318a1926df5390357bf836774d4692af38da3a73

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/220-287-0x0000000000000000-mapping.dmp

Download
memory/220-358-0x000001FAB7F80000-0x000001FAB7FA2000-memory.dmp

Filesize
136KB

Download
memory/308-843-0x0000000000000000-mapping.dmp

Download
memory/992-837-0x0000000000000000-mapping.dmp

Download
memory/1000-291-0x0000000000000000-mapping.dmp

Download
memory/1116-814-0x0000000000000000-mapping.dmp

Download
memory/1220-817-0x0000000000000000-mapping.dmp

Download
memory/1248-848-0x0000000000000000-mapping.dmp

Download
memory/1440-852-0x0000000000000000-mapping.dmp

Download
memory/1628-838-0x0000000000000000-mapping.dmp

Download
memory/1756-158-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-155-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-172-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-173-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-174-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-175-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-176-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-177-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-178-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-179-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-117-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-118-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-119-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-170-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-169-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-122-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-121-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-168-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-166-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-140-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-124-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-125-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-126-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-127-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-141-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-167-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-129-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-130-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-131-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-132-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-128-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-133-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-139-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-134-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-165-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-142-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-143-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-164-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-144-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-145-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-138-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-163-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-171-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-135-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-162-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-161-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-137-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-160-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-116-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-159-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-157-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-156-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-146-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-154-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-153-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-152-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-151-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-150-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-149-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-148-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-147-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1756-136-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/1952-290-0x0000000000000000-mapping.dmp

Download
memory/2184-819-0x0000000000000000-mapping.dmp

Download
memory/2204-850-0x0000000000000000-mapping.dmp

Download
memory/2208-289-0x0000000000000000-mapping.dmp

Download
memory/2300-364-0x0000025BB57C0000-0x0000025BB5836000-memory.dmp

Filesize
472KB

Download
memory/2300-288-0x0000000000000000-mapping.dmp

Download
memory/2308-830-0x0000000000000000-mapping.dmp

Download
memory/2460-292-0x0000000000000000-mapping.dmp

Download
memory/2740-297-0x0000000000000000-mapping.dmp

Download
memory/2908-293-0x0000000000000000-mapping.dmp

Download
memory/2952-832-0x0000000000000000-mapping.dmp

Download
memory/3020-811-0x0000000000000000-mapping.dmp

Download
memory/3052-295-0x0000000000000000-mapping.dmp

Download
memory/3192-828-0x0000000000000000-mapping.dmp

Download
memory/3328-853-0x0000000000000000-mapping.dmp

Download
memory/3352-256-0x0000000000000000-mapping.dmp

Download
memory/3380-808-0x0000000000000000-mapping.dmp

Download
memory/3416-840-0x0000000000000000-mapping.dmp

Download
memory/3744-833-0x0000000000000000-mapping.dmp

Download
memory/3772-825-0x0000000000000000-mapping.dmp

Download
memory/3956-181-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/3956-182-0x0000000077C40000-0x0000000077DCE000-memory.dmp

Filesize
1.6MB

Download
memory/3956-180-0x0000000000000000-mapping.dmp

Download
memory/4008-824-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/4008-822-0x0000000000000000-mapping.dmp

Download
memory/4032-847-0x0000000000000000-mapping.dmp

Download
memory/4264-282-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/4264-286-0x000000001AB80000-0x000000001AB8C000-memory.dmp

Filesize
48KB

Download
memory/4264-279-0x0000000000000000-mapping.dmp

Download
memory/4264-283-0x000000001AB60000-0x000000001AB72000-memory.dmp

Filesize
72KB

Download
memory/4264-284-0x000000001AB90000-0x000000001AB9C000-memory.dmp

Filesize
48KB

Download
memory/4264-285-0x000000001AB70000-0x000000001AB7C000-memory.dmp

Filesize
48KB

Download
memory/4304-835-0x0000000000000000-mapping.dmp

Download
memory/4336-816-0x0000000000000000-mapping.dmp

Download
memory/4352-316-0x0000000000000000-mapping.dmp

Download
memory/4444-827-0x0000000000000000-mapping.dmp

Download
memory/4484-371-0x0000000000000000-mapping.dmp

Download
memory/4508-842-0x0000000000000000-mapping.dmp

Download
memory/4624-810-0x0000000000000000-mapping.dmp

Download
memory/4704-299-0x0000000000000000-mapping.dmp

Download
memory/4732-302-0x0000000000000000-mapping.dmp

Download
memory/4752-306-0x0000000000000000-mapping.dmp

Download
memory/4764-353-0x0000000000000000-mapping.dmp

Download
memory/4848-311-0x0000000000000000-mapping.dmp

Download
memory/4848-845-0x0000000000000000-mapping.dmp

Download
memory/4868-658-0x00000000009B0000-0x00000000009C2000-memory.dmp

Filesize
72KB

Download
memory/4868-627-0x0000000000000000-mapping.dmp

Download
memory/4888-855-0x0000000000000000-mapping.dmp

Download
memory/4912-858-0x0000000000000000-mapping.dmp

Download
memory/4912-860-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/4916-857-0x0000000000000000-mapping.dmp

Download
memory/5028-821-0x0000000000000000-mapping.dmp

Download