dcrat | 2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe

Analysis

max time kernel
146s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exe
Size

1.3MB
MD5

1e29bf48faddec4eff520f39b2aaf4c1
SHA1

fc26e3ab03cf5cc911e4898915c0e46791418924
SHA256

2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe
SHA512

b78a220bb173a9f843d6c181f3a4abad2fe65fb55925afcb95368e26fca2c6d5758c947be41ab1ec70a1cdef813c7af1f58970cf9625f8044ff36dfa1d7a4f24
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	3924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	3924	schtasks.exe

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4356-139-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat
C:\odt\smss.exe	dcrat

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exesmss.exeWScript.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exesmss.exesmss.exeDllCommonsvc.exesmss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 13 IoCs

Processes:

DllCommonsvc.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
4356	DllCommonsvc.exe
540	smss.exe
5684	smss.exe
6100	smss.exe
5132	smss.exe
2788	smss.exe
3680	smss.exe
2700	smss.exe
2964	smss.exe
2960	smss.exe
5176	smss.exe
3868	smss.exe
5680	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\images\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\Registry.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3008	schtasks.exe
2456	schtasks.exe
4180	schtasks.exe
2404	schtasks.exe
4028	schtasks.exe
3636	schtasks.exe
3496	schtasks.exe
2964	schtasks.exe
4392	schtasks.exe
5088	schtasks.exe
3500	schtasks.exe
3440	schtasks.exe
3556	schtasks.exe
3708	schtasks.exe
4968	schtasks.exe
2860	schtasks.exe
4432	schtasks.exe
2768	schtasks.exe
1184	schtasks.exe
3888	schtasks.exe
2408	schtasks.exe
4636	schtasks.exe
2376	schtasks.exe
3712	schtasks.exe
3860	schtasks.exe
4496	schtasks.exe
3120	schtasks.exe
2712	schtasks.exe
3644	schtasks.exe
3412	schtasks.exe
4716	schtasks.exe
1028	schtasks.exe
3548	schtasks.exe
1532	schtasks.exe
3112	schtasks.exe
2200	schtasks.exe
1168	schtasks.exe
3520	schtasks.exe
4464	schtasks.exe
2284	schtasks.exe
808	schtasks.exe
4540	schtasks.exe

Modifies registry class 12 IoCs

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
4356	DllCommonsvc.exe
4356	DllCommonsvc.exe
4356	DllCommonsvc.exe
1488	powershell.exe
1488	powershell.exe
4484	powershell.exe
4484	powershell.exe
4284	powershell.exe
4284	powershell.exe
4532	powershell.exe
4532	powershell.exe
1480	powershell.exe
1480	powershell.exe
2244	powershell.exe
3948	powershell.exe
2244	powershell.exe
3948	powershell.exe
1500	powershell.exe
1500	powershell.exe
4544	powershell.exe
4544	powershell.exe
2004	powershell.exe
2004	powershell.exe
5068	powershell.exe
5068	powershell.exe
4020	powershell.exe
4020	powershell.exe
3868	powershell.exe
3868	powershell.exe
4100	powershell.exe
4100	powershell.exe
1688	powershell.exe
1688	powershell.exe
540	smss.exe
540	smss.exe
1488	powershell.exe
1488	powershell.exe
4484	powershell.exe
4484	powershell.exe
4284	powershell.exe
4284	powershell.exe
4532	powershell.exe
1480	powershell.exe
3948	powershell.exe
2244	powershell.exe
2004	powershell.exe
1500	powershell.exe
4544	powershell.exe
5068	powershell.exe
4020	powershell.exe
3868	powershell.exe
4100	powershell.exe
1688	powershell.exe
5684	smss.exe
6100	smss.exe
5132	smss.exe
2788	smss.exe
3680	smss.exe
2700	smss.exe
2964	smss.exe
2960	smss.exe
5176	smss.exe
3868	smss.exe
5680	smss.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4356	DllCommonsvc.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	540	smss.exe
Token: SeDebugPrivilege	5684	smss.exe
Token: SeDebugPrivilege	6100	smss.exe
Token: SeDebugPrivilege	5132	smss.exe
Token: SeDebugPrivilege	2788	smss.exe
Token: SeDebugPrivilege	3680	smss.exe
Token: SeDebugPrivilege	2700	smss.exe
Token: SeDebugPrivilege	2964	smss.exe
Token: SeDebugPrivilege	2960	smss.exe
Token: SeDebugPrivilege	5176	smss.exe
Token: SeDebugPrivilege	3868	smss.exe
Token: SeDebugPrivilege	5680	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exeWScript.execmd.exeDllCommonsvc.exesmss.execmd.exesmss.execmd.exesmss.execmd.exesmss.execmd.exe

description	pid	process	target process
PID 3736 wrote to memory of 1536	3736	2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exe	WScript.exe
PID 3736 wrote to memory of 1536	3736	2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exe	WScript.exe
PID 3736 wrote to memory of 1536	3736	2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exe	WScript.exe
PID 1536 wrote to memory of 4268	1536	WScript.exe	cmd.exe
PID 1536 wrote to memory of 4268	1536	WScript.exe	cmd.exe
PID 1536 wrote to memory of 4268	1536	WScript.exe	cmd.exe
PID 4268 wrote to memory of 4356	4268	cmd.exe	DllCommonsvc.exe
PID 4268 wrote to memory of 4356	4268	cmd.exe	DllCommonsvc.exe
PID 4356 wrote to memory of 1488	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 1488	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4484	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4484	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4284	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4284	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4532	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4532	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 1480	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 1480	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 3948	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 3948	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 2244	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 2244	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 2004	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 2004	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4544	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4544	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 1500	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 1500	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 5068	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 5068	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 3868	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 3868	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4020	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4020	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4100	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 4100	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 1688	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 1688	4356	DllCommonsvc.exe	powershell.exe
PID 4356 wrote to memory of 540	4356	DllCommonsvc.exe	smss.exe
PID 4356 wrote to memory of 540	4356	DllCommonsvc.exe	smss.exe
PID 540 wrote to memory of 5316	540	smss.exe	cmd.exe
PID 540 wrote to memory of 5316	540	smss.exe	cmd.exe
PID 5316 wrote to memory of 5412	5316	cmd.exe	w32tm.exe
PID 5316 wrote to memory of 5412	5316	cmd.exe	w32tm.exe
PID 5316 wrote to memory of 5684	5316	cmd.exe	smss.exe
PID 5316 wrote to memory of 5684	5316	cmd.exe	smss.exe
PID 5684 wrote to memory of 5960	5684	smss.exe	cmd.exe
PID 5684 wrote to memory of 5960	5684	smss.exe	cmd.exe
PID 5960 wrote to memory of 6024	5960	cmd.exe	w32tm.exe
PID 5960 wrote to memory of 6024	5960	cmd.exe	w32tm.exe
PID 5960 wrote to memory of 6100	5960	cmd.exe	smss.exe
PID 5960 wrote to memory of 6100	5960	cmd.exe	smss.exe
PID 6100 wrote to memory of 5088	6100	smss.exe	cmd.exe
PID 6100 wrote to memory of 5088	6100	smss.exe	cmd.exe
PID 5088 wrote to memory of 3136	5088	cmd.exe	w32tm.exe
PID 5088 wrote to memory of 3136	5088	cmd.exe	w32tm.exe
PID 5088 wrote to memory of 5132	5088	cmd.exe	smss.exe
PID 5088 wrote to memory of 5132	5088	cmd.exe	smss.exe
PID 5132 wrote to memory of 4080	5132	smss.exe	cmd.exe
PID 5132 wrote to memory of 4080	5132	smss.exe	cmd.exe
PID 4080 wrote to memory of 1904	4080	cmd.exe	w32tm.exe
PID 4080 wrote to memory of 1904	4080	cmd.exe	w32tm.exe
PID 4080 wrote to memory of 2788	4080	cmd.exe	smss.exe
PID 4080 wrote to memory of 2788	4080	cmd.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exe
"C:\Users\Admin\AppData\Local\Temp\2dd73d79ea8f12c2680ee61fad8e227bbe132377617615a3cb34a9134fe015fe.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\Registry.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\odt\smss.exe
"C:\odt\smss.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:5316

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:5412

C:\odt\smss.exe
"C:\odt\smss.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:5960

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:6024

C:\odt\smss.exe
"C:\odt\smss.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:3136

C:\odt\smss.exe
"C:\odt\smss.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:1904

C:\odt\smss.exe
"C:\odt\smss.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
14⤵
PID:5288

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:224

C:\odt\smss.exe
"C:\odt\smss.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
16⤵
PID:2272

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:5516

C:\odt\smss.exe
"C:\odt\smss.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
18⤵
PID:4908

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:2120

C:\odt\smss.exe
"C:\odt\smss.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
20⤵
PID:5192

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:2976

C:\odt\smss.exe
"C:\odt\smss.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
22⤵
PID:1396

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:4092

C:\odt\smss.exe
"C:\odt\smss.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
24⤵
PID:4268

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:4556

C:\odt\smss.exe
"C:\odt\smss.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
26⤵
PID:4752

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:5620

C:\odt\smss.exe
"C:\odt\smss.exe"
27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Temp\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Temp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat
Filesize
180B

MD5
1399ebea3b64637b6151b392e01779dc

SHA1
3995c3d8c07b7188ddaf9f04ac27db5b4ddaa89f

SHA256
9e14eb953b20d8fc47b9c1f0b726332a888e85ca435de8d901f1afcd36d3182c

SHA512
a953262acb23c7a17cb7512c0f0f8085324e0d33dcddcabb9f5e04c5a3a8e96de1a59431689fac43930e63a6b609078cbd2299c5c0443b52539e14ccb11a76d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat
Filesize
180B

MD5
9d078ef6432c5c61f76d1483e7b7f6c0

SHA1
719bc08c2855ec412ad7c1397ef4a1d09046b5e7

SHA256
cb661099f629242d44c2185c52717dcea67b968ec416fb143c0bb935d049cb1c

SHA512
8f67029ad2da0e5b8ac79701cce99e15d4c5e23c4f2b7d9f2e8001552a1632d73971f908e2ff131e10a223fbec349ae5d7dfe3c3114b487dd3f70a3929cc5537

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat
Filesize
180B

MD5
868f2831acd61ea3d4e6cec5be0b4cd3

SHA1
500655927004839b9caa3ac5c540a324465480b1

SHA256
57556d24ef176bf778972576f4be57c8b2a15885f60baf701ad7855e456d43d3

SHA512
fd03067a4c2a8d4cfebb0bab9c9d6550117af933a6771c86c36d776abfe0bf9d3158b85452542e2aa5fe994fb873aa30ba63f8d5399e9c1a3fcd6db69af64829

Download Submit
C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat
Filesize
180B

MD5
08f553887d1d7405bb0aae6922fec88a

SHA1
34465144ad4db4c94910eb9c2894bc4fc92208be

SHA256
cdae17b107846cee0e7eb5f02ce4758ece12eb70c94c0528fe0919afa32ed925

SHA512
bc5b03fc34ef8f2b7f84a122d5caf0d65d56db5fdfaed81dbc20d56fc9dceef9c0ce765fa71f352b5c8fc68e4e068751569bb683bd230a0a619b4ea26d7b8f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat
Filesize
180B

MD5
f5b7e17fb5a52e41982efb62ed1d72b4

SHA1
e1db6b3f41ecea9e0107a9e3ed89f18e1524d420

SHA256
4d353e286b97f0345256e72c2330d6505267c9c0515c1522ab46c27ef22febbb

SHA512
622561669be2d9233a0a022687b7050f3bd2a986a20c152115ae5ceaacb1d5b14b53051c689d54fb5df8e1474aa5d1757c257f9c9b3b15f70ef8414e499f171e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat
Filesize
180B

MD5
02bf1aac7dc0c23fb8d73ef41a171f92

SHA1
676e002e3f37947a7beff872d83b9e16c26bb497

SHA256
a0859fc55263896d5b5378d3da5048d584b28bb7b94b7621f1ad291600809d54

SHA512
97d7ea477b1e4847c490973c027ef50d0a952e0c4418fdd5a1065915178c3d272ae40660614e5a2f3053c3174614ca905b3432ef2134ec754b749271cc9d0fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat
Filesize
180B

MD5
fce258395d2972ff33f9afb54bbe7577

SHA1
9fa61cbf7eda9304d71fa76a49a4ba9341a27494

SHA256
a90ab113eca7d83c5377232a5eee2d6d8fb613e86cf2e17f97bdab5966bf7623

SHA512
680ca04626da307c676b4068b607c012bf32e7d135a929fcaa9b83f2e86a1522a920abc7d68291eef3362ef9b19ccdf4d76becd700b2e52c195ee9541cdf3628

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat
Filesize
180B

MD5
4bd9ecc972a65a2e62c8bcc9c50fe9b7

SHA1
b7d1005f9c739d9ff2aa3dcec535e4c13b4f6172

SHA256
0e4de7659ebd2f3ededf403381a6ecb57ae7c9cde1030f903c985877528a83c0

SHA512
92cfed978d60c631070dc06a0bcc10e7d86483d1d2a726b996b3a4af13ea0ae3814d64d5d137f8c8c0cc350f9196262117eeeb463beaaa548e9ba0007fdd394e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat
Filesize
180B

MD5
54fd52f9d88a51d70754614f7fd88cc1

SHA1
67f9e172c53e91ed19f2550de00653b1a95b11e8

SHA256
85a2268a5bf38d71bc8d09301c17b95714a649ed1973dc74ee55fb2965430f0a

SHA512
411a9a4a77168a034ba73117b04e76731f4aa72af22878fa5ad8338da1daefd06964e933ca03ffcb19a1fee142645b3dd97232bbbc0587c693bf79550c489adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat
Filesize
180B

MD5
12373d107c2235b5c03720e58f961b59

SHA1
a3192241f46dde212cace2fbef48045fe10da31c

SHA256
bc092cd715a68d980a8acf03fc720682334598b58090222716ff5d233c98f0aa

SHA512
7ed512aa32831d1378957f8ffe1f1f4e6f8e118e7cfa766649c1dad2da13d731e3b7814a767a301cee13523d149797634c26fc2d78d3b8aa9a091a77a1cd96b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat
Filesize
180B

MD5
152e26ab93dc142a29e26e78ce491d33

SHA1
4b687a013fa560fcf72134534dfb2b3841d7a62e

SHA256
bed2cb13b559fd3615b669946a20fc3e0761e2f53a459c5b42ac12613f406a5e

SHA512
936d6524d05dd75d55bea58fc960f4814aa77dacb81194bf38309c49ca116828b557af251acbdb098581f38ffcc9a1f5e537514ddb8463942b51e767bfe3a5fc

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/224-238-0x0000000000000000-mapping.dmp

Download
memory/540-176-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/540-161-0x0000000000000000-mapping.dmp

Download
memory/540-178-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/1396-264-0x0000000000000000-mapping.dmp

Download
memory/1480-159-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/1480-145-0x0000000000000000-mapping.dmp

Download
memory/1480-191-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/1488-160-0x00000217DDF40000-0x00000217DDF62000-memory.dmp

Filesize
136KB

Download
memory/1488-184-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/1488-153-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/1488-141-0x0000000000000000-mapping.dmp

Download
memory/1500-167-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/1500-150-0x0000000000000000-mapping.dmp

Download
memory/1500-199-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/1536-132-0x0000000000000000-mapping.dmp

Download
memory/1688-206-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/1688-156-0x0000000000000000-mapping.dmp

Download
memory/1688-170-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/1904-232-0x0000000000000000-mapping.dmp

Download
memory/2004-148-0x0000000000000000-mapping.dmp

Download
memory/2004-173-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/2004-204-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/2120-252-0x0000000000000000-mapping.dmp

Download
memory/2244-172-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/2244-147-0x0000000000000000-mapping.dmp

Download
memory/2244-196-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/2272-243-0x0000000000000000-mapping.dmp

Download
memory/2700-247-0x0000000000000000-mapping.dmp

Download
memory/2700-249-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/2700-253-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/2788-235-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/2788-239-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/2788-233-0x0000000000000000-mapping.dmp

Download
memory/2960-267-0x00007FF984C90000-0x00007FF985751000-memory.dmp

Filesize
10.8MB

Download
memory/2960-263-0x00007FF984C90000-0x00007FF985751000-memory.dmp

Filesize
10.8MB

Download
memory/2960-261-0x0000000000000000-mapping.dmp

Download
memory/2964-260-0x00007FF984C90000-0x00007FF985751000-memory.dmp

Filesize
10.8MB

Download
memory/2964-254-0x0000000000000000-mapping.dmp

Download
memory/2964-256-0x00007FF984C90000-0x00007FF985751000-memory.dmp

Filesize
10.8MB

Download
memory/2976-259-0x0000000000000000-mapping.dmp

Download
memory/3136-225-0x0000000000000000-mapping.dmp

Download
memory/3680-246-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/3680-240-0x0000000000000000-mapping.dmp

Download
memory/3680-242-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/3868-152-0x0000000000000000-mapping.dmp

Download
memory/3868-169-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/3868-275-0x0000000000000000-mapping.dmp

Download
memory/3868-277-0x00007FF984C90000-0x00007FF985751000-memory.dmp

Filesize
10.8MB

Download
memory/3868-210-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/3868-281-0x00007FF984C90000-0x00007FF985751000-memory.dmp

Filesize
10.8MB

Download
memory/3948-162-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/3948-146-0x0000000000000000-mapping.dmp

Download
memory/3948-193-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4020-205-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4020-168-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4020-154-0x0000000000000000-mapping.dmp

Download
memory/4080-229-0x0000000000000000-mapping.dmp

Download
memory/4092-266-0x0000000000000000-mapping.dmp

Download
memory/4100-175-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4100-209-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4100-155-0x0000000000000000-mapping.dmp

Download
memory/4268-135-0x0000000000000000-mapping.dmp

Download
memory/4268-271-0x0000000000000000-mapping.dmp

Download
memory/4284-143-0x0000000000000000-mapping.dmp

Download
memory/4284-158-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4284-186-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4356-166-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4356-136-0x0000000000000000-mapping.dmp

Download
memory/4356-139-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/4356-140-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4484-142-0x0000000000000000-mapping.dmp

Download
memory/4484-157-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4484-185-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4532-192-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4532-171-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4532-144-0x0000000000000000-mapping.dmp

Download
memory/4544-165-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4544-149-0x0000000000000000-mapping.dmp

Download
memory/4544-202-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/4556-273-0x0000000000000000-mapping.dmp

Download
memory/4752-278-0x0000000000000000-mapping.dmp

Download
memory/4908-250-0x0000000000000000-mapping.dmp

Download
memory/5068-200-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/5068-151-0x0000000000000000-mapping.dmp

Download
memory/5068-174-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/5088-222-0x0000000000000000-mapping.dmp

Download
memory/5132-230-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/5132-228-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/5132-226-0x0000000000000000-mapping.dmp

Download
memory/5176-270-0x00007FF984C90000-0x00007FF985751000-memory.dmp

Filesize
10.8MB

Download
memory/5176-274-0x00007FF984C90000-0x00007FF985751000-memory.dmp

Filesize
10.8MB

Download
memory/5176-268-0x0000000000000000-mapping.dmp

Download
memory/5192-257-0x0000000000000000-mapping.dmp

Download
memory/5288-236-0x0000000000000000-mapping.dmp

Download
memory/5316-177-0x0000000000000000-mapping.dmp

Download
memory/5412-180-0x0000000000000000-mapping.dmp

Download
memory/5516-245-0x0000000000000000-mapping.dmp

Download
memory/5620-280-0x0000000000000000-mapping.dmp

Download
memory/5680-284-0x00007FF985370000-0x00007FF985E31000-memory.dmp

Filesize
10.8MB

Download
memory/5680-282-0x0000000000000000-mapping.dmp

Download
memory/5684-214-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/5684-218-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/5684-211-0x0000000000000000-mapping.dmp

Download
memory/5960-215-0x0000000000000000-mapping.dmp

Download
memory/6024-217-0x0000000000000000-mapping.dmp

Download
memory/6100-223-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/6100-221-0x00007FF984770000-0x00007FF985231000-memory.dmp

Filesize
10.8MB

Download
memory/6100-219-0x0000000000000000-mapping.dmp

Download