dcrat | 911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a

Analysis

max time kernel
146s
max time network
144s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
03-02-2023 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a.exe
Size

1.3MB
MD5

41ca82152298906aa3012dc60d7d76aa
SHA1

0949342c7ff25f7a3ac2b19bbded00b580ed83cb
SHA256

911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a
SHA512

7cd3c8358eabc1efadd135d4624a3bb027df7410ce2658a92c7bba0f0dd859bb38b96ac37d236fc970e0d57eb963e34fbe951a16ecf71b7f283f0a6877a7c733
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	5088	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	5088	schtasks.exe

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4248-286-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat
C:\odt\services.exe	dcrat

Executes dropped EXE 14 IoCs

Processes:

DllCommonsvc.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	process
4248	DllCommonsvc.exe
4064	services.exe
5416	services.exe
5604	services.exe
5784	services.exe
5964	services.exe
6140	services.exe
4256	services.exe
4736	services.exe
1460	services.exe
4528	services.exe
196	services.exe
1564	services.exe
3756	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dab4d89cac03ec	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\services.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1188	schtasks.exe
3160	schtasks.exe
1756	schtasks.exe
1620	schtasks.exe
1172	schtasks.exe
3324	schtasks.exe
3336	schtasks.exe
4724	schtasks.exe
4716	schtasks.exe
4016	schtasks.exe
4904	schtasks.exe
4848	schtasks.exe
4828	schtasks.exe
1700	schtasks.exe
900	schtasks.exe
4712	schtasks.exe
4688	schtasks.exe
380	schtasks.exe
652	schtasks.exe
3352	schtasks.exe
4252	schtasks.exe
3084	schtasks.exe
2820	schtasks.exe
4796	schtasks.exe
1476	schtasks.exe
3208	schtasks.exe
3348	schtasks.exe
204	schtasks.exe
4212	schtasks.exe
3204	schtasks.exe
1048	schtasks.exe
504	schtasks.exe
1080	schtasks.exe
1588	schtasks.exe
4896	schtasks.exe
2280	schtasks.exe
4204	schtasks.exe
3068	schtasks.exe
4884	schtasks.exe
1260	schtasks.exe
1464	schtasks.exe
2172	schtasks.exe

Modifies registry class 14 IoCs

Processes:

services.exeservices.exeservices.exeservices.exe911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a.exeservices.exeservices.exeservices.exeservices.exeDllCommonsvc.exeservices.exeservices.exeservices.exeservices.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	services.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
4248	DllCommonsvc.exe
2212	powershell.exe
2212	powershell.exe
2212	powershell.exe
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
2212	powershell.exe
2268	powershell.exe
1460	powershell.exe
1460	powershell.exe
2880	powershell.exe
2880	powershell.exe
1460	powershell.exe
1444	powershell.exe
1444	powershell.exe
3904	powershell.exe
2660	powershell.exe
2660	powershell.exe
2396	powershell.exe
2396	powershell.exe
1020	powershell.exe
1020	powershell.exe
4952	powershell.exe
4952	powershell.exe
4984	powershell.exe
4984	powershell.exe
1460	powershell.exe
3716	powershell.exe
3716	powershell.exe
4424	powershell.exe
4424	powershell.exe
1284	powershell.exe
1284	powershell.exe
3624	powershell.exe
3624	powershell.exe
1444	powershell.exe
2396	powershell.exe
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4248	DllCommonsvc.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeSystemEnvironmentPrivilege	2212	powershell.exe
Token: SeRemoteShutdownPrivilege	2212	powershell.exe
Token: SeUndockPrivilege	2212	powershell.exe
Token: SeManageVolumePrivilege	2212	powershell.exe
Token: 33	2212	powershell.exe
Token: 34	2212	powershell.exe
Token: 35	2212	powershell.exe
Token: 36	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2268	powershell.exe
Token: SeSecurityPrivilege	2268	powershell.exe
Token: SeTakeOwnershipPrivilege	2268	powershell.exe
Token: SeLoadDriverPrivilege	2268	powershell.exe
Token: SeSystemProfilePrivilege	2268	powershell.exe
Token: SeSystemtimePrivilege	2268	powershell.exe
Token: SeProfSingleProcessPrivilege	2268	powershell.exe
Token: SeIncBasePriorityPrivilege	2268	powershell.exe
Token: SeCreatePagefilePrivilege	2268	powershell.exe
Token: SeBackupPrivilege	2268	powershell.exe
Token: SeRestorePrivilege	2268	powershell.exe
Token: SeShutdownPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeSystemEnvironmentPrivilege	2268	powershell.exe
Token: SeRemoteShutdownPrivilege	2268	powershell.exe
Token: SeUndockPrivilege	2268	powershell.exe
Token: SeManageVolumePrivilege	2268	powershell.exe
Token: 33	2268	powershell.exe
Token: 34	2268	powershell.exe
Token: 35	2268	powershell.exe
Token: 36	2268	powershell.exe
Token: SeIncreaseQuotaPrivilege	3904	powershell.exe
Token: SeSecurityPrivilege	3904	powershell.exe
Token: SeTakeOwnershipPrivilege	3904	powershell.exe
Token: SeLoadDriverPrivilege	3904	powershell.exe
Token: SeSystemProfilePrivilege	3904	powershell.exe
Token: SeSystemtimePrivilege	3904	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a.exeWScript.execmd.exeDllCommonsvc.execmd.exeservices.execmd.exeservices.execmd.exeservices.execmd.exeservices.exe

description	pid	process	target process
PID 2916 wrote to memory of 3388	2916	911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a.exe	WScript.exe
PID 2916 wrote to memory of 3388	2916	911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a.exe	WScript.exe
PID 2916 wrote to memory of 3388	2916	911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a.exe	WScript.exe
PID 3388 wrote to memory of 4596	3388	WScript.exe	cmd.exe
PID 3388 wrote to memory of 4596	3388	WScript.exe	cmd.exe
PID 3388 wrote to memory of 4596	3388	WScript.exe	cmd.exe
PID 4596 wrote to memory of 4248	4596	cmd.exe	DllCommonsvc.exe
PID 4596 wrote to memory of 4248	4596	cmd.exe	DllCommonsvc.exe
PID 4248 wrote to memory of 2268	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 2268	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 2212	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 2212	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 3904	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 3904	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 1460	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 1460	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 1444	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 1444	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 2880	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 2880	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 2660	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 2660	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 2396	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 2396	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 1020	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 1020	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 4952	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 4952	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 4984	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 4984	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 3716	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 3716	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 3624	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 3624	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 4424	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 4424	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 1284	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 1284	4248	DllCommonsvc.exe	powershell.exe
PID 4248 wrote to memory of 4228	4248	DllCommonsvc.exe	cmd.exe
PID 4248 wrote to memory of 4228	4248	DllCommonsvc.exe	cmd.exe
PID 4228 wrote to memory of 1272	4228	cmd.exe	w32tm.exe
PID 4228 wrote to memory of 1272	4228	cmd.exe	w32tm.exe
PID 4228 wrote to memory of 4064	4228	cmd.exe	services.exe
PID 4228 wrote to memory of 4064	4228	cmd.exe	services.exe
PID 4064 wrote to memory of 5184	4064	services.exe	cmd.exe
PID 4064 wrote to memory of 5184	4064	services.exe	cmd.exe
PID 5184 wrote to memory of 5240	5184	cmd.exe	w32tm.exe
PID 5184 wrote to memory of 5240	5184	cmd.exe	w32tm.exe
PID 5184 wrote to memory of 5416	5184	cmd.exe	services.exe
PID 5184 wrote to memory of 5416	5184	cmd.exe	services.exe
PID 5416 wrote to memory of 5528	5416	services.exe	cmd.exe
PID 5416 wrote to memory of 5528	5416	services.exe	cmd.exe
PID 5528 wrote to memory of 5584	5528	cmd.exe	w32tm.exe
PID 5528 wrote to memory of 5584	5528	cmd.exe	w32tm.exe
PID 5528 wrote to memory of 5604	5528	cmd.exe	services.exe
PID 5528 wrote to memory of 5604	5528	cmd.exe	services.exe
PID 5604 wrote to memory of 5704	5604	services.exe	cmd.exe
PID 5604 wrote to memory of 5704	5604	services.exe	cmd.exe
PID 5704 wrote to memory of 5760	5704	cmd.exe	w32tm.exe
PID 5704 wrote to memory of 5760	5704	cmd.exe	w32tm.exe
PID 5704 wrote to memory of 5784	5704	cmd.exe	services.exe
PID 5704 wrote to memory of 5784	5704	cmd.exe	services.exe
PID 5784 wrote to memory of 5888	5784	services.exe	cmd.exe
PID 5784 wrote to memory of 5888	5784	services.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a.exe
"C:\Users\Admin\AppData\Local\Temp\911070e32e23fffa7454f9ede0a7ac8bab328947e925e1319ed0c0a761c01f6a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\Source Engine\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\DataStore\Logs\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tNEyebdJS9.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1272
      - C:\odt\services.exe
        
        "C:\odt\services.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5240
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5584
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5760
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
        13⤵
        
        PID:5888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:5944
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        15⤵
        
        PID:6064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:6120
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
        17⤵
        
        PID:5204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3892
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        19⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4668
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
        21⤵
        
        PID:5276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:912
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        23⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4268
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
        25⤵
        
        PID:5320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4304
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        27⤵
        
        PID:4996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:5140
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
        29⤵
        
        PID:5376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1296
        
        C:\odt\services.exe
        
        "C:\odt\services.exe"
        30⤵
        Executes dropped EXE
        
        PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\odt\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b9365ac6e2678fc11ffc230c4e2f2f6

SHA1
1f9ed8a42f8804f6524eb1abe383451aa33aa71f

SHA256
072a8303d5a991e30c8735ab118910383bff15621ffaf195ad48550008a988b6

SHA512
d21481c5420f50f835963748417cf39508b85fdc094687d6a53bd50619935e3c4910284b66a6b07b0edf20d70042a9b0ce358fa615d0c9c6defe32c16ca1a083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b9365ac6e2678fc11ffc230c4e2f2f6

SHA1
1f9ed8a42f8804f6524eb1abe383451aa33aa71f

SHA256
072a8303d5a991e30c8735ab118910383bff15621ffaf195ad48550008a988b6

SHA512
d21481c5420f50f835963748417cf39508b85fdc094687d6a53bd50619935e3c4910284b66a6b07b0edf20d70042a9b0ce358fa615d0c9c6defe32c16ca1a083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b9365ac6e2678fc11ffc230c4e2f2f6

SHA1
1f9ed8a42f8804f6524eb1abe383451aa33aa71f

SHA256
072a8303d5a991e30c8735ab118910383bff15621ffaf195ad48550008a988b6

SHA512
d21481c5420f50f835963748417cf39508b85fdc094687d6a53bd50619935e3c4910284b66a6b07b0edf20d70042a9b0ce358fa615d0c9c6defe32c16ca1a083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b5b34c1ee6a21e00fc23271807bfe95

SHA1
cc745985f0898af62a674ce71fe359db2f192ab8

SHA256
673c3bfd2af4c26177d0098baae502827c0abdeb7b8ae7e45b0d467561d27bfc

SHA512
053a3408511e6b6b2e761c1afb7af7002caa3efef02fde958dbf194840f4363582b3a0191f85c590d5e47f2bcecf2b8a0ef63237cb225a5df3701b2023fad29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b5b34c1ee6a21e00fc23271807bfe95

SHA1
cc745985f0898af62a674ce71fe359db2f192ab8

SHA256
673c3bfd2af4c26177d0098baae502827c0abdeb7b8ae7e45b0d467561d27bfc

SHA512
053a3408511e6b6b2e761c1afb7af7002caa3efef02fde958dbf194840f4363582b3a0191f85c590d5e47f2bcecf2b8a0ef63237cb225a5df3701b2023fad29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7dad1ff2d0c8fa5d8cc2f8c9581fe10e

SHA1
cdcb9a4318640fb27dad590430c38d2fe845a82a

SHA256
c027a9c57325ac19ac36b107a16d22f43c1ca100a624f9b31858271ea0b26728

SHA512
8e75db72eeb13388fcbb3772a640fb25ce12961ef50d7ef5c014cb7fbd0add71e74ddc5a04b82f0b1054625825749f05270f4d9b900f8b2076a8095f15120554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b5b34c1ee6a21e00fc23271807bfe95

SHA1
cc745985f0898af62a674ce71fe359db2f192ab8

SHA256
673c3bfd2af4c26177d0098baae502827c0abdeb7b8ae7e45b0d467561d27bfc

SHA512
053a3408511e6b6b2e761c1afb7af7002caa3efef02fde958dbf194840f4363582b3a0191f85c590d5e47f2bcecf2b8a0ef63237cb225a5df3701b2023fad29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7dad1ff2d0c8fa5d8cc2f8c9581fe10e

SHA1
cdcb9a4318640fb27dad590430c38d2fe845a82a

SHA256
c027a9c57325ac19ac36b107a16d22f43c1ca100a624f9b31858271ea0b26728

SHA512
8e75db72eeb13388fcbb3772a640fb25ce12961ef50d7ef5c014cb7fbd0add71e74ddc5a04b82f0b1054625825749f05270f4d9b900f8b2076a8095f15120554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3003b692276a462246bd778c3b774f04

SHA1
736cff1463ee6c791c5d378d865324347f3af631

SHA256
b620fa994e4b9dc827d6a7a5559d7e74a509114f063c00d44afcf89c56a13e19

SHA512
299bb720debefe3b6633e8b3b51e4b9fe3b370644aba80d108a0d3903232742129dc77ed5c409f9c5ff687770e4d9728f240b3a873549f838d186fc984ae1baf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71241cb63397769f300f6a8045d6b04f

SHA1
e1854560548ddcd6e96ed919a7077a89b632ad6b

SHA256
4e2a352652262bbe86e17a8edf16e0b903fdd67f3ea4043156b25c45aa434c1d

SHA512
b8322cc252114dbfedb31c1af36566cd91b5c76fa62a65ca68f65aea1ab585629fb68d3381a8120824d6fca2eb56771478e8d7c15bb8e88b0cc54a4a089631b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71241cb63397769f300f6a8045d6b04f

SHA1
e1854560548ddcd6e96ed919a7077a89b632ad6b

SHA256
4e2a352652262bbe86e17a8edf16e0b903fdd67f3ea4043156b25c45aa434c1d

SHA512
b8322cc252114dbfedb31c1af36566cd91b5c76fa62a65ca68f65aea1ab585629fb68d3381a8120824d6fca2eb56771478e8d7c15bb8e88b0cc54a4a089631b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be4748260f3fac496b472befd1ccc693

SHA1
bc3756ac966f26eec0e7d20b80bf79c4f672297a

SHA256
19f997a05731000fdc80068bb6429e2b420768299f1f21b6d390e3d1fed57e11

SHA512
7a2a8de59110e116cd5ef163f2e77220537cf48d346e8cc84363e8e0a24996e6cab9ed22d0ac8cdc7167c43ac533ddf488983f175cc6bc896da5d5241dc06f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be4748260f3fac496b472befd1ccc693

SHA1
bc3756ac966f26eec0e7d20b80bf79c4f672297a

SHA256
19f997a05731000fdc80068bb6429e2b420768299f1f21b6d390e3d1fed57e11

SHA512
7a2a8de59110e116cd5ef163f2e77220537cf48d346e8cc84363e8e0a24996e6cab9ed22d0ac8cdc7167c43ac533ddf488983f175cc6bc896da5d5241dc06f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ebc4c8342d5ddbeaf016de10114ce3da

SHA1
6e437c863335f95383973bf2f88f15c31ecd7dff

SHA256
edcbbe0849cd7450d0797b183f80e7dd7c02b0258d34fbba15fe454454083c7b

SHA512
eb20dc557ba4cbacf604371246a4efa7762d0a6f6962bf3e4bdb145001b45ea9d85e31683f8dc4d70bfdadf85992172ffe10dff5e7f3b861d9ab0753fb9b1a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

Filesize
184B

MD5
f397d9c5ae5827ce672896da2a31677e

SHA1
179691b0fdb80b52a8b6b7d6c9f1da87e4933feb

SHA256
3854045ad8e6a7daa225da156046a66fee0ee07b4f06add3960e6cb78363148b

SHA512
3c790463b1946f93e9ed00777393e1a3b83d66ec3d9a432addb259314c48398fd7bcc658eb6692bf887b7d21a34da517a250190a3b2fb17d8b041e6c3462ad9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

Filesize
184B

MD5
0abb6a19738545909cc1bbc695790ee9

SHA1
b5fc00219928cd55d4116ba4f94a795e88da5ff3

SHA256
dc09ac8c7b79d5975eda34b7c4b99e7add3780317dfefb6dafe3382d2ebc545d

SHA512
0da588c62244fc745d809fe86914554e165e59aac99fc3ab840dbb7ef107502e099835e6245b3fb50b0aabd9a4bdcdca5781f6c575f4d984218719871d9cc98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

Filesize
184B

MD5
b9a1aa4e4f00aaadb75b8dee75468ee6

SHA1
feb170fb9be6bda7c2f4bc98605d46ba7e4606d1

SHA256
20fff52a8345adc1e3acf7967046b8c9f18afaaa1a56d7f1275aaaa1e7088567

SHA512
2b3a112ba9202429306df23b96e1bfb6e99f92114f5a68fbad7fa96fcff5b116bbd87dc0de717774381a240f1791b4c3c2ec45d7e0ace8d75566e13febd6fde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
184B

MD5
f4586c8522c94c5ca8a02550d4018d64

SHA1
46b158a47dd9b2d998cede89b0b90c178224f049

SHA256
138b1ed653238209462f236cbe31ffb8f09715e38eff58fea0c6e0df53aaaf10

SHA512
99919709dc9710776215c4d64f1e3ca948f1c623ac650d5855cd69a36df3ed179963e2ee9b9de6294498334feea263b6b45b5389482c985e5d9dabcf688701ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
184B

MD5
31c12806dbda8d8e7c3b153d2bdaaf9d

SHA1
5103cc8264aaf5e6e5a03504d30c085b7fccb87f

SHA256
7c891412f394eac45549195b5876ef92b056b1f3c791a76ceb632cb3821de7f6

SHA512
e2507160c6597488f78e343c22e5b1b24e5e99ed396a35ac382591721ae5aefc1a0ab5c35542999926c6e1fc201bf1f0aa9a34ec1210d7d43d4e5ef6364ef708

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
184B

MD5
11bae346f7b9dbd7300b79aaa8ce2821

SHA1
35459804aea9e1d6e1463f448c887d6d20250b7f

SHA256
88a77cb16ce69e6f476cf137b4dd4b6c25ff2a6c95721427e0a4007144013d61

SHA512
3ab3e1cbd2754f5ca94596c97cba237fcc3007c783b0c46896539db6feb4707f2b4966ba1b71f5eae0be499ec87fb37a1b4437ed0665bea3d2283fb4ea524e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
184B

MD5
11bae346f7b9dbd7300b79aaa8ce2821

SHA1
35459804aea9e1d6e1463f448c887d6d20250b7f

SHA256
88a77cb16ce69e6f476cf137b4dd4b6c25ff2a6c95721427e0a4007144013d61

SHA512
3ab3e1cbd2754f5ca94596c97cba237fcc3007c783b0c46896539db6feb4707f2b4966ba1b71f5eae0be499ec87fb37a1b4437ed0665bea3d2283fb4ea524e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat

Filesize
184B

MD5
8ceace546595334534df94306c68db0f

SHA1
0ab256f7084721dde1ea2e6ccebce79d3ad0b427

SHA256
9e78468fb303759dcea3b452d4fde6bbf6221e94cb5050c37a13526b32aff66b

SHA512
98a086c76daaf1e10db027ebe38eea852bca3e8097c45fce07b744cb81cf3d7dd9dd43bf03dea1a7c992da9561299f33a29fa1c8cc2ce0f4d86badaf653af992

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat

Filesize
184B

MD5
41feb686876308b49eca18077e591913

SHA1
06526478ee1df75d2cbb49c4df269e540a9bfd5f

SHA256
d6154c47f3f2b4b57d1c38ad9a597001cf4757c888b7c16135f89715215697e3

SHA512
fbc7b144569c52216ffa5a3a911e7366fba99ccd1b93481c0721c99e771900c2835824f844643c632caf5efae3ead3fd1f739ea77c64f5e2975bb303b8f6fdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

Filesize
184B

MD5
d54e5682b79831ac976410c86bbbd30f

SHA1
1c77d33cf7ebb47bae40f499c607b9a9eb6742d6

SHA256
edb8a4b331c007fafb19735a84ec40505a01847d0f6025cfc9d72e291fe07c26

SHA512
46efabdaa9b5dd77dd9c63cbb456aadf10f0cf6f33d9bdbf7d78b56b9ebf78e96518725b8eee867430bcb39f4153c3360267bd604965a86e69f65ca9d50efd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

Filesize
184B

MD5
034f30cd5d4c65f5e23dcb59454c4dfa

SHA1
509e9ea1f96136d8729b9cff157bb0502ee7ce25

SHA256
ad9bfb7f550914a844ff58fe1d131d57018c69dcd24141e6c0c761fdd152f207

SHA512
1b72e5fb70a7c021aa3a768e6171b72283ebc3bcddf6ad22b2be2cc699ddce87fdcb96aaea05b176272ea748511b6705368c40e65b3a6679f849f63547e504df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tNEyebdJS9.bat

Filesize
184B

MD5
e66a71c42f0926fdcc8ef0268d3efcf9

SHA1
e4b223331cef691960ac66d782168d01a26025ab

SHA256
cc26fcfea5b49f5ddaa13e4302cc3b2ee7c29ed66ce57f977e179561ec2a3602

SHA512
cce3c70ad728e5362f1b15c15ef5ea27dfd7ec80b2f7ff6cf2ef4b5062eb09ae167210d2b093a5fdbfcc42c853accf78030d0096cd7691d64b9ab84c51aa0ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat

Filesize
184B

MD5
ed6b90bb17250283c59176e268cae8ca

SHA1
0772a0b8bc7dfd4b94fd83ee3739cb978b0ed601

SHA256
5251585af0e4d6eb3be14064746b9b00d6a7fdc422e340d92a6cd0afaae06674

SHA512
0140ab225095813e548455fa3e7a906d21d5b85908d155ffa2cd07f578e73ba83d1c8eb50cc814a6d8c9d480263a43a351b4ac600bd3063a7f6f5c19176f8890

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\services.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/196-880-0x0000000000000000-mapping.dmp

Download
memory/196-882-0x00000000011E0000-0x00000000011F2000-memory.dmp

Filesize
72KB

Download
memory/912-868-0x0000000000000000-mapping.dmp

Download
memory/1020-300-0x0000000000000000-mapping.dmp

Download
memory/1272-376-0x0000000000000000-mapping.dmp

Download
memory/1284-321-0x0000000000000000-mapping.dmp

Download
memory/1296-891-0x0000000000000000-mapping.dmp

Download
memory/1444-295-0x0000000000000000-mapping.dmp

Download
memory/1460-869-0x0000000000000000-mapping.dmp

Download
memory/1460-294-0x0000000000000000-mapping.dmp

Download
memory/1564-888-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/1564-886-0x0000000000000000-mapping.dmp

Download
memory/2136-860-0x0000000000000000-mapping.dmp

Download
memory/2212-366-0x000001AEB0D10000-0x000001AEB0D32000-memory.dmp

Filesize
136KB

Download
memory/2212-371-0x000001AEC93F0000-0x000001AEC9466000-memory.dmp

Filesize
472KB

Download
memory/2212-292-0x0000000000000000-mapping.dmp

Download
memory/2268-291-0x0000000000000000-mapping.dmp

Download
memory/2316-871-0x0000000000000000-mapping.dmp

Download
memory/2396-298-0x0000000000000000-mapping.dmp

Download
memory/2660-297-0x0000000000000000-mapping.dmp

Download
memory/2880-296-0x0000000000000000-mapping.dmp

Download
memory/2916-168-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-160-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-141-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-139-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-142-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-144-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-146-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-147-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-138-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-145-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-137-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-136-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-183-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-181-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-182-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-179-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-121-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-180-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-143-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-135-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-148-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-134-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-177-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-178-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-149-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-176-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-175-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-172-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-133-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-174-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-173-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-150-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-122-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-169-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-123-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-170-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-171-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-120-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-167-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-165-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-166-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-164-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-158-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-140-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-161-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-163-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-162-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-159-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-157-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-156-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-125-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-154-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-155-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-126-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-128-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-153-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-129-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-130-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-152-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-131-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-151-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/2916-132-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3388-184-0x0000000000000000-mapping.dmp

Download
memory/3388-186-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3388-185-0x0000000077570000-0x00000000776FE000-memory.dmp

Filesize
1.6MB

Download
memory/3624-313-0x0000000000000000-mapping.dmp

Download
memory/3716-309-0x0000000000000000-mapping.dmp

Download
memory/3756-892-0x0000000000000000-mapping.dmp

Download
memory/3892-856-0x0000000000000000-mapping.dmp

Download
memory/3904-293-0x0000000000000000-mapping.dmp

Download
memory/4064-708-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/4064-659-0x0000000000000000-mapping.dmp

Download
memory/4228-367-0x0000000000000000-mapping.dmp

Download
memory/4248-288-0x0000000002270000-0x000000000227C000-memory.dmp

Filesize
48KB

Download
memory/4248-287-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/4248-283-0x0000000000000000-mapping.dmp

Download
memory/4248-286-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/4248-289-0x00000000008A0000-0x00000000008AC000-memory.dmp

Filesize
48KB

Download
memory/4248-290-0x0000000002260000-0x000000000226C000-memory.dmp

Filesize
48KB

Download
memory/4256-857-0x0000000000000000-mapping.dmp

Download
memory/4256-859-0x00000000010F0000-0x0000000001102000-memory.dmp

Filesize
72KB

Download
memory/4268-873-0x0000000000000000-mapping.dmp

Download
memory/4304-879-0x0000000000000000-mapping.dmp

Download
memory/4424-316-0x0000000000000000-mapping.dmp

Download
memory/4528-874-0x0000000000000000-mapping.dmp

Download
memory/4528-876-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/4596-260-0x0000000000000000-mapping.dmp

Download
memory/4668-862-0x0000000000000000-mapping.dmp

Download
memory/4736-865-0x0000000001050000-0x0000000001062000-memory.dmp

Filesize
72KB

Download
memory/4736-863-0x0000000000000000-mapping.dmp

Download
memory/4952-303-0x0000000000000000-mapping.dmp

Download
memory/4984-307-0x0000000000000000-mapping.dmp

Download
memory/4996-883-0x0000000000000000-mapping.dmp

Download
memory/5140-885-0x0000000000000000-mapping.dmp

Download
memory/5184-795-0x0000000000000000-mapping.dmp

Download
memory/5204-854-0x0000000000000000-mapping.dmp

Download
memory/5240-797-0x0000000000000000-mapping.dmp

Download
memory/5276-866-0x0000000000000000-mapping.dmp

Download
memory/5320-877-0x0000000000000000-mapping.dmp

Download
memory/5376-889-0x0000000000000000-mapping.dmp

Download
memory/5416-831-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/5416-828-0x0000000000000000-mapping.dmp

Download
memory/5528-832-0x0000000000000000-mapping.dmp

Download
memory/5584-834-0x0000000000000000-mapping.dmp

Download
memory/5604-835-0x0000000000000000-mapping.dmp

Download
memory/5704-837-0x0000000000000000-mapping.dmp

Download
memory/5760-839-0x0000000000000000-mapping.dmp

Download
memory/5784-840-0x0000000000000000-mapping.dmp

Download
memory/5784-842-0x0000000000CF0000-0x0000000000D02000-memory.dmp

Filesize
72KB

Download
memory/5888-843-0x0000000000000000-mapping.dmp

Download
memory/5944-845-0x0000000000000000-mapping.dmp

Download
memory/5964-846-0x0000000000000000-mapping.dmp

Download
memory/5964-848-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/6064-849-0x0000000000000000-mapping.dmp

Download
memory/6120-851-0x0000000000000000-mapping.dmp

Download
memory/6140-852-0x0000000000000000-mapping.dmp

Download