dcrat | e14de37d492112c36e0c659ce843efa28c9780774c659a7fe691a220ba4df257

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e14de37d492112c36e0c659ce843efa28c9780774c659a7fe691a220ba4df257.exe
Size

1.3MB
MD5

2f299f9030fc9125e3b3c6ec353de326
SHA1

05e5a91c2cb0ec9bbe8e77f58ab4ded6db921826
SHA256

e14de37d492112c36e0c659ce843efa28c9780774c659a7fe691a220ba4df257
SHA512

e7312763315eca0d89ed59f4f4b3b40bde1add11867eb099170daa579d9eb7f876eb922da70f04609f005d3ffa9749d4305528c84ce680b1f820708ecab9d42f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	5048	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	5048	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001abbf-284.dat	dcrat
behavioral1/files/0x000800000001abbf-285.dat	dcrat
behavioral1/memory/2276-286-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/files/0x000600000001abd0-358.dat	dcrat
behavioral1/files/0x000600000001abd0-359.dat	dcrat
behavioral1/files/0x000600000001abd0-930.dat	dcrat
behavioral1/files/0x000600000001abd0-937.dat	dcrat
behavioral1/files/0x000600000001abd0-942.dat	dcrat
behavioral1/files/0x000600000001abd0-948.dat	dcrat
behavioral1/files/0x000600000001abd0-953.dat	dcrat
behavioral1/files/0x000600000001abd0-958.dat	dcrat
behavioral1/files/0x000600000001abd0-964.dat	dcrat
behavioral1/files/0x000600000001abd0-970.dat	dcrat
behavioral1/files/0x000600000001abd0-975.dat	dcrat
behavioral1/files/0x000600000001abd0-980.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
2276	DllCommonsvc.exe
4648	lsass.exe
5676	lsass.exe
5884	lsass.exe
6100	lsass.exe
6048	lsass.exe
5224	lsass.exe
1860	lsass.exe
3800	lsass.exe
2436	lsass.exe
4660	lsass.exe
3516	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\DeliveryOptimization\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\DeliveryOptimization\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\es-ES\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\appcompat\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\appcompat\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2436	schtasks.exe
1664	schtasks.exe
660	schtasks.exe
4760	schtasks.exe
4952	schtasks.exe
3768	schtasks.exe
4300	schtasks.exe
2068	schtasks.exe
4396	schtasks.exe
532	schtasks.exe
3076	schtasks.exe
4380	schtasks.exe
4560	schtasks.exe
4416	schtasks.exe
3816	schtasks.exe
2708	schtasks.exe
324	schtasks.exe
4940	schtasks.exe
2736	schtasks.exe
1688	schtasks.exe
4720	schtasks.exe
1856	schtasks.exe
676	schtasks.exe
4184	schtasks.exe
4628	schtasks.exe
1712	schtasks.exe
220	schtasks.exe
4608	schtasks.exe
4552	schtasks.exe
3044	schtasks.exe
2156	schtasks.exe
1800	schtasks.exe
1904	schtasks.exe
2356	schtasks.exe
4764	schtasks.exe
4976	schtasks.exe
4384	schtasks.exe
1612	schtasks.exe
3156	schtasks.exe
228	schtasks.exe
1460	schtasks.exe
612	schtasks.exe
328	schtasks.exe
4740	schtasks.exe
3260	schtasks.exe
4500	schtasks.exe
2664	schtasks.exe
2444	schtasks.exe
5084	schtasks.exe
4524	schtasks.exe
2220	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	e14de37d492112c36e0c659ce843efa28c9780774c659a7fe691a220ba4df257.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
4800	powershell.exe
4800	powershell.exe
1040	powershell.exe
1040	powershell.exe
4532	powershell.exe
4532	powershell.exe
1468	powershell.exe
1468	powershell.exe
440	powershell.exe
440	powershell.exe
1568	powershell.exe
1568	powershell.exe
1728	powershell.exe
1728	powershell.exe
4888	powershell.exe
4888	powershell.exe
3808	powershell.exe
3808	powershell.exe
3808	powershell.exe
4056	powershell.exe
4056	powershell.exe
4884	powershell.exe
4884	powershell.exe
3460	powershell.exe
3460	powershell.exe
1376	powershell.exe
1376	powershell.exe
4372	powershell.exe
4372	powershell.exe
1468	powershell.exe
3460	powershell.exe
3428	powershell.exe
3428	powershell.exe
4460	powershell.exe
4460	powershell.exe
4888	powershell.exe
5108	powershell.exe
5108	powershell.exe
820	powershell.exe
820	powershell.exe
4648	lsass.exe
4648	lsass.exe
3428	powershell.exe
1040	powershell.exe
1040	powershell.exe
4800	powershell.exe
4800	powershell.exe
440	powershell.exe
1568	powershell.exe
3808	powershell.exe
1468	powershell.exe
4532	powershell.exe
3460	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	DllCommonsvc.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4648	lsass.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeIncreaseQuotaPrivilege	1468	powershell.exe
Token: SeSecurityPrivilege	1468	powershell.exe
Token: SeTakeOwnershipPrivilege	1468	powershell.exe
Token: SeLoadDriverPrivilege	1468	powershell.exe
Token: SeSystemProfilePrivilege	1468	powershell.exe
Token: SeSystemtimePrivilege	1468	powershell.exe
Token: SeProfSingleProcessPrivilege	1468	powershell.exe
Token: SeIncBasePriorityPrivilege	1468	powershell.exe
Token: SeCreatePagefilePrivilege	1468	powershell.exe
Token: SeBackupPrivilege	1468	powershell.exe
Token: SeRestorePrivilege	1468	powershell.exe
Token: SeShutdownPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeSystemEnvironmentPrivilege	1468	powershell.exe
Token: SeRemoteShutdownPrivilege	1468	powershell.exe
Token: SeUndockPrivilege	1468	powershell.exe
Token: SeManageVolumePrivilege	1468	powershell.exe
Token: 33	1468	powershell.exe
Token: 34	1468	powershell.exe
Token: 35	1468	powershell.exe
Token: 36	1468	powershell.exe
Token: SeIncreaseQuotaPrivilege	3808	powershell.exe
Token: SeSecurityPrivilege	3808	powershell.exe
Token: SeTakeOwnershipPrivilege	3808	powershell.exe
Token: SeLoadDriverPrivilege	3808	powershell.exe
Token: SeSystemProfilePrivilege	3808	powershell.exe
Token: SeSystemtimePrivilege	3808	powershell.exe
Token: SeProfSingleProcessPrivilege	3808	powershell.exe
Token: SeIncBasePriorityPrivilege	3808	powershell.exe
Token: SeCreatePagefilePrivilege	3808	powershell.exe
Token: SeBackupPrivilege	3808	powershell.exe
Token: SeRestorePrivilege	3808	powershell.exe
Token: SeShutdownPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeSystemEnvironmentPrivilege	3808	powershell.exe
Token: SeRemoteShutdownPrivilege	3808	powershell.exe
Token: SeUndockPrivilege	3808	powershell.exe
Token: SeManageVolumePrivilege	3808	powershell.exe
Token: 33	3808	powershell.exe
Token: 34	3808	powershell.exe
Token: 35	3808	powershell.exe
Token: 36	3808	powershell.exe
Token: SeIncreaseQuotaPrivilege	3460	powershell.exe
Token: SeSecurityPrivilege	3460	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2928	2240	e14de37d492112c36e0c659ce843efa28c9780774c659a7fe691a220ba4df257.exe	66
PID 2240 wrote to memory of 2928	2240	e14de37d492112c36e0c659ce843efa28c9780774c659a7fe691a220ba4df257.exe	66
PID 2240 wrote to memory of 2928	2240	e14de37d492112c36e0c659ce843efa28c9780774c659a7fe691a220ba4df257.exe	66
PID 2928 wrote to memory of 4832	2928	WScript.exe	67
PID 2928 wrote to memory of 4832	2928	WScript.exe	67
PID 2928 wrote to memory of 4832	2928	WScript.exe	67
PID 4832 wrote to memory of 2276	4832	cmd.exe	69
PID 4832 wrote to memory of 2276	4832	cmd.exe	69
PID 2276 wrote to memory of 1040	2276	DllCommonsvc.exe	122
PID 2276 wrote to memory of 1040	2276	DllCommonsvc.exe	122
PID 2276 wrote to memory of 4800	2276	DllCommonsvc.exe	123
PID 2276 wrote to memory of 4800	2276	DllCommonsvc.exe	123
PID 2276 wrote to memory of 440	2276	DllCommonsvc.exe	129
PID 2276 wrote to memory of 440	2276	DllCommonsvc.exe	129
PID 2276 wrote to memory of 1568	2276	DllCommonsvc.exe	128
PID 2276 wrote to memory of 1568	2276	DllCommonsvc.exe	128
PID 2276 wrote to memory of 1468	2276	DllCommonsvc.exe	126
PID 2276 wrote to memory of 1468	2276	DllCommonsvc.exe	126
PID 2276 wrote to memory of 4532	2276	DllCommonsvc.exe	130
PID 2276 wrote to memory of 4532	2276	DllCommonsvc.exe	130
PID 2276 wrote to memory of 3808	2276	DllCommonsvc.exe	132
PID 2276 wrote to memory of 3808	2276	DllCommonsvc.exe	132
PID 2276 wrote to memory of 1728	2276	DllCommonsvc.exe	135
PID 2276 wrote to memory of 1728	2276	DllCommonsvc.exe	135
PID 2276 wrote to memory of 4884	2276	DllCommonsvc.exe	158
PID 2276 wrote to memory of 4884	2276	DllCommonsvc.exe	158
PID 2276 wrote to memory of 4056	2276	DllCommonsvc.exe	138
PID 2276 wrote to memory of 4056	2276	DllCommonsvc.exe	138
PID 2276 wrote to memory of 3460	2276	DllCommonsvc.exe	139
PID 2276 wrote to memory of 3460	2276	DllCommonsvc.exe	139
PID 2276 wrote to memory of 4372	2276	DllCommonsvc.exe	140
PID 2276 wrote to memory of 4372	2276	DllCommonsvc.exe	140
PID 2276 wrote to memory of 4888	2276	DllCommonsvc.exe	141
PID 2276 wrote to memory of 4888	2276	DllCommonsvc.exe	141
PID 2276 wrote to memory of 4460	2276	DllCommonsvc.exe	142
PID 2276 wrote to memory of 4460	2276	DllCommonsvc.exe	142
PID 2276 wrote to memory of 1376	2276	DllCommonsvc.exe	153
PID 2276 wrote to memory of 1376	2276	DllCommonsvc.exe	153
PID 2276 wrote to memory of 5108	2276	DllCommonsvc.exe	144
PID 2276 wrote to memory of 5108	2276	DllCommonsvc.exe	144
PID 2276 wrote to memory of 3428	2276	DllCommonsvc.exe	145
PID 2276 wrote to memory of 3428	2276	DllCommonsvc.exe	145
PID 2276 wrote to memory of 820	2276	DllCommonsvc.exe	147
PID 2276 wrote to memory of 820	2276	DllCommonsvc.exe	147
PID 2276 wrote to memory of 4648	2276	DllCommonsvc.exe	151
PID 2276 wrote to memory of 4648	2276	DllCommonsvc.exe	151
PID 4648 wrote to memory of 5348	4648	lsass.exe	160
PID 4648 wrote to memory of 5348	4648	lsass.exe	160
PID 5348 wrote to memory of 2456	5348	cmd.exe	162
PID 5348 wrote to memory of 2456	5348	cmd.exe	162
PID 5348 wrote to memory of 5676	5348	cmd.exe	163
PID 5348 wrote to memory of 5676	5348	cmd.exe	163
PID 5676 wrote to memory of 5808	5676	lsass.exe	164
PID 5676 wrote to memory of 5808	5676	lsass.exe	164
PID 5808 wrote to memory of 5844	5808	cmd.exe	166
PID 5808 wrote to memory of 5844	5808	cmd.exe	166
PID 5808 wrote to memory of 5884	5808	cmd.exe	167
PID 5808 wrote to memory of 5884	5808	cmd.exe	167
PID 5884 wrote to memory of 5984	5884	lsass.exe	168
PID 5884 wrote to memory of 5984	5884	lsass.exe	168
PID 5984 wrote to memory of 6068	5984	cmd.exe	170
PID 5984 wrote to memory of 6068	5984	cmd.exe	170
PID 5984 wrote to memory of 6100	5984	cmd.exe	171
PID 5984 wrote to memory of 6100	5984	cmd.exe	171

C:\Users\Admin\AppData\Local\Temp\e14de37d492112c36e0c659ce843efa28c9780774c659a7fe691a220ba4df257.exe
"C:\Users\Admin\AppData\Local\Temp\e14de37d492112c36e0c659ce843efa28c9780774c659a7fe691a220ba4df257.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\DeliveryOptimization\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\db\lib\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
    - - C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2456
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5844
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:6068
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
        12⤵
        
        PID:5180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:6088
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
        14⤵
        
        PID:4568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2776
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        16⤵
        
        PID:1468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:772
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        18⤵
        
        PID:5520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4664
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
        20⤵
        
        PID:5408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:5576
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        22⤵
        
        PID:4876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2272
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        24⤵
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4332
        
        C:\Windows\appcompat\lsass.exe
        
        "C:\Windows\appcompat\lsass.exe"
        25⤵
        Executes dropped EXE
        
        PID:3516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\fr-FR\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\appcompat\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\DeliveryOptimization\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DeliveryOptimization\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\DeliveryOptimization\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.8.0_66\db\lib\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\db\lib\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk1.8.0_66\db\lib\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da564a0ea3c211ce7c446c58b2f76083

SHA1
aa29de419ef259cff94d66a5730fde2b11f238ae

SHA256
b0bb9597bdb44794b0fc95c7dc4d113c25df37fa0ad2b549dcd50a2619805e90

SHA512
ba340cceef4ea814fa449813aeb06f4519047c333223d89758b0885333436ba1348ecdbe80b8f2ed260e7717c726694a41eb9bdca710ead4d6067b0ace830e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da564a0ea3c211ce7c446c58b2f76083

SHA1
aa29de419ef259cff94d66a5730fde2b11f238ae

SHA256
b0bb9597bdb44794b0fc95c7dc4d113c25df37fa0ad2b549dcd50a2619805e90

SHA512
ba340cceef4ea814fa449813aeb06f4519047c333223d89758b0885333436ba1348ecdbe80b8f2ed260e7717c726694a41eb9bdca710ead4d6067b0ace830e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d6d1137d9a65206b7947b23c3cbc4a

SHA1
e0053b6f4d4c7faceea3ee8d197ebb4e2b74dc58

SHA256
6cfaa87f48b3d15a3c9c221aca61439c8a3a52d7999f6af6530e30280008f235

SHA512
90186766d0b0d7df6a58af9d0380de38f6b9591138b98dea5ca0d21e751eb2442125906ba1e1d17c0b4cf6f0ba8f63eaee8b746b3bfcde8baea1b57ef150408d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
205c58da05434e7c04bbc264adfd6c06

SHA1
b300188cef167edd54149dbf266e03862356229e

SHA256
f52b6de6796898ed4575325a21232cbe369179ca064f715ffe4768790f4ce4e2

SHA512
6d80339148adbb1ed53ebfbf5524d036799c9c96641893708a308c8f8153bde48d2513087521c6891cec29aa0a37685ac0ab7b6ebf8464d04b7ae229bf5ead56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbe988e2af33c62f53f13ce10edb154e

SHA1
347eef46bd33e9dabe782574beaa6a31be18ca1c

SHA256
68bb83adac352fa666b6aad88f6b3a4a3e23762396741b4a22673ac7e7c8bdbe

SHA512
044ef3922288d099823251170535c255f6371d21cda9b8b4793e796ecbd32d988a3741cb4f7ebb001a65e5b4e17964dc7c04c54c2edddaf3f0138e8008b9bc49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bb0fd82f43ccee72befa3f341bfbcdd

SHA1
5eabba154fc04234db60e125a4eff756b5bdd9b8

SHA256
c182275074d1164e3e95e2b909c8f5f610d4a04fe3a5dece440c5cdb06f00731

SHA512
2c2fa484f710217b350620bc96377d1ec36081963236d90cdd8c96fd2fb4fd45563ad2fca78570f8f75ee8ef68e5adb22fb1e639180808c95f9272e6ff2941ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a09c1030104c7d2b45bf698247907649

SHA1
5c87e8c03fc45e28572c03a80328fe4aceec358c

SHA256
51f093cdfc24e694f8547367095826bb6c1e74df45f5a79f459933fdfe2dcca8

SHA512
4273561193da16f735fa05eb36ce154f07ef42b0d00df8add8772d094c497e2e76c7e3d57627239d6dd26237fc66988875727bd92c6abe460629981b7a600931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
471f86b4a0b6c7c333e830c3ea53ae13

SHA1
2254732fef24a7971ce5d5fd222ac47af1aea31e

SHA256
2eafe606374013673690819877771c1ca65b4e31a3c7bf643923eb01fdbdab77

SHA512
f36dbf171116efb43758c1e00fde602f8d931509e61eff9ef27227f43cfcdd4ca541b8d94d770e2ca7445b5aa36cb2456eb1ed1b36f345a6ce8f1682bbabf3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22e11d1486471cd325375e64020b18b6

SHA1
b7dcdd3d6b3324a91ac6a84ce43a8cbcf2d4d618

SHA256
2224bed6dce20a7baf6a376b1337de4170d575e57840ba3c50573ed260d9b051

SHA512
4713e9a5e913f12653107501683c82ea9c0cb1c7d46ae8352d1f78ae0994ceadc9fc2e31484c4499d11c121de5625d28149d796092a7e23021ed6cd61651ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22e11d1486471cd325375e64020b18b6

SHA1
b7dcdd3d6b3324a91ac6a84ce43a8cbcf2d4d618

SHA256
2224bed6dce20a7baf6a376b1337de4170d575e57840ba3c50573ed260d9b051

SHA512
4713e9a5e913f12653107501683c82ea9c0cb1c7d46ae8352d1f78ae0994ceadc9fc2e31484c4499d11c121de5625d28149d796092a7e23021ed6cd61651ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c7093b261f96cc8c93a0171df4e9aaff

SHA1
3ce0e09f6958c30c61942c90dd0de4083c8d20d7

SHA256
ad57e65faeeab27f78ef90f0b431dfe65ef3282fe680cb40fff108d2d82f998a

SHA512
da44aceaf68c9ced504237a3d0ccef0f3b6c6bd23539f325a00cee022151b09e144526ef957c932bf1a8c8715ab195abaa215dbd3d2995ba1a4530deb825da70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a60fdab1f449b6b281e406ad251f782

SHA1
20e03e7f702ff4016bb5c01a0442284901394b73

SHA256
531a17514777ee98f36f7e0672e68b822d8c964e32e81602ed53c44b26947ef4

SHA512
aa012fc87cc1c21102a9fdcf43de9e2d7350bca9dc7377776ed29d8cac851d1d0ed6658031902ee212967d051769ca3df390b3967b664db22a10ea1f815de2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a60fdab1f449b6b281e406ad251f782

SHA1
20e03e7f702ff4016bb5c01a0442284901394b73

SHA256
531a17514777ee98f36f7e0672e68b822d8c964e32e81602ed53c44b26947ef4

SHA512
aa012fc87cc1c21102a9fdcf43de9e2d7350bca9dc7377776ed29d8cac851d1d0ed6658031902ee212967d051769ca3df390b3967b664db22a10ea1f815de2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a8beabe1e7eddf20d6d6b56711b74b7

SHA1
71ed39c4e36e17b52b440b55603b8de718f1230d

SHA256
70959f5f9cccfd73c95a5c6ad3d69db0643cde9b989a103b959b67712172f03b

SHA512
157427cc2616ac3da2fc18ee573a399f9d32138911c971aa9d49571cf02cb450ace007f5174439812ee8aa4f00f31011da5dad5b89e93b35e643eb057e4f0ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
526d1589675ac43a321caa5527fb58eb

SHA1
d76ea7f7dc75b8a5bfafaf36e16efc522ebb96b5

SHA256
ee79b3b183b9ea521ff8029492b7804cca3dbb88ddb601dc25bfa3540672f359

SHA512
c40560d11a28404d8ca25c79d28d779a0c56a9d3c9cc1caff9c8e26a9fb2839c45cfe6b49ccdad7d225c3ee773efcef5ebf1b865d1e6b3b5cfb5d931daa2acc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff03f47850c575d0c3c63fd87c69ff01

SHA1
f534062687f1cd8ab7b03708d691058075f1d3b6

SHA256
a9ec5fabcc6a0c031aac466eea86ea17730a0eaaf400b8d0d6f37d8e0010dc13

SHA512
c5ab408896c4839e3fc893ec59b466e012a53ac00608a7528568617b18680ebbc9ac3f8d80fcc269d6b82b9efb22e86a9705262e07e17137d4cc035be020ace5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

Filesize
195B

MD5
4d0aaa662c56a43409032bebe9bff442

SHA1
5e7c2d0538ac385e4c5178c5e2a7b7c5bdf95b8b

SHA256
b7832060f4c50d53a8a48df2fcca78f7240318da2724f5d7100ec7dbbc37c0de

SHA512
3776c9ba70c44bc00e08e565d6f65b7aba31333683662d30533609ab56e9ae67d2af1501eef5e8ff81d5783e972a8e061e62809f7435835e9d07ebc213bed020

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat

Filesize
195B

MD5
19c40f9eb64c02bb7c40852b8b127d62

SHA1
e9023cf1408cbba07cf565b22e2d2a181c41e3ee

SHA256
66ec5a8cd13c7cfa37e748c48a412285bf57a622a043d2c2213336f676d260ec

SHA512
cf2faa3e8c89d9df705c43c3e7a9cda9dd684e0c2ce05c306f1c7350ef2f44570265795f43291083a7624ccd0e2f5ab36ce324afdd3e60f58292501f4b1082de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

Filesize
195B

MD5
6e14181074d66cba7cbce318176cedfe

SHA1
2e845341412bd5f98991e43f9ce4d86ae1d7ea1b

SHA256
6eb42665428f587e2c97e4e7316084b36ff5e1235208e311e12ac0508e67e31b

SHA512
c277381ca8df043e94cf88bdd36b6fc0781cc1578404d9b1efb6e5aa8ab51e2b4b5ff07dea98f12534dfd0632d454d8a639597dec32c44db0f09a898d9084c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

Filesize
195B

MD5
1bac2a02ecd02d6bc83c19ec61f1e994

SHA1
53ae29007e76b7bd5004a226f9f7e8651a77a1c3

SHA256
15f4e084d6ba9c0eecff9980abaea230692825b497b19a3d1b7d1c94487a5d11

SHA512
fc4d28eb802f93bb1035bbf7b2030b5d026aa67126ea537517eda86122a4c331474e11b84bd4edea3f14861f403f36c40fb3ab0b09e9249cf7962ea59ad39166

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat

Filesize
195B

MD5
3ededc0fdd700b4ec6c722216d5625c9

SHA1
79a9039c28019ba8f68b2774b43db14407a51406

SHA256
a6c5c2271452cc1396a533f8a381536e5d5ef4a2e03cbf2ea79644235221ccd7

SHA512
17df9d5087c279b3717d007e6778a7db3c6069f1a236e955009e753f8f3fcf524c6d7bb503cef7839f124a356b0e47d70f93895c2e95099ed709ffe71d187689

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
195B

MD5
0190dafc2394d10f4653ea0b7d9ba7e7

SHA1
a2edffa8e4c6bb703be93ae8600afd321708fed5

SHA256
a0766964b618b4db4d929a7aa1dd79f797af6be662d0fda2f0e3ce9b64368ae5

SHA512
6f262ff3d03d100daad4c5a334aa5ee7921861003a385acfaf9343810f598c69a53be8419545f81ff5d254d0bec1d2190cbfeafa78b6ae2693e48f46db071927

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
195B

MD5
bc6fc1441ca9c6ac8e6200639e721192

SHA1
fb77573024f4a423f057368501dce712b724ac89

SHA256
7e20879f691c1998a78de1e337223bc93f102d4c194e395465fad51273aa9672

SHA512
12eb06d34f004a06c84cf44ed184ca446303b416d5f3e0953703ae3dc11890d1b89d77d215204754ee9f614b684d2d32cd502dff280b0254537368caefbb1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
195B

MD5
bc6fc1441ca9c6ac8e6200639e721192

SHA1
fb77573024f4a423f057368501dce712b724ac89

SHA256
7e20879f691c1998a78de1e337223bc93f102d4c194e395465fad51273aa9672

SHA512
12eb06d34f004a06c84cf44ed184ca446303b416d5f3e0953703ae3dc11890d1b89d77d215204754ee9f614b684d2d32cd502dff280b0254537368caefbb1dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

Filesize
195B

MD5
b789c8da7b09f3d34e0590e35a1492d8

SHA1
23c07902dd5432da67c5daccf4168e86a8f2a18c

SHA256
09505e8afdaec4a73b011fedceb5f2e959ce973a067f5ef9b65a68e0ad4764b9

SHA512
b2f57cd08fbef80544bcd1047fe5854168636c8c194458beb1f6417ed3370608b8b67490afeb5ebdeacc03e84593fc6c7e12ca990fc6ef228d41a0b01e72f169

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
195B

MD5
d5b6772fdd971103604601ce0c6a15f1

SHA1
3077bccb7188055fe87a5135cb977184e0570f55

SHA256
379d94a474198ae8c4522dc17e50787cbfde91f27789dcd7646d3aae6188e632

SHA512
9a05b95599c6ea352e46dbe982d0e668253b5f18a31ca6e97fb5e387c9254beadd785b713aced473e331c9b76c1aae4922dbf10d22e0db8a150f4020a912a70e

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\appcompat\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/440-377-0x000001C4CDBF0000-0x000001C4CDC12000-memory.dmp

Filesize
136KB

Download
memory/1468-390-0x0000021F78A80000-0x0000021F78AF6000-memory.dmp

Filesize
472KB

Download
memory/1860-959-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/2240-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2276-290-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/2276-289-0x00000000014F0000-0x00000000014FC000-memory.dmp

Filesize
48KB

Download
memory/2276-286-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/2276-288-0x00000000014E0000-0x00000000014EC000-memory.dmp

Filesize
48KB

Download
memory/2276-287-0x00000000014C0000-0x00000000014D2000-memory.dmp

Filesize
72KB

Download
memory/2928-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2928-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-981-0x0000000001480000-0x0000000001492000-memory.dmp

Filesize
72KB

Download
memory/3800-965-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/4648-385-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/5676-932-0x00000000010C0000-0x00000000010D2000-memory.dmp

Filesize
72KB

Download
memory/6100-943-0x0000000001450000-0x0000000001462000-memory.dmp

Filesize
72KB

Download