dcrat | 85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1.exe
Size

1.3MB
MD5

7dd9309123742a5b434a05cfc9ed808c
SHA1

4931d31b2f4882669c151701d5ef4394c838d580
SHA256

85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1
SHA512

aef0f563dad3446e518d9fdf8f777bb68105514d20913a3c1b8e6fb708e92b8b8e34cbc7d3c2febb34565ccc1839c353493fc8e1d124071912812feef1eba18c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	5084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	5084	schtasks.exe

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/3976-283-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	dcrat

Executes dropped EXE 13 IoCs

Processes:

DllCommonsvc.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

pid	process
3976	DllCommonsvc.exe
4264	lsass.exe
764	lsass.exe
3356	lsass.exe
3564	lsass.exe
4904	lsass.exe
4632	lsass.exe
372	lsass.exe
232	lsass.exe
3360	lsass.exe
4060	lsass.exe
1664	lsass.exe
4420	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\security\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\taskhostw.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Windows\rescache\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\servicing\ja-JP\sihost.exe	DllCommonsvc.exe
File created	C:\Windows\security\spoolsv.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4824	schtasks.exe
3136	schtasks.exe
1892	schtasks.exe
2192	schtasks.exe
4744	schtasks.exe
4676	schtasks.exe
1212	schtasks.exe
3288	schtasks.exe
2288	schtasks.exe
4056	schtasks.exe
4624	schtasks.exe
604	schtasks.exe
1796	schtasks.exe
216	schtasks.exe
4476	schtasks.exe
4504	schtasks.exe
4160	schtasks.exe
4156	schtasks.exe
1636	schtasks.exe
4500	schtasks.exe
4864	schtasks.exe
836	schtasks.exe
448	schtasks.exe
1692	schtasks.exe
4712	schtasks.exe
4652	schtasks.exe
1032	schtasks.exe
2140	schtasks.exe
3292	schtasks.exe
4740	schtasks.exe
4664	schtasks.exe
2260	schtasks.exe
4484	schtasks.exe
1472	schtasks.exe
1372	schtasks.exe
1324	schtasks.exe
332	schtasks.exe
328	schtasks.exe
4472	schtasks.exe
1800	schtasks.exe
4696	schtasks.exe
3304	schtasks.exe

Modifies registry class 13 IoCs

Processes:

lsass.exe85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exelsass.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	lsass.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exepowershell.exepowershell.exe

pid	process
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
3976	DllCommonsvc.exe
1812	powershell.exe
1812	powershell.exe
2276	powershell.exe
2276	powershell.exe
2372	powershell.exe
2372	powershell.exe
932	powershell.exe
932	powershell.exe
5036	powershell.exe
5036	powershell.exe
2864	powershell.exe
2864	powershell.exe
2628	powershell.exe
2628	powershell.exe
4636	powershell.exe
4636	powershell.exe
2504	powershell.exe
2504	powershell.exe
4732	powershell.exe
4732	powershell.exe
4368	powershell.exe
4368	powershell.exe
2748	powershell.exe
2748	powershell.exe
1412	powershell.exe
1412	powershell.exe
4636	powershell.exe
4264	lsass.exe
4264	lsass.exe
5016	powershell.exe
5016	powershell.exe
2336	powershell.exe
2336	powershell.exe
932	powershell.exe
2276	powershell.exe
1812	powershell.exe
5036	powershell.exe
2372	powershell.exe
2504	powershell.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsass.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3976	DllCommonsvc.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	4264	lsass.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeIncreaseQuotaPrivilege	4636	powershell.exe
Token: SeSecurityPrivilege	4636	powershell.exe
Token: SeTakeOwnershipPrivilege	4636	powershell.exe
Token: SeLoadDriverPrivilege	4636	powershell.exe
Token: SeSystemProfilePrivilege	4636	powershell.exe
Token: SeSystemtimePrivilege	4636	powershell.exe
Token: SeProfSingleProcessPrivilege	4636	powershell.exe
Token: SeIncBasePriorityPrivilege	4636	powershell.exe
Token: SeCreatePagefilePrivilege	4636	powershell.exe
Token: SeBackupPrivilege	4636	powershell.exe
Token: SeRestorePrivilege	4636	powershell.exe
Token: SeShutdownPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeSystemEnvironmentPrivilege	4636	powershell.exe
Token: SeRemoteShutdownPrivilege	4636	powershell.exe
Token: SeUndockPrivilege	4636	powershell.exe
Token: SeManageVolumePrivilege	4636	powershell.exe
Token: 33	4636	powershell.exe
Token: 34	4636	powershell.exe
Token: 35	4636	powershell.exe
Token: 36	4636	powershell.exe
Token: SeIncreaseQuotaPrivilege	932	powershell.exe
Token: SeSecurityPrivilege	932	powershell.exe
Token: SeTakeOwnershipPrivilege	932	powershell.exe
Token: SeLoadDriverPrivilege	932	powershell.exe
Token: SeSystemProfilePrivilege	932	powershell.exe
Token: SeSystemtimePrivilege	932	powershell.exe
Token: SeProfSingleProcessPrivilege	932	powershell.exe
Token: SeIncBasePriorityPrivilege	932	powershell.exe
Token: SeCreatePagefilePrivilege	932	powershell.exe
Token: SeBackupPrivilege	932	powershell.exe
Token: SeRestorePrivilege	932	powershell.exe
Token: SeShutdownPrivilege	932	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeSystemEnvironmentPrivilege	932	powershell.exe
Token: SeRemoteShutdownPrivilege	932	powershell.exe
Token: SeUndockPrivilege	932	powershell.exe
Token: SeManageVolumePrivilege	932	powershell.exe
Token: 33	932	powershell.exe
Token: 34	932	powershell.exe
Token: 35	932	powershell.exe
Token: 36	932	powershell.exe
Token: SeIncreaseQuotaPrivilege	2276	powershell.exe
Token: SeSecurityPrivilege	2276	powershell.exe
Token: SeTakeOwnershipPrivilege	2276	powershell.exe
Token: SeLoadDriverPrivilege	2276	powershell.exe
Token: SeSystemProfilePrivilege	2276	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1.exeWScript.execmd.exeDllCommonsvc.exelsass.execmd.exelsass.execmd.exelsass.execmd.exelsass.execmd.exe

description	pid	process	target process
PID 3496 wrote to memory of 4540	3496	85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1.exe	WScript.exe
PID 3496 wrote to memory of 4540	3496	85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1.exe	WScript.exe
PID 3496 wrote to memory of 4540	3496	85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1.exe	WScript.exe
PID 4540 wrote to memory of 3232	4540	WScript.exe	cmd.exe
PID 4540 wrote to memory of 3232	4540	WScript.exe	cmd.exe
PID 4540 wrote to memory of 3232	4540	WScript.exe	cmd.exe
PID 3232 wrote to memory of 3976	3232	cmd.exe	DllCommonsvc.exe
PID 3232 wrote to memory of 3976	3232	cmd.exe	DllCommonsvc.exe
PID 3976 wrote to memory of 2276	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2276	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 5036	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 5036	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 1812	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 1812	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2372	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2372	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 932	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 932	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2504	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2504	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2864	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2864	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2628	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2628	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2748	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2748	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 4636	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 4636	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 4732	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 4732	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2336	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 2336	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 4368	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 4368	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 1412	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 1412	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 5016	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 5016	3976	DllCommonsvc.exe	powershell.exe
PID 3976 wrote to memory of 4264	3976	DllCommonsvc.exe	lsass.exe
PID 3976 wrote to memory of 4264	3976	DllCommonsvc.exe	lsass.exe
PID 4264 wrote to memory of 4516	4264	lsass.exe	cmd.exe
PID 4264 wrote to memory of 4516	4264	lsass.exe	cmd.exe
PID 4516 wrote to memory of 3644	4516	cmd.exe	w32tm.exe
PID 4516 wrote to memory of 3644	4516	cmd.exe	w32tm.exe
PID 4516 wrote to memory of 764	4516	cmd.exe	lsass.exe
PID 4516 wrote to memory of 764	4516	cmd.exe	lsass.exe
PID 764 wrote to memory of 4828	764	lsass.exe	cmd.exe
PID 764 wrote to memory of 4828	764	lsass.exe	cmd.exe
PID 4828 wrote to memory of 3336	4828	cmd.exe	w32tm.exe
PID 4828 wrote to memory of 3336	4828	cmd.exe	w32tm.exe
PID 4828 wrote to memory of 3356	4828	cmd.exe	lsass.exe
PID 4828 wrote to memory of 3356	4828	cmd.exe	lsass.exe
PID 3356 wrote to memory of 1028	3356	lsass.exe	cmd.exe
PID 3356 wrote to memory of 1028	3356	lsass.exe	cmd.exe
PID 1028 wrote to memory of 3272	1028	cmd.exe	w32tm.exe
PID 1028 wrote to memory of 3272	1028	cmd.exe	w32tm.exe
PID 1028 wrote to memory of 3564	1028	cmd.exe	lsass.exe
PID 1028 wrote to memory of 3564	1028	cmd.exe	lsass.exe
PID 3564 wrote to memory of 4400	3564	lsass.exe	cmd.exe
PID 3564 wrote to memory of 4400	3564	lsass.exe	cmd.exe
PID 4400 wrote to memory of 1180	4400	cmd.exe	w32tm.exe
PID 4400 wrote to memory of 1180	4400	cmd.exe	w32tm.exe
PID 4400 wrote to memory of 4904	4400	cmd.exe	lsass.exe
PID 4400 wrote to memory of 4904	4400	cmd.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1.exe
"C:\Users\Admin\AppData\Local\Temp\85baea97b49a1e26950fd1afdb42e7f087d6e89c2a007359c477083ad01afae1.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\taskhostw.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3644

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:3336

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:3272

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:1180

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
13⤵
- Executes dropped EXE
- Modifies registry class
PID:4904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
14⤵
PID:1572

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:3756

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
15⤵
- Executes dropped EXE
- Modifies registry class
PID:4632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
16⤵
PID:2864

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:672

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
17⤵
- Executes dropped EXE
- Modifies registry class
PID:372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
18⤵
PID:3088

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:1216

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
19⤵
- Executes dropped EXE
- Modifies registry class
PID:232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
20⤵
PID:604

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:5008

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
21⤵
- Executes dropped EXE
- Modifies registry class
PID:3360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
22⤵
PID:4876

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:2272

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
23⤵
- Executes dropped EXE
- Modifies registry class
PID:4060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
24⤵
PID:4456

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:3556

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
25⤵
- Executes dropped EXE
- Modifies registry class
PID:1664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
26⤵
PID:4836

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:4912

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe
"C:\Program Files\Microsoft Office\PackageManifests\lsass.exe"
27⤵
- Executes dropped EXE
- Modifies registry class
PID:4420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
28⤵
PID:2484

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
29⤵
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SchCache\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\security\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\security\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\security\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 12 /tr "'C:\providercommon\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 12 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office\PackageManifests\lsass.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c3693bfea814d1c2e241c9fb2448d90

SHA1
86f8361ddcda93ed9dfb1a10ab10b975ba1f57fd

SHA256
20bc2223929e25a6be626a5bb1b9f7a3aa0b22a970d9674ee57942399ae49400

SHA512
c34c15824c5eeff0db9e3b6f9d47830d1e4cd8c89910928626088e2d13b51ce9a2e97e64081deeb8c258fb0648ba1f64a46a68e97e4054e5ef0a2b1e4a02d770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66f20ff783255211529d4558e96b12f2

SHA1
6a5bd191bd4a7da6812abce689a9397f9be21327

SHA256
c13d1e56ef8fd34e9f3ba15e7cd27a88eef20b747db7216fae8c0c48c10ea4df

SHA512
faa653564b4a363e219a07f3f4b20f4f7e727b45dc0b436a77494dde2c23d9d3ee13b9dd6c01cb15f43d5b0b9938a4db643b7b4c3fe730dd4ad6f2a1b2ca04e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66f20ff783255211529d4558e96b12f2

SHA1
6a5bd191bd4a7da6812abce689a9397f9be21327

SHA256
c13d1e56ef8fd34e9f3ba15e7cd27a88eef20b747db7216fae8c0c48c10ea4df

SHA512
faa653564b4a363e219a07f3f4b20f4f7e727b45dc0b436a77494dde2c23d9d3ee13b9dd6c01cb15f43d5b0b9938a4db643b7b4c3fe730dd4ad6f2a1b2ca04e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a6977bf950bc492418e6f13f1101c4c4

SHA1
65c9a54e4c73fbed6ee91dfb634031dbb99e8f5b

SHA256
49c34512a80bb3ce171b55b213d4f57bf417155101672008093bb0568f772f7c

SHA512
6a672d183791cbe7261560942fc3ae36b561045852d401b5c3f1c981f4efa37c384d4a2246a34c65208ade2643db5ae7713031b625aa54f4d3a30130db0b2a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2bd551ea7b267da59208f77cb4dc581d

SHA1
587362d0e14e196a7f550cbceae32aaf4736a4ab

SHA256
2e4923dc0d2f3fb8d061ecf3c5c14aaf92c0e7ae477c2cc68027bb7341072f90

SHA512
f203e26206a8454c7af5d19982eb4de5511b1b32d20b2fcd269908c4cba730e6147d2c5282119f05167de4b15606c83022ee7ab88ba72f8fda645c4d3f50b744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2bd551ea7b267da59208f77cb4dc581d

SHA1
587362d0e14e196a7f550cbceae32aaf4736a4ab

SHA256
2e4923dc0d2f3fb8d061ecf3c5c14aaf92c0e7ae477c2cc68027bb7341072f90

SHA512
f203e26206a8454c7af5d19982eb4de5511b1b32d20b2fcd269908c4cba730e6147d2c5282119f05167de4b15606c83022ee7ab88ba72f8fda645c4d3f50b744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2bd551ea7b267da59208f77cb4dc581d

SHA1
587362d0e14e196a7f550cbceae32aaf4736a4ab

SHA256
2e4923dc0d2f3fb8d061ecf3c5c14aaf92c0e7ae477c2cc68027bb7341072f90

SHA512
f203e26206a8454c7af5d19982eb4de5511b1b32d20b2fcd269908c4cba730e6147d2c5282119f05167de4b15606c83022ee7ab88ba72f8fda645c4d3f50b744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2bd551ea7b267da59208f77cb4dc581d

SHA1
587362d0e14e196a7f550cbceae32aaf4736a4ab

SHA256
2e4923dc0d2f3fb8d061ecf3c5c14aaf92c0e7ae477c2cc68027bb7341072f90

SHA512
f203e26206a8454c7af5d19982eb4de5511b1b32d20b2fcd269908c4cba730e6147d2c5282119f05167de4b15606c83022ee7ab88ba72f8fda645c4d3f50b744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7165fc8db99a005d363e50fdb745944a

SHA1
7ed4fd10e4fd48d0d2228ae3db219c9224e96f49

SHA256
7a46486410e67092f67395dba94cc5e41157d07f1cb700de44ac12073a96c226

SHA512
1d388087f8dc3ecff3cfaea3770293ddb5edb4be7cddae8e11fc222caefaeb8ae12242fc474ce2b2b12d3237febc4f1f45af430a3912712fcfbc4947703c775a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7165fc8db99a005d363e50fdb745944a

SHA1
7ed4fd10e4fd48d0d2228ae3db219c9224e96f49

SHA256
7a46486410e67092f67395dba94cc5e41157d07f1cb700de44ac12073a96c226

SHA512
1d388087f8dc3ecff3cfaea3770293ddb5edb4be7cddae8e11fc222caefaeb8ae12242fc474ce2b2b12d3237febc4f1f45af430a3912712fcfbc4947703c775a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7165fc8db99a005d363e50fdb745944a

SHA1
7ed4fd10e4fd48d0d2228ae3db219c9224e96f49

SHA256
7a46486410e67092f67395dba94cc5e41157d07f1cb700de44ac12073a96c226

SHA512
1d388087f8dc3ecff3cfaea3770293ddb5edb4be7cddae8e11fc222caefaeb8ae12242fc474ce2b2b12d3237febc4f1f45af430a3912712fcfbc4947703c775a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7165fc8db99a005d363e50fdb745944a

SHA1
7ed4fd10e4fd48d0d2228ae3db219c9224e96f49

SHA256
7a46486410e67092f67395dba94cc5e41157d07f1cb700de44ac12073a96c226

SHA512
1d388087f8dc3ecff3cfaea3770293ddb5edb4be7cddae8e11fc222caefaeb8ae12242fc474ce2b2b12d3237febc4f1f45af430a3912712fcfbc4947703c775a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38570b750dd055e53f7f3a1a1c9a9b8d

SHA1
8790b7e28d9006e7509a2f9cb5a08e4d2c77dc29

SHA256
78c11f734452bc535f5788dbf4dac84af3a19fa08199c4a4a3de60fe39c6b709

SHA512
a8fd940c1987d6a49a4b887180b212f9baad7dea92608e4764a71d4459cd7b56674b005e5d88c223a577269ace690709850490244da616920a3744061b5e72ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f8d309710d37b00804e56aae04b9b8d1

SHA1
42455e2046025d6a9ff0560f91945c52b1b85236

SHA256
a1db2f7e3e308a21b91a7fc2746281514e6e3b6a36594c5f31185189f72b870f

SHA512
f41bca535cd55bb6869d67590a526ca992c98d1c77caf25f4c175034f4aecd67ea62ff578a5312e40eb3f614a68c011d973d1d4c203ac8b4cc7c29f45580f690

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat

Filesize
225B

MD5
88e442a715225cd0ffe95f437795f08a

SHA1
ea8ef3c36a1de5d2b563163b38757fb26c9ca484

SHA256
4196d74a2150cfb4aeb7ff59c2ec5bf77234059b77869d4c2fda7e2e4fe021c2

SHA512
04e6c55008a2674546592c9977108811656507df55e86fea5e27bd4c045cedc22b9886b0df173a7d2f24fbd24d0441ff097012a18316595f14570cae40f53bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
225B

MD5
7133da2dee4474ca35e02b3afc6565e6

SHA1
257e57220074a73570955a12672d4d8bf9422981

SHA256
3d9818f060960ff69f424dd414ac803d5cefc6d1eae9d3710249c14f0c728feb

SHA512
d81769829666fb03dee0085c570039667c27859e175942016930ebe6e834bfcd6b5cf0ec6a81790523289678bcdbec9765bb8cd9ffb15f99c6dbb968d5d0de35

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

Filesize
225B

MD5
fed7b2ec167dd603590efe03305c10fb

SHA1
d527f99fa1828cee35dc76ae09160866cad65882

SHA256
4e0aa56faf712e3c9b04ecfb22676a8b165980721974f6676526996a9e103c4d

SHA512
57e8225af3e8760573b6d0d0815846d9348c096a0f87b372fe74916a5022887eb422ae191a1e95c8cee237081f74d403f23758cf83a27181ab2160da1a3b7545

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

Filesize
225B

MD5
2c3df0a15c8871d18df0578e4efc5a45

SHA1
0ca120cc44b821dd0792505843d50027a696531f

SHA256
b6f2ad5ba9f32ef370b8e8c1f8b125a270d58c86c3774b758483cefe2aba9fc9

SHA512
46bc75adcea4d1c8e775152333b1b4b66955585ddc25014239ea9042ef6b5d226bdee01c32854579180f42725aa8cbc415996d04efc5506e33d80464d86bbafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
225B

MD5
e00436d71a8de5e93dceaf88c7bfade8

SHA1
64148f4f415051c1cf13fc5e3f26d80eef8b62fc

SHA256
343c7d5e42632fad51649ee71ebe1a255d73a4b1bd33c67166b68b5782f463db

SHA512
459e4fa10bbf71a2ca06017b803a7980305b501409258014098a34290416500448b2ffee3261521ef1ff1ed3177abbd8eae7b59023e94592c3bceb3103bbe61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
225B

MD5
328d6f0788b77800692329dc3f17ea76

SHA1
de1bf8ae8de9b4ccdaee95b0e966e45b727dc452

SHA256
0324a19a6ba15d2c755703e3b2a8236cf9a350bf9591bbbff29738390d6e0981

SHA512
98e5fe849b651ed104787677734bb962f5c846cf2685836a1b6e14a9efadd0ef3861cbdd8dcfac62812363e9abbb70e2b8e6487b23a2545e7ba7a3441a9e43b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

Filesize
225B

MD5
0acf2447f748dfcb183b09d3c7841b24

SHA1
f8e37fd1ecffc8cfd7b97b6c319b367b9a735df3

SHA256
de286cc2b8d5339fc13cd0ac4bdfc1a107b9ca81032f74aefa80332cfade37da

SHA512
c2802c35ab78c2a20c7b28a64582df0231ad3b44fd0d553f66cbefd30f3f7b28847251260fbdd90189ff0868962cb7c120cde6b56e86e43e8e56f69bb173b488

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
225B

MD5
d4248f85655b5552748c01c52a1ea3dc

SHA1
9a036a615b5af5e971074676d31172f0166af8d6

SHA256
288529c3fa25ef008ad51e1924d39f4f5981139e4259ff1c2e437401b8e01b7b

SHA512
e0a7cab7d3545d5c9a5b992da27007365c57affbb7e50baa46182f3f71bf27290f43490cbb7f0b35f41ce3a09d4479fcfcd7f1820fd233def55794423cba4df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

Filesize
225B

MD5
fe09405adcc54ce98de5f08a7bbd08dc

SHA1
3678d4125368aba776a9261874fd30a340d32a76

SHA256
af4c9ce8061f43e9196480c580216c02a14f63e24b2c8c2db3dab2d0a0ab85e3

SHA512
8874af9c07c81cedd54212074f73c289a828d264f76fc19dd40a0dc3c2dddb2b43f770cc6bf2bfb845a855cba47975385dab8b890de6263228a712b979835cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
225B

MD5
9253b89e9d3f11c3a10e21cfbdd4206a

SHA1
03acc2ca7139c331e3854695b7d97d8a2492237d

SHA256
fa0cf839f07d724dcb7df7265530e3b3b6536e35bfde1050a377f38f71e8b727

SHA512
201437250ce19aaea1bd7822bb2478ebe4ea297dc3f5bad62bdc6d04c157a70c495b33d1e62ec49bc8a54a16953ea8bdc0d746c9ad8646b9150d7b6fee5da172

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
225B

MD5
a568d5fd27a575ba1f139c87b40948d8

SHA1
73999183c203b9dbd1e00eb421b1ee1752cdf3bb

SHA256
b7663bcb4edf8ee1c3ecb606346edb384307ffc294512444eeb9b1da58864055

SHA512
4e4994b2647e714eaf7f8f5d125a8060515a4ceddc03284795b63cc81761c688a47d17815854a5a2a324abf7279d262d96a4cc81dc3147fd9de13a8115573c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

Filesize
225B

MD5
29a4131f6de7b4cc30a902eb1fb1fb35

SHA1
53c0e9bd261c38c4f3f57a17b959231de9b5b103

SHA256
0f854f8652e832e4a8d2a7bf4762c946062c723d093fd34ede656d264bb0128c

SHA512
8ed5cf071cf21dd0fa5d89633f5f8a1a7311aee927db02761afcb1c06743fa15b794486ad67285b0ab318ff20a724e9f12b4a4196a8d7f8294caf5ae7bb57a64

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/232-884-0x0000000000000000-mapping.dmp

Download
memory/372-878-0x0000000000000000-mapping.dmp

Download
memory/372-880-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/604-886-0x0000000000000000-mapping.dmp

Download
memory/672-877-0x0000000000000000-mapping.dmp

Download
memory/764-849-0x0000000000000000-mapping.dmp

Download
memory/932-292-0x0000000000000000-mapping.dmp

Download
memory/1028-857-0x0000000000000000-mapping.dmp

Download
memory/1180-865-0x0000000000000000-mapping.dmp

Download
memory/1216-883-0x0000000000000000-mapping.dmp

Download
memory/1412-314-0x0000000000000000-mapping.dmp

Download
memory/1572-869-0x0000000000000000-mapping.dmp

Download
memory/1664-902-0x0000000000900000-0x0000000000912000-memory.dmp

Filesize
72KB

Download
memory/1664-900-0x0000000000000000-mapping.dmp

Download
memory/1812-290-0x0000000000000000-mapping.dmp

Download
memory/2272-894-0x0000000000000000-mapping.dmp

Download
memory/2276-365-0x00000258E7630000-0x00000258E7652000-memory.dmp

Filesize
136KB

Download
memory/2276-288-0x0000000000000000-mapping.dmp

Download
memory/2336-303-0x0000000000000000-mapping.dmp

Download
memory/2372-291-0x0000000000000000-mapping.dmp

Download
memory/2484-908-0x0000000000000000-mapping.dmp

Download
memory/2504-293-0x0000000000000000-mapping.dmp

Download
memory/2628-295-0x0000000000000000-mapping.dmp

Download
memory/2748-296-0x0000000000000000-mapping.dmp

Download
memory/2864-294-0x0000000000000000-mapping.dmp

Download
memory/2864-875-0x0000000000000000-mapping.dmp

Download
memory/3088-881-0x0000000000000000-mapping.dmp

Download
memory/3232-257-0x0000000000000000-mapping.dmp

Download
memory/3272-859-0x0000000000000000-mapping.dmp

Download
memory/3336-854-0x0000000000000000-mapping.dmp

Download
memory/3356-855-0x0000000000000000-mapping.dmp

Download
memory/3360-891-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

Filesize
72KB

Download
memory/3360-889-0x0000000000000000-mapping.dmp

Download
memory/3496-137-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-164-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-118-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-119-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-149-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-117-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-177-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-176-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-175-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-127-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-171-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-168-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-166-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-163-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-162-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-161-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-158-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-159-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-157-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-154-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-132-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-153-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-151-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-150-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-135-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-136-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-138-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-146-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3496-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3556-899-0x0000000000000000-mapping.dmp

Download
memory/3564-860-0x0000000000000000-mapping.dmp

Download
memory/3564-862-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

Filesize
72KB

Download
memory/3644-777-0x0000000000000000-mapping.dmp

Download
memory/3756-871-0x0000000000000000-mapping.dmp

Download
memory/3976-283-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/3976-280-0x0000000000000000-mapping.dmp

Download
memory/3976-284-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/3976-286-0x00000000022A0000-0x00000000022AC000-memory.dmp

Filesize
48KB

Download
memory/3976-287-0x00000000022B0000-0x00000000022BC000-memory.dmp

Filesize
48KB

Download
memory/3976-285-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/4060-895-0x0000000000000000-mapping.dmp

Download
memory/4264-337-0x0000000000000000-mapping.dmp

Download
memory/4264-373-0x0000000001550000-0x0000000001562000-memory.dmp

Filesize
72KB

Download
memory/4368-308-0x0000000000000000-mapping.dmp

Download
memory/4400-863-0x0000000000000000-mapping.dmp

Download
memory/4420-906-0x0000000000000000-mapping.dmp

Download
memory/4456-897-0x0000000000000000-mapping.dmp

Download
memory/4516-484-0x0000000000000000-mapping.dmp

Download
memory/4540-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4540-181-0x0000000000000000-mapping.dmp

Download
memory/4540-183-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/4632-874-0x00000000011E0000-0x00000000011F2000-memory.dmp

Filesize
72KB

Download
memory/4632-872-0x0000000000000000-mapping.dmp

Download
memory/4636-299-0x0000000000000000-mapping.dmp

Download
memory/4636-385-0x000002842BCE0000-0x000002842BD56000-memory.dmp

Filesize
472KB

Download
memory/4732-300-0x0000000000000000-mapping.dmp

Download
memory/4828-852-0x0000000000000000-mapping.dmp

Download
memory/4836-903-0x0000000000000000-mapping.dmp

Download
memory/4876-892-0x0000000000000000-mapping.dmp

Download
memory/4904-866-0x0000000000000000-mapping.dmp

Download
memory/4904-868-0x00000000013F0000-0x0000000001402000-memory.dmp

Filesize
72KB

Download
memory/4912-905-0x0000000000000000-mapping.dmp

Download
memory/5008-888-0x0000000000000000-mapping.dmp

Download
memory/5016-318-0x0000000000000000-mapping.dmp

Download
memory/5036-289-0x0000000000000000-mapping.dmp

Download
memory/5076-910-0x0000000000000000-mapping.dmp

Download