dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
10s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
Size

1.3MB
MD5

e1e945f04fbbeab2efa06d16d21e4c22
SHA1

54037b5b03272d255ab875b5791f87902c5b9457
SHA256

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69
SHA512

61dfbe4d1803ba11f7318b1338343529be925bd84ba107bccb9d7c3f8175a012ea877a613946419f8486cd1c1606d7433c07342278a8c670a5013e999308ae41
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1428	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
\providercommon\DllCommonsvc.exe	dcrat
behavioral2/memory/864-65-0x00000000012B0000-0x00000000013C0000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe	dcrat
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe	dcrat
behavioral2/memory/2836-117-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe	dcrat
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe	dcrat
behavioral2/memory/2512-219-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe	dcrat
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe	dcrat
behavioral2/memory/2720-226-0x00000000009D0000-0x0000000000AE0000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

DllCommonsvc.exe

pid process

864 DllCommonsvc.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1232 cmd.exe
1232 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
864	DllCommonsvc.exe

pid	process
1232	cmd.exe
1232	cmd.exe

Drops file in Program Files directory 4 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft.NET\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\addins\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\addins\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\addins\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1184	schtasks.exe
1124	schtasks.exe
1328	schtasks.exe
612	schtasks.exe
1476	schtasks.exe
636	schtasks.exe
1624	schtasks.exe
1096	schtasks.exe
1692	schtasks.exe
956	schtasks.exe
1196	schtasks.exe
1096	schtasks.exe
1048	schtasks.exe
2024	schtasks.exe
1552	schtasks.exe
1320	schtasks.exe
728	schtasks.exe
1484	schtasks.exe
1864	schtasks.exe
564	schtasks.exe
1708	schtasks.exe
2028	schtasks.exe
1972	schtasks.exe
1660	schtasks.exe
536	schtasks.exe
1152	schtasks.exe
1680	schtasks.exe
1948	schtasks.exe
1976	schtasks.exe
1760	schtasks.exe
1596	schtasks.exe
1636	schtasks.exe
1604	schtasks.exe
1848	schtasks.exe
1912	schtasks.exe
1380	schtasks.exe
1472	schtasks.exe
1012	schtasks.exe
1764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

DllCommonsvc.exe

pid process

864 DllCommonsvc.exe
864 DllCommonsvc.exe
864 DllCommonsvc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DllCommonsvc.exe

description pid process

Token: SeDebugPrivilege 864 DllCommonsvc.exe

pid	process
864	DllCommonsvc.exe
864	DllCommonsvc.exe
864	DllCommonsvc.exe

description	pid	process
Token: SeDebugPrivilege	864	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exeWScript.execmd.exeDllCommonsvc.exe

description	pid	process	target process
PID 1440 wrote to memory of 1920	1440	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 1440 wrote to memory of 1920	1440	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 1440 wrote to memory of 1920	1440	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 1440 wrote to memory of 1920	1440	0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe	WScript.exe
PID 1920 wrote to memory of 1232	1920	WScript.exe	cmd.exe
PID 1920 wrote to memory of 1232	1920	WScript.exe	cmd.exe
PID 1920 wrote to memory of 1232	1920	WScript.exe	cmd.exe
PID 1920 wrote to memory of 1232	1920	WScript.exe	cmd.exe
PID 1232 wrote to memory of 864	1232	cmd.exe	DllCommonsvc.exe
PID 1232 wrote to memory of 864	1232	cmd.exe	DllCommonsvc.exe
PID 1232 wrote to memory of 864	1232	cmd.exe	DllCommonsvc.exe
PID 1232 wrote to memory of 864	1232	cmd.exe	DllCommonsvc.exe
PID 864 wrote to memory of 336	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 336	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 336	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 1420	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 1420	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 1420	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2060	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2060	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2060	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2084	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2084	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2084	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2108	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2108	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2108	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2132	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2132	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2132	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2156	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2156	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2156	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2180	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2180	864	DllCommonsvc.exe	powershell.exe
PID 864 wrote to memory of 2180	864	DllCommonsvc.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe
"C:\Users\Admin\AppData\Local\Temp\0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
PID:336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\Idle.exe'
5⤵
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WMIADAP.exe'
5⤵
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
5⤵
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'
5⤵
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\conhost.exe'
5⤵
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'
5⤵
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
5⤵
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
5⤵
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
5⤵
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'
5⤵
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
5⤵
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'
5⤵
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
5⤵
PID:2504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SI9vLNdmL8.bat"
5⤵
PID:2672

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2808

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe"
6⤵
PID:2836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
7⤵
PID:2960

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:2996

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe"
8⤵
PID:2296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat"
9⤵
PID:956

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:112

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe"
10⤵
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
11⤵
PID:2912

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:2960

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe"
12⤵
PID:2512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"
13⤵
PID:1932

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:2428

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
"C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe"
14⤵
PID:2720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
15⤵
PID:1532

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat
Filesize
237B

MD5
f0aa943d694e351c528e185c273c4bcc

SHA1
a7e86e5e5309d4c7ba577f02fc914256e69d5e74

SHA256
c7c4aa651250c2d4f0726118708b11d93e99a85989347f03020fd0d198e3feb6

SHA512
d7caeec9651d4f3957be22cae8b778138aea5700299889350937321c77e81134661a538e347326c9c414016afcd444a854a0d96c7997c0af73fabd1404de5b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat
Filesize
237B

MD5
51c155c633de10a04f1eb37be0727b74

SHA1
9f4d8491e9537e2a9cf918f65db2cf2250eb79ee

SHA256
bba5ca2f48a5e5e42d83c21c87442e2e47c713caa59a884728acc97e861cf379

SHA512
8a148527ad5b8f61054eb1e4685772ffefda0b8bd36c5b1193e424f6298e1e76921124fe345b13c9aef041771243307663d9ac62979cef43fb88c5b95852d731

Download Submit
C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat
Filesize
237B

MD5
1b6a46e507567e1070e8836607e24bf6

SHA1
27cfd8ba8a5c95dbc7d5a5f8a17eb037783de0c7

SHA256
f6f3b2d96e9e007370a59738b2abd2c49bdc2d49f5296a1785c9610a8f08dc02

SHA512
9bbe1d992d2f99b5de89ad94be7dd6d4095bf9625a3c8a846d55feae66d4bf883a94df02073a3bde77037839c38d3fa55e9fec1400a0dd1b2a2e09f3779994c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SI9vLNdmL8.bat
Filesize
237B

MD5
416aa47a867b1971587e5d73f5581b05

SHA1
dad9c95e2e6e6ae29c091838322088d54fb4221d

SHA256
6e637c578e744d5ef7cc6a920c940fd1fabbd7ac85da12c3c701c73b307e1afa

SHA512
4e716563d0fd3cf967b99f193696ec6cd6e8e4a1243e05528511ae29963fcebcfd456478a9c2cd3ad3fbb3c65ffbeaafbe573a7191b76b74a6e2930aac838da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat
Filesize
237B

MD5
d445728ad2948a16e1bd03fba78d2012

SHA1
a286f4336c7562fe56280c8e9db355e2d6f5fdcf

SHA256
8143d7e5eaf56b257ce4b089ba151c72d342950f5f132b68b359bef834db3ae1

SHA512
1aada411019cae7536e27dc0db7705a60ec12bc7750b83ecf3a33cb384fca5697d33adadb3cbca2728a9a357a017c7976867b98fbc46b1d92d2676b52e0f0d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat
Filesize
237B

MD5
bac9e8e737700534de839c40f3d333ca

SHA1
dcd1925e66fb613515f8a1d61d0b84f8c5b7bf5b

SHA256
fe01d56a2dd8ab7cb57a52dcb3e3329192b5500f9a120a15095708f77f521061

SHA512
70b2c67c261cb8f673870fb8cb43f64437825178ce437b6f730c1cc6f0a6ef3dcd841b2f4bd9e564009fa5b74cea55f93db523f22582953533dde874d3c17625

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
924736fc1b7383594381e000807b9227

SHA1
cf9daea2cc141d3c49796ebbf2857fd3294110a1

SHA256
115a13c39ff75ad78af20d530917be5dfab9872f9079b90fbb0c622e2d0fb933

SHA512
30cbfe5b1bce18fa3a9c56472eebb3fa2d895b72028bf8318b549dda48e8f73b464e5d36a416b4c6ddefa8daa049b5912c0850ed04c77e9d129fab7734174066

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/112-173-0x0000000000000000-mapping.dmp

Download
memory/336-70-0x0000000000000000-mapping.dmp

Download
memory/336-199-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/336-84-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/336-156-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/336-181-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/336-78-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download
memory/336-198-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/336-141-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/336-164-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/864-67-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/864-69-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/864-68-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/864-66-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/864-65-0x00000000012B0000-0x00000000013C0000-memory.dmp

Filesize
1.1MB

Download
memory/864-63-0x0000000000000000-mapping.dmp

Download
memory/956-171-0x0000000000000000-mapping.dmp

Download
memory/1012-229-0x0000000000000000-mapping.dmp

Download
memory/1232-59-0x0000000000000000-mapping.dmp

Download
memory/1420-71-0x0000000000000000-mapping.dmp

Download
memory/1420-205-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1420-118-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/1420-154-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/1420-185-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1420-169-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1420-145-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1420-203-0x000000000275B000-0x000000000277A000-memory.dmp

Filesize
124KB

Download
memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1532-227-0x0000000000000000-mapping.dmp

Download
memory/1816-177-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1816-175-0x0000000000000000-mapping.dmp

Download
memory/1920-55-0x0000000000000000-mapping.dmp

Download
memory/1932-221-0x0000000000000000-mapping.dmp

Download
memory/2060-192-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download
memory/2060-72-0x0000000000000000-mapping.dmp

Download
memory/2060-162-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/2060-193-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/2060-127-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2060-151-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2060-139-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/2060-179-0x000000001B950000-0x000000001BC4F000-memory.dmp

Filesize
3.0MB

Download
memory/2060-189-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download
memory/2084-150-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2084-163-0x0000000002014000-0x0000000002017000-memory.dmp

Filesize
12KB

Download
memory/2084-73-0x0000000000000000-mapping.dmp

Download
memory/2084-140-0x0000000002014000-0x0000000002017000-memory.dmp

Filesize
12KB

Download
memory/2084-178-0x000000001B900000-0x000000001BBFF000-memory.dmp

Filesize
3.0MB

Download
memory/2084-194-0x0000000002014000-0x0000000002017000-memory.dmp

Filesize
12KB

Download
memory/2084-195-0x000000000201B000-0x000000000203A000-memory.dmp

Filesize
124KB

Download
memory/2084-120-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2108-184-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/2108-74-0x0000000000000000-mapping.dmp

Download
memory/2108-204-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/2108-95-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2108-206-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/2108-155-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2108-146-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/2108-170-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/2132-75-0x0000000000000000-mapping.dmp

Download
memory/2132-209-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/2132-158-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2132-174-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/2132-211-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/2132-119-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2132-183-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2132-147-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/2156-166-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2156-76-0x0000000000000000-mapping.dmp

Download
memory/2156-208-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2156-143-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2156-153-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2156-132-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2156-180-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/2156-207-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/2180-77-0x0000000000000000-mapping.dmp

Download
memory/2244-130-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2244-80-0x0000000000000000-mapping.dmp

Download
memory/2244-126-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2244-188-0x00000000023EB000-0x000000000240A000-memory.dmp

Filesize
124KB

Download
memory/2244-161-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/2244-148-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/2244-138-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/2244-187-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/2260-129-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2260-137-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2260-160-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2260-197-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/2260-196-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2260-124-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2260-82-0x0000000000000000-mapping.dmp

Download
memory/2296-134-0x0000000000000000-mapping.dmp

Download
memory/2308-85-0x0000000000000000-mapping.dmp

Download
memory/2392-135-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/2392-125-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2392-128-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2392-149-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/2392-190-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/2392-191-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/2392-91-0x0000000000000000-mapping.dmp

Download
memory/2392-159-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/2428-223-0x0000000000000000-mapping.dmp

Download
memory/2456-93-0x0000000000000000-mapping.dmp

Download
memory/2456-200-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/2456-201-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/2456-202-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/2456-165-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/2456-182-0x000000001B930000-0x000000001BC2F000-memory.dmp

Filesize
3.0MB

Download
memory/2456-152-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2456-131-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2456-142-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/2504-210-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/2504-157-0x000007FEF60E0000-0x000007FEF6C3D000-memory.dmp

Filesize
11.4MB

Download
memory/2504-212-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2504-133-0x000007FEECB80000-0x000007FEED5A3000-memory.dmp

Filesize
10.1MB

Download
memory/2504-168-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2504-144-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2504-97-0x0000000000000000-mapping.dmp

Download
memory/2504-186-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

Filesize
3.0MB

Download
memory/2512-220-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2512-219-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2512-217-0x0000000000000000-mapping.dmp

Download
memory/2672-106-0x0000000000000000-mapping.dmp

Download
memory/2720-224-0x0000000000000000-mapping.dmp

Download
memory/2720-226-0x00000000009D0000-0x0000000000AE0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-113-0x0000000000000000-mapping.dmp

Download
memory/2836-117-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2836-115-0x0000000000000000-mapping.dmp

Download
memory/2912-214-0x0000000000000000-mapping.dmp

Download
memory/2960-121-0x0000000000000000-mapping.dmp

Download
memory/2960-216-0x0000000000000000-mapping.dmp

Download
memory/2996-123-0x0000000000000000-mapping.dmp

Download