dcrat | a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe.exe
Size

1.3MB
MD5

370ff729b6b3b887d545a496303a412a
SHA1

c23cac694d581f2f456dfcad5aeea05d1523159e
SHA256

a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe
SHA512

b83a00f35eac783135326a94bff101e7cb29130cacefc77ea04e5c7a658757056110b543f49bd0f1843a7220c2af75c4b7f4577a98ba946da001e0830a3334d6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2924	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001949d-12.dat	dcrat
behavioral1/memory/2752-13-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/496-150-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2200-210-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/2680-270-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/1444-330-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/3016-390-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1788-450-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/2028-628-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2120-688-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/1052-748-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1720	powershell.exe
2272	powershell.exe
2784	powershell.exe
2748	powershell.exe
948	powershell.exe
1528	powershell.exe
2588	powershell.exe
2652	powershell.exe
2776	powershell.exe
2660	powershell.exe
2416	powershell.exe
2292	powershell.exe
2300	powershell.exe
2208	powershell.exe
1228	powershell.exe
1512	powershell.exe
2388	powershell.exe
2836	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2752	DllCommonsvc.exe
496	OSPPSVC.exe
2200	OSPPSVC.exe
2680	OSPPSVC.exe
1444	OSPPSVC.exe
3016	OSPPSVC.exe
1788	OSPPSVC.exe
1012	OSPPSVC.exe
2460	OSPPSVC.exe
2028	OSPPSVC.exe
2120	OSPPSVC.exe
1052	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
1796	cmd.exe
1796	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
20	raw.githubusercontent.com
34	raw.githubusercontent.com
41	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\it-IT\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\75a57c1bdf437c	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_display.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8b846aed56c71c55\WmiPrvSE.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2940	schtasks.exe
1312	schtasks.exe
1604	schtasks.exe
2424	schtasks.exe
1740	schtasks.exe
2348	schtasks.exe
2528	schtasks.exe
1812	schtasks.exe
2276	schtasks.exe
1164	schtasks.exe
872	schtasks.exe
1632	schtasks.exe
1396	schtasks.exe
1856	schtasks.exe
2992	schtasks.exe
2640	schtasks.exe
3064	schtasks.exe
3004	schtasks.exe
2072	schtasks.exe
2328	schtasks.exe
1240	schtasks.exe
308	schtasks.exe
2184	schtasks.exe
1088	schtasks.exe
2464	schtasks.exe
2044	schtasks.exe
2580	schtasks.exe
496	schtasks.exe
2224	schtasks.exe
2392	schtasks.exe
2936	schtasks.exe
2460	schtasks.exe
2012	schtasks.exe
2616	schtasks.exe
2216	schtasks.exe
2020	schtasks.exe
2472	schtasks.exe
3024	schtasks.exe
1236	schtasks.exe
1276	schtasks.exe
1872	schtasks.exe
1600	schtasks.exe
1640	schtasks.exe
1876	schtasks.exe
1444	schtasks.exe
2668	schtasks.exe
1664	schtasks.exe
1496	schtasks.exe
2676	schtasks.exe
2180	schtasks.exe
612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
1528	powershell.exe
2292	powershell.exe
2300	powershell.exe
2836	powershell.exe
2784	powershell.exe
2388	powershell.exe
1228	powershell.exe
2416	powershell.exe
2748	powershell.exe
1720	powershell.exe
2588	powershell.exe
2652	powershell.exe
948	powershell.exe
2272	powershell.exe
2660	powershell.exe
2776	powershell.exe
1512	powershell.exe
2208	powershell.exe
496	OSPPSVC.exe
2200	OSPPSVC.exe
2680	OSPPSVC.exe
1444	OSPPSVC.exe
3016	OSPPSVC.exe
1788	OSPPSVC.exe
1012	OSPPSVC.exe
2460	OSPPSVC.exe
2028	OSPPSVC.exe
2120	OSPPSVC.exe
1052	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	496	OSPPSVC.exe
Token: SeDebugPrivilege	2200	OSPPSVC.exe
Token: SeDebugPrivilege	2680	OSPPSVC.exe
Token: SeDebugPrivilege	1444	OSPPSVC.exe
Token: SeDebugPrivilege	3016	OSPPSVC.exe
Token: SeDebugPrivilege	1788	OSPPSVC.exe
Token: SeDebugPrivilege	1012	OSPPSVC.exe
Token: SeDebugPrivilege	2460	OSPPSVC.exe
Token: SeDebugPrivilege	2028	OSPPSVC.exe
Token: SeDebugPrivilege	2120	OSPPSVC.exe
Token: SeDebugPrivilege	1052	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe.exe	31
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe.exe	31
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe.exe	31
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe.exe	31
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 2752 wrote to memory of 1512	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 1512	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 1512	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 1720	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 1720	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 1720	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 2292	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 2292	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 2292	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 2272	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 2272	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 2272	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 2588	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2588	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2588	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 1228	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 1228	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 1228	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 1528	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 1528	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 1528	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 2208	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2208	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2208	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2300	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2300	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2300	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2388	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2388	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2388	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2784	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2784	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2784	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2748	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2748	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2748	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2836	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 2836	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 2836	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 948	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 948	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 948	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 2776	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 2776	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 2776	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 2416	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2416	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2416	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2660	2752	DllCommonsvc.exe	105
PID 2752 wrote to memory of 2660	2752	DllCommonsvc.exe	105
PID 2752 wrote to memory of 2660	2752	DllCommonsvc.exe	105
PID 2752 wrote to memory of 2652	2752	DllCommonsvc.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a700b59bddfd56731dfd9bb7a1a2b7370ef321106be4d25cf64aee75caf9edfe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zj5cV41Lma.bat"
        5⤵
        
        PID:2564
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:672
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
        7⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1692
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
        9⤵
        
        PID:1324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:572
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"
        11⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:756
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
        13⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2820
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat"
        15⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2792
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
        17⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1512
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
        19⤵
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2424
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        21⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2624
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
        23⤵
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1200
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        25⤵
        
        PID:1344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2400
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
        27⤵
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Links\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ca15b219218705582388805507c9b47

SHA1
2a2c2be2a48544b695646ce4f286f4bc5d79b127

SHA256
3fc8269e3a01e2d504106c8176b9071c5332244acbba01553ff78f9f48c7796e

SHA512
9846d3aff49495da44bd07bc39de88655539db1bb24c2392b1bba96446fe6afc8ed838856db67982e31f05b6a300eddf0017b2e8f805fcfee7529300e86c426e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc6e6350a0df0844951b4bf9f5fc4450

SHA1
4c401c93085ca9d10a4e246e06ec2bab2cf0125e

SHA256
a5e7e22aa7ff1a1e214ba3ae5dce36548b47dbbe2727d8103e39dca6e0feec43

SHA512
3165d1f1952241090281aec49957ffc5afcf668d603fab6b0d76e8353c5e19e0dcd60c32f0d12b2bc43fc73c590c246bc9b7b95b5c4980ced057f4ba78cca123

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77613fbb5956d4c6b8ada010e732f226

SHA1
d26069905156d3beb89d8ba9961f9dcfe1129956

SHA256
16b012f86600074083df05212ef619e344bb863dd0ff71efa917cc8e59b1c002

SHA512
cf9304227b2d999c7d4db957a7618bc1565f3e34fec6b1ea1e9df92c6e3c25b77621ef89bb37505b1dbf3545dd4a2bbcf6a15241db6229a77e4af16d42272e2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
434384c859d0896c52d515fe8778615f

SHA1
ca957c1dcf97f99648cd13892316ef289e850fc3

SHA256
1b8d687096d40d41c4925565be0fbc15237aab3af5ad204395f345f1da9d6976

SHA512
8abe784c988b4fc0e3787abccdb9b07a56ad3aa65dee921875a204026478944b78dc753fe2ecb30b445f225a02d3772034d905bb2e280f91ff38d8d9f5d25586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cf7bbe93e2de2060d3485574ad5087f

SHA1
3f77b6e6fbdde41992b1067a036d578d19cd9afd

SHA256
a9d4db606fef0ecaa7780fb50c1a24cd284d1ef5948d9c221edb66686f14800f

SHA512
cf7333b482ae92615a7c85402f463a190002534fed591cd4aea620394ccf55e57446407ee404728d1e09dd9c15d557ca0becd8fd472fff28f22d9b8eae6923a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
049973bd12fae6b7632192bc6bb28a4b

SHA1
d6087d587ef9e7d09bf958a764295841d827b8a5

SHA256
422b9945343cb86bc312e89f0ab42fcb60f4d4bbb08d66817b47e73f88c51b9f

SHA512
129d3fd274df17f7ead66630187a7e3632e111200e8b2c96bcedd5d102f9fa0535025cdf01d1777d4873d462530627b39fc83377a2b615820d79c445538e98fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
247d8e054e7dbe0cb1c57832fd6e9146

SHA1
5edbfdbd00f5cea2335bf51293a04e87527e0f19

SHA256
14d6df6d10444c84a79aa72b8adef519cb63bc30cc1879190f05d5e5e8e16bc9

SHA512
4a3410944e3c336bf2a3b967c87603bc1f623d12bcabcc7c7794a43762a5a4b6f352965ae62ed8252ef32944a6ed9569ffee4f75906334b4ba8beac3fe44bff3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0388c95c0ae136ff33122e91dd8c5c80

SHA1
8ed74a211b3914dbff9f3538dbb09cc34c8b401b

SHA256
6908d1905fe9574f2d0b3cb599ae113d37eec3df0bbefb71302f5165b538040c

SHA512
5ff20ac13877b6f9ba9a0a7f1687ebab81b4fc46b191b9512cc172e30f589bedd4efc3dcba4964cb2f0e819c7fe8c2c252acec622f77344cbedfd0110997987c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37edebb046d7d1750b4719bb84972a23

SHA1
876abf57daddb670e72e0c5b15b7d1b2a0d97e69

SHA256
1db1f7d8e9dbb453f8abbf58c8c251269c5aa3626574ea0060be004a42b89d58

SHA512
616ba0747edee381e2626c9819e2a76d7cb0d4f58879d54e467c789afefcce73ceeee6ea99567443029372c22ebff85c33768e62b82312a173f36c396b79f561

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf9b52700955b994a8d1a3007e04a2b1

SHA1
33c190de66c0a4dd9eba10cbe40d22dace6fa780

SHA256
940d6da44896816f986b91fc738ab84af41e63ff886605ff0c0635706bfb1bc6

SHA512
a1f83d1e91dc93fbe8b8f99c70f92880af3e96bdb51bc85679bf62f4b1974ae3fd04ea82f316fa609a8913a3a2f2b124f4da286efdabc87ec4fdd7512cda3101

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
239B

MD5
54c75b75aa0ae6ff085ae174ca640819

SHA1
06070fde7c38c83b0f0c80ac38cbe053ce02e3b4

SHA256
5817ff6a36eb5771c4cc5401485c377ea9c02ca84547f0ef6578283d2af5964e

SHA512
7d73664fc4da557e92ccd3ad93ecb3497b3665f038722554bf7c8bf8d067a8ebd0a256b6a8f8abe4f2af8b2c22e087428cd48bb1613fdc6caa46f3412fba067b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat

Filesize
239B

MD5
c00ef5be5295d600cff3d3a6ff267a41

SHA1
5f408aaee08f591457072e00ac76fc02c4575b8b

SHA256
cd26e914311f2318319b836b77e1536cb3146b8028f621f83bc1cb3eeadd0f04

SHA512
25ad92c0c24313247505265d20bc31e1984a1002229232853d3a8f6500518e1f38ce59224fdf342b0acacf754453ef7b331e6fc1731dbae142efa405ef0d3b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat

Filesize
239B

MD5
ad37f3a82dc851ba80b054231bd6118e

SHA1
70c9fd76b9d72ccedd6397700bf8bf12addc0efb

SHA256
829ca3a009b38cdab6904982dce72585ebbeb5a54a4bec36df759fdb3767e6e9

SHA512
79f9d9f5cd7ea8f2d1c1d2fdf6c60bfa181f688033db7c4d9c70de31d970d67af42513d09f017215a2f99cf3706271b6dc0bd5034a1a742214fad1da0d97beef

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

Filesize
239B

MD5
af7afd3868b34d066f495be9c4bebcac

SHA1
e979f8dc83b4024d240b179febb5c4944988df21

SHA256
ea5bf0a802170629982b3b6687132c8c0b42c166b9551bdc4b847dafabba5fe2

SHA512
a1b9d128036447ccb1ba9b179db17e0040adc4e2544cdfd5fcfe26bc87900e3260668828431c07300dd03ad63d2f43dbac6872ed767f2794369e4bac277a8a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3314.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

Filesize
239B

MD5
66c86593a8036926f8ddb8f536b588b0

SHA1
c33467933ca636ca304913c4383f1e26608f93a0

SHA256
c069fd9c19fd59531d91d1fff6070568489744746decf5a6e2fc2438d294f86f

SHA512
906c47d19fa86526c946f68e568f1c8732f88aba412ec81786d6e94f2bf5a9e17c116f4f61a23b675ecb6f41c7f14b03a9a43cc6c165ce0b471b9e1ddf6a6a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
239B

MD5
c7c642961dc8190551ff22582a1b217f

SHA1
6dc3f215f1cc806df47afb5bd0471e74dd1d0e10

SHA256
943c159312654366d9659b070f24272f8fd495e303ede42f944fcee657719d94

SHA512
a353fd956447f2809be04305f0768f13cdcd9e97fd1d271e9c0dfd9536483ff49452cd678030789f37850d032d90b516d67efee8031d1e153da10b71d9ba1fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

Filesize
239B

MD5
74f63cf928105f81f1736e538954205a

SHA1
f005d299b0220909ffb5ea10fd9ce9b8fc40b745

SHA256
0aff3347834df917a1e68e41d64773fa4e37a845f5f4da7bb5efebe1b546b554

SHA512
425e99493e0dcfed4d58b3ca4ba46a96d3276fff0f4623ecc53c74f522eb0ff37cd1f15d0f5167c124d7e62c0af3c5618a7ac6985259d9f18862fa6f444c41d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3345.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

Filesize
239B

MD5
914538272d71a890743251076fe87d2a

SHA1
bac5d4fa4d6e109a48bb8ba13f95baf9c6e458f9

SHA256
9e96ac212273cc6ec37c2dd2f33dba0c62e63e4236a8b61fea4ad8539b5eb3d5

SHA512
0fc748ae8eeb2ebdc26201656bd5f947f0d412db7ae36551dd8fd5ecc7a05479d9bd8cd33f26a93a51afd64863f2d2d85752f702bc320a8d3eb72cc6da5bb7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

Filesize
239B

MD5
40955f78096b1cfec5f1bdc5cf7f8269

SHA1
69ee6bef512d135a7f47008e45fdb56dafc7f13b

SHA256
0a77b7c2f275b5b7a49f960a26c800afd341d1eab221a001be877e622f7a7ab2

SHA512
5bfc99eb7896692bcf456a782cc50484e713a2e35988b452d9083a684cf8ce66d04896836e1a9ab809630d552856fd01a18f91006688b6e4fa0ecbafabf5404c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat

Filesize
239B

MD5
5d432d74c0cfacfba2d7056a3704b8c4

SHA1
5e3624217851c37d00eb0de2761c19889c3ad337

SHA256
4ebe53f73e32a7096c6a31e8d549cc67925a8d7809ba0642eae04d1e39e4e8e6

SHA512
cfeaa83487f7b08163bf86303831f7102473e21a3536ae64c2aad6969e3cf05c1ed91275865530a8c459a05503ac01ae369c4a2c0b7a7ce3b34a47315730896c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zj5cV41Lma.bat

Filesize
239B

MD5
d04f21ef98de8ec6cc82e8789c531226

SHA1
eb5a791ff3ee90a9fdfd03e0d4dd3f70b0b5e34e

SHA256
c5a97f9d6c48006f739b28438ac5539932fea145bc274f7ea1431a70dd3bc156

SHA512
ebf54f8bf501accf3365298ffb09d0aedc809bf52c7ee0fc479648708692b36887944b60028b4380155e01c9fbc35afabc753c3a0b8d268929836afc7c50bb49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ee62bdd94e812de518bbf8c940262f03

SHA1
53b8d4b3fc9cd36baaea79fb0cdc31a6d8c7535a

SHA256
3b0a8c8c69ea0d28750d77a12c63488242c843bd11651e778e3501b233f03549

SHA512
f0089f641f39e7a609fe5ec120ca0e922f47b8605574619ae0acdba3b0910935e67debd7500ec414bdde6eb215c50a7e1c7fffb5a438f7a7f968be4144718707

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/496-151-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/496-150-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/1052-748-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/1444-330-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1528-70-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1788-450-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2028-628-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2120-688-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2200-210-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2292-69-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2680-270-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/2752-13-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2752-14-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2752-15-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2752-16-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2752-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/3016-390-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download