dcrat | 4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f.exe
Size

1.3MB
MD5

e401e55d32082fa6238bd29c93730377
SHA1

04265c8faa4308b12d77b6ed47082c39010493c4
SHA256

4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f
SHA512

571f134bc5e37655d939bd6d945357dc61131e85dcf74002c408e703da450e93ab7b8d05567a34b3e924b4955543d9ea812ee7f26795d001d01417263e532ec4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2232	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2232	schtasks.exe	32

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d76-10.dat	dcrat
behavioral1/memory/1984-13-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/2640-160-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/836-220-0x00000000009E0000-0x0000000000AF0000-memory.dmp	dcrat
behavioral1/memory/1364-280-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/280-399-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/1800-460-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/1252-579-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2444-639-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/memory/2948-699-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe
2764	powershell.exe
2180	powershell.exe
1932	powershell.exe
1992	powershell.exe
2228	powershell.exe
2088	powershell.exe
2004	powershell.exe
1936	powershell.exe
2572	powershell.exe
2680	powershell.exe
2912	powershell.exe
2368	powershell.exe
2220	powershell.exe
2664	powershell.exe
2856	powershell.exe
316	powershell.exe
2896	powershell.exe
2244	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1984	DllCommonsvc.exe
2640	lsass.exe
836	lsass.exe
1364	lsass.exe
2592	lsass.exe
280	lsass.exe
1800	lsass.exe
948	lsass.exe
1252	lsass.exe
2444	lsass.exe
2948	lsass.exe
2916	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	cmd.exe
2280	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
25	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\en-US\cmd.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\System.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Tasks\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
948	schtasks.exe
1584	schtasks.exe
2064	schtasks.exe
2940	schtasks.exe
2576	schtasks.exe
2656	schtasks.exe
532	schtasks.exe
2456	schtasks.exe
2632	schtasks.exe
620	schtasks.exe
892	schtasks.exe
2732	schtasks.exe
280	schtasks.exe
1900	schtasks.exe
1948	schtasks.exe
2776	schtasks.exe
2640	schtasks.exe
1764	schtasks.exe
2952	schtasks.exe
776	schtasks.exe
2124	schtasks.exe
2160	schtasks.exe
1052	schtasks.exe
2540	schtasks.exe
2808	schtasks.exe
2652	schtasks.exe
1844	schtasks.exe
832	schtasks.exe
2612	schtasks.exe
2908	schtasks.exe
2748	schtasks.exe
2992	schtasks.exe
1112	schtasks.exe
2436	schtasks.exe
1500	schtasks.exe
2380	schtasks.exe
1576	schtasks.exe
1856	schtasks.exe
868	schtasks.exe
300	schtasks.exe
2812	schtasks.exe
1960	schtasks.exe
1488	schtasks.exe
2336	schtasks.exe
800	schtasks.exe
1144	schtasks.exe
828	schtasks.exe
1316	schtasks.exe
1092	schtasks.exe
2916	schtasks.exe
1744	schtasks.exe
2496	schtasks.exe
1620	schtasks.exe
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1984	DllCommonsvc.exe
316	powershell.exe
2368	powershell.exe
2764	powershell.exe
2664	powershell.exe
2444	powershell.exe
2244	powershell.exe
2896	powershell.exe
1932	powershell.exe
1936	powershell.exe
2680	powershell.exe
2228	powershell.exe
2220	powershell.exe
2912	powershell.exe
2088	powershell.exe
2572	powershell.exe
2180	powershell.exe
2004	powershell.exe
2856	powershell.exe
1992	powershell.exe
2640	lsass.exe
836	lsass.exe
1364	lsass.exe
2592	lsass.exe
280	lsass.exe
1800	lsass.exe
948	lsass.exe
1252	lsass.exe
2444	lsass.exe
2948	lsass.exe
2916	lsass.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	DllCommonsvc.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2640	lsass.exe
Token: SeDebugPrivilege	836	lsass.exe
Token: SeDebugPrivilege	1364	lsass.exe
Token: SeDebugPrivilege	2592	lsass.exe
Token: SeDebugPrivilege	280	lsass.exe
Token: SeDebugPrivilege	1800	lsass.exe
Token: SeDebugPrivilege	948	lsass.exe
Token: SeDebugPrivilege	1252	lsass.exe
Token: SeDebugPrivilege	2444	lsass.exe
Token: SeDebugPrivilege	2948	lsass.exe
Token: SeDebugPrivilege	2916	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2836	2444	JaffaCakes118_4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f.exe	28
PID 2444 wrote to memory of 2836	2444	JaffaCakes118_4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f.exe	28
PID 2444 wrote to memory of 2836	2444	JaffaCakes118_4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f.exe	28
PID 2444 wrote to memory of 2836	2444	JaffaCakes118_4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f.exe	28
PID 2836 wrote to memory of 2280	2836	WScript.exe	29
PID 2836 wrote to memory of 2280	2836	WScript.exe	29
PID 2836 wrote to memory of 2280	2836	WScript.exe	29
PID 2836 wrote to memory of 2280	2836	WScript.exe	29
PID 2280 wrote to memory of 1984	2280	cmd.exe	31
PID 2280 wrote to memory of 1984	2280	cmd.exe	31
PID 2280 wrote to memory of 1984	2280	cmd.exe	31
PID 2280 wrote to memory of 1984	2280	cmd.exe	31
PID 1984 wrote to memory of 2896	1984	DllCommonsvc.exe	87
PID 1984 wrote to memory of 2896	1984	DllCommonsvc.exe	87
PID 1984 wrote to memory of 2896	1984	DllCommonsvc.exe	87
PID 1984 wrote to memory of 316	1984	DllCommonsvc.exe	88
PID 1984 wrote to memory of 316	1984	DllCommonsvc.exe	88
PID 1984 wrote to memory of 316	1984	DllCommonsvc.exe	88
PID 1984 wrote to memory of 2444	1984	DllCommonsvc.exe	89
PID 1984 wrote to memory of 2444	1984	DllCommonsvc.exe	89
PID 1984 wrote to memory of 2444	1984	DllCommonsvc.exe	89
PID 1984 wrote to memory of 2912	1984	DllCommonsvc.exe	90
PID 1984 wrote to memory of 2912	1984	DllCommonsvc.exe	90
PID 1984 wrote to memory of 2912	1984	DllCommonsvc.exe	90
PID 1984 wrote to memory of 2228	1984	DllCommonsvc.exe	92
PID 1984 wrote to memory of 2228	1984	DllCommonsvc.exe	92
PID 1984 wrote to memory of 2228	1984	DllCommonsvc.exe	92
PID 1984 wrote to memory of 2088	1984	DllCommonsvc.exe	94
PID 1984 wrote to memory of 2088	1984	DllCommonsvc.exe	94
PID 1984 wrote to memory of 2088	1984	DllCommonsvc.exe	94
PID 1984 wrote to memory of 2764	1984	DllCommonsvc.exe	95
PID 1984 wrote to memory of 2764	1984	DllCommonsvc.exe	95
PID 1984 wrote to memory of 2764	1984	DllCommonsvc.exe	95
PID 1984 wrote to memory of 2180	1984	DllCommonsvc.exe	96
PID 1984 wrote to memory of 2180	1984	DllCommonsvc.exe	96
PID 1984 wrote to memory of 2180	1984	DllCommonsvc.exe	96
PID 1984 wrote to memory of 2368	1984	DllCommonsvc.exe	97
PID 1984 wrote to memory of 2368	1984	DllCommonsvc.exe	97
PID 1984 wrote to memory of 2368	1984	DllCommonsvc.exe	97
PID 1984 wrote to memory of 1932	1984	DllCommonsvc.exe	98
PID 1984 wrote to memory of 1932	1984	DllCommonsvc.exe	98
PID 1984 wrote to memory of 1932	1984	DllCommonsvc.exe	98
PID 1984 wrote to memory of 2004	1984	DllCommonsvc.exe	99
PID 1984 wrote to memory of 2004	1984	DllCommonsvc.exe	99
PID 1984 wrote to memory of 2004	1984	DllCommonsvc.exe	99
PID 1984 wrote to memory of 1936	1984	DllCommonsvc.exe	100
PID 1984 wrote to memory of 1936	1984	DllCommonsvc.exe	100
PID 1984 wrote to memory of 1936	1984	DllCommonsvc.exe	100
PID 1984 wrote to memory of 1992	1984	DllCommonsvc.exe	101
PID 1984 wrote to memory of 1992	1984	DllCommonsvc.exe	101
PID 1984 wrote to memory of 1992	1984	DllCommonsvc.exe	101
PID 1984 wrote to memory of 2244	1984	DllCommonsvc.exe	102
PID 1984 wrote to memory of 2244	1984	DllCommonsvc.exe	102
PID 1984 wrote to memory of 2244	1984	DllCommonsvc.exe	102
PID 1984 wrote to memory of 2572	1984	DllCommonsvc.exe	103
PID 1984 wrote to memory of 2572	1984	DllCommonsvc.exe	103
PID 1984 wrote to memory of 2572	1984	DllCommonsvc.exe	103
PID 1984 wrote to memory of 2220	1984	DllCommonsvc.exe	104
PID 1984 wrote to memory of 2220	1984	DllCommonsvc.exe	104
PID 1984 wrote to memory of 2220	1984	DllCommonsvc.exe	104
PID 1984 wrote to memory of 2664	1984	DllCommonsvc.exe	105
PID 1984 wrote to memory of 2664	1984	DllCommonsvc.exe	105
PID 1984 wrote to memory of 2664	1984	DllCommonsvc.exe	105
PID 1984 wrote to memory of 2680	1984	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4910bdc080abf873730d7e67835569670b867aa95e29a5ecd0004486f8481f8f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7T3eBvHGcz.bat"
        5⤵
        
        PID:2064
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2508
      - C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"
        7⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2320
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
        9⤵
        
        PID:1452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1448
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        11⤵
        
        PID:1516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1756
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"
        13⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2796
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        15⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1140
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        17⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2956
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
        19⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1560
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
        21⤵
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:992
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
        23⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1936
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        25⤵
        
        PID:2872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2488
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4e30e00e368d03909ee0c48e53cc607

SHA1
832c3993bf247f96a64d1cdb1e89c286a7e6d4ab

SHA256
280795fd9d0aa1ea69c7dadefc985d5ec0a2ade32ffd3b89b5782cfaaede18c3

SHA512
80bbe4dd231af7c781a761002b9fd2bdff34adaf4c3dfd63a913805abbbdb2ad50f2a2bd3768f37512147bdf3e37d17779785f9963fa9729e0648bbc6b6d708a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98be6ef19163f63dd6fd0363d0c1ac44

SHA1
38266e1388f73eaca14ffb412f95ab6a272caa47

SHA256
dbc3e0cabe9ab12a6086778a772128b5af7d4f229a960ee9a8c9cc4aacac209b

SHA512
8025215823c737af843b78772a963a120ab17300d60acdc7a4a7da49a40d7f46e939a2ea8e1576e7a0b54022fac3d808603e2d012d1b234d36ce1359f9a4d107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24b02ad087d94e8ef39ab90777b43704

SHA1
ec71df3413741562e480f20e2fad399ae5cbface

SHA256
a3346d5e5087017f2668078c6c2f8c2d14208e4456db0467e644df708a59bc43

SHA512
cafad6df87170ee7438569b90d8b8407fbc5849c932c62a932f32418cd6e47a9109ac79d6a5501fc8b592122233cc694db74f4381a763879f6dcb007daf38e2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2c43f9407ddc673ca73e9e828905b0a

SHA1
845707b24f1bfc1b142fb8e5c4662f9b13df8b44

SHA256
7a1c90a98ad7270e7153cc6a0248563bcc5385fd84cd45c20d2ea516d0b19729

SHA512
e9c12a06ecb1e03873114638af3c1c22d86ebb6a9ac782f39f5ec8882857b8d5d6a104913d84f088104ac1b7dc44b96049e106841c72b1040bfd3c80c7df6abe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4b127d3f658e460d5b85337e77858e7

SHA1
384cb4dde0301a2afee3f16ecfaa1ced8f977e90

SHA256
51c82063b0707f57f378f3a32be3093e897b3e6d9d7d6e9635425422b4cc939a

SHA512
17532850bfbfdb6d20ff38a22e872b6f182a48843d4dbd9737ccbf964a2a60bf34f96f9d477e419885021caafbf608d91f0f2d9febb6b6e29f9acaf56e7b562f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29e06ee85c3101e9fc30f2104b246606

SHA1
35ecf5c46a23d436f5faa1f7cc35d45d94026b53

SHA256
89cd1f53bbf3e5e39f6f99fbf2e745f42a2bc606c4517f7c1d3ed3bf4d10f775

SHA512
b4599c856523191a7c2d0a71a78db0cc30a8975d9f8105fb8322eae9ec464a7861222b168ff577cecad9d92253646163159247694d1b969f93dab2d7cd4cf790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9900a6a060907e9b9e801197af469eb9

SHA1
89b93216c95f4e8b9120e83410d17ba8a128d61b

SHA256
ac2dac7ef85b30b6fd88779cec30a8726d1aeff88818f2509a738f2a2a8f9fa9

SHA512
72109e54e048dbd4936c18438901b56a9d8c7b09b5c0303e92f5fd341cc23c1dbf7d74ddded9f1bcf789c69f71fa28547af59e8fb6b6d74854473ea9a9dc4eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6714e0c6ed218c239ec78e21bdaff83e

SHA1
9794e3b6670fcf0978d478beb241c1b240ac5231

SHA256
8e5fce1e9577d023e0299d75bbef3d5d7e9fd204ebde8a1b63167f48eb75c0e2

SHA512
9fa950a23264f522a8fce564d7d82c1b1026b5e70f4544c844f8990afbbcff19fbb7d1cedde228d770e3b6529d8b89be78199c509d7011aa9a7c43f89f55f56c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b80cdd3a66e59e044b0a0325d2af3434

SHA1
fb1dd191981f868f5910b39fbadc57a4f29f548c

SHA256
9845fe957bf2b935e6cb5eeec53aaebb03c6f090992c06522c4ae6d4cd5e436b

SHA512
ccd27b55f85837414381e93e6a57c9ce98afe96ac69fd1539ccb7b4c23d080410acfe7f25cb18de283d97a82e690b65991b4ea6b0ac999773c18eee520269885

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
192B

MD5
79ed619a3bab4e396365f95561ee63c2

SHA1
7aa26cc4d68801d5612cd2f2915286b867a12069

SHA256
d62782423afa18e06b0fc9a4d2c30c72629b1173b0cc22948f6b02fea5e5d3cd

SHA512
da068ad6480701b2fa832e4349a0ba9e46c03f4aa9c5617b6438f059f098bbefa430d3a31acc6f68817e2fb6e997c0523f844edd4ea70f59e86cd49532f89aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7T3eBvHGcz.bat

Filesize
192B

MD5
9e6a3cdc8cef9a5c6519f3f3137b8ddc

SHA1
9dac2fd23ee03eae9380292e76a80b4c1337ff6f

SHA256
8ed1f29163fdbaa4e2ada98d43823c27b44209edff6857f4e13c2bd1501604e8

SHA512
f5dd03290ea5f3062d42a3e543b6ab52d99fa79dd6e1fef65c05e26a1a36e001f0833d25e971bbcc0ac25c1b5fd22f44f2b75681379aa18f432e57b749509069

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF8B3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
192B

MD5
1cbece27fb2f9a73480f3c7de78147a4

SHA1
5d587c4a617dd32e8feb1d0dc6a7c79488fa5c64

SHA256
0795259fa100c4c1c158278a06152fc4ecd16e5610715d1fe57ff2e719b22f9e

SHA512
d651248ccea02c5fa6d01a7c345194481bbbc4bc444af26d9297bd22bb740061438c81ff809d43883826c2611e001b9529b2dab7708f2e01dc2971d4fa6eb609

Download Submit
C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat

Filesize
192B

MD5
87ab8812bdce7e39e4957fb17759db05

SHA1
a4d9a897da5322590feb9710a902d95998e5f318

SHA256
3a48917de0b7715283023bb2deedf27798b38bbc8c8f4babb20581191ecaf505

SHA512
704ff4864244f37ccc64ea58efdaaaccdcae07a117076af8b70014a2dfd73c24976320225aed8776b04ead3df435b385e285caac47a50ae4857c55ea589502ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat

Filesize
192B

MD5
45216ce782a078f7449c9d5e481a8173

SHA1
01065df79e74b413dd31b87ae7b3d50eebe1d3d8

SHA256
f7ae116651d291044d223d078075b55d5bb7d8b69ea5a16fc45c7a844564aa72

SHA512
349a79d322ad8991e32a9afe8becff3235d455a481f4b49e16bde0cdd908a6698e859b5886a07171455de90117694a6c88386f96f19fcf445da9a31d96b989c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat

Filesize
192B

MD5
290ab3d31b30f524aeb7ec80e0973244

SHA1
73c3df6a4d6ee811580f9037b5c9bd672fc8fec7

SHA256
2428d695e49faf32500b71c48a3e2611736beede8f717fba06cbf79e0954473a

SHA512
52d82d6391f1521ca176b018741bcbe337c584c13cb2ceb90f7540af48f8e135d68401ccaa1306578609780a196b9d17bb8fca4e99a47c5e03fcccb98a89eaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF8C5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat

Filesize
192B

MD5
8ba2b623da0fbf8829478c9decf4334c

SHA1
f1cf4592f4f270019ece6a495bbb0dad78555f9a

SHA256
96639112a2580c42ed4872ff6d5e9a3e5de8cd6b5929dc0c06a7488d6cf11be8

SHA512
e1f060f633bd87f871e1008c360c69c5967db62655867c0c3f9d12bc11327352cac0c9790ee7da8d50c5264a2a3e6ca7dc26e353ac0744abe69e36749d3d9578

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
192B

MD5
f820bafc3eea1be58effa858a0c339b7

SHA1
b1abe07ddd457f2a82109fc6811365621d164cc9

SHA256
8764b56224ec1e43bb37d6f3be7d2e3dd0fec7fbf7a5a20d8519bd0eb5c3d4bf

SHA512
ce1ffd2592ab490ff64c21407330ddbe9d04e790e2274f46c0f97b22513794dd2ed66203baeedf4e556d3cbc0f17f3bae693a86816df12c2632f7ce4b6dc0d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
192B

MD5
e6a0742048a95a9a6c86448450977efd

SHA1
4ebee3fc3e62de2803d56a86b015a3530ca5153a

SHA256
4bfe37b410a5d32a6a3838a98da5ae8d8141e0a8428e1c388152a0f0b1de6991

SHA512
61a3c765e22827ab876487e76dbf4cf50faf5d38eeeed3c88611478bdea3c458a2b4bdfbff7fad842806d68687a6224fd54310ef7c044c8f82ff3677a6b4eaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat

Filesize
192B

MD5
b8672401cc89917245c13c4e56c9c237

SHA1
9b080612ff25447572cdd6889a0365bb4cf5b4a6

SHA256
e6c2566d471d60b46a43f6c78a3c5110e7df3b025960c5bf542dfb5fb28cbb3e

SHA512
4417e2688c8363ac7345aec60e4b1faf9b454ee673c032e40a5ec91fb948e2faaf2e7aa37bbcdf046931eeb966777bffec36c20dda9f4dc5f3b6b665dcd0b8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
192B

MD5
53aafbd2d4793c516f43ea6a68dfb737

SHA1
95b4f81548479d91d2ccc515a9a2c8448f76608f

SHA256
5be5de843f7acc320c15575c6066667f3b8d005f99f67abdea3eed20f9fcdf99

SHA512
e0375a47e7d23d60f3a067547147a16c8d518ad2c092b742d2d68d68edeaaf9ff42058e9268aebf057627ac3ba40a100be2353e4f78a727b8444cb2dfaa6efad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ccab883937c65d9feef6f1421d4b39f

SHA1
acd4114c760747e2785f33586db0b6430ef5d481

SHA256
3349c3bd4fd6a503c21cf792a059e05c3a761175c87374894341429d2c7f1122

SHA512
8e679b90f1200b4d2d4ddbe155e7338a7dfe3f510021dbe3bf0e5ce4b51d6798e3dbae9e62f0b7b6bc1d7d8a8485c32f7484646c7ab987afd240ed7290cefc9a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/280-399-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/280-400-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/316-72-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/836-220-0x00000000009E0000-0x0000000000AF0000-memory.dmp

Filesize
1.1MB

Download
memory/1252-579-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/1364-280-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/1800-460-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/1984-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1984-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1984-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1984-13-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/1984-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2444-639-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/2640-161-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2640-160-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/2664-85-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2664-86-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2764-73-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2896-137-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2948-699-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download