dcrat | 04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751.exe
Size

1.3MB
MD5

25ca484813eed68aa6db13c2fb450e40
SHA1

5e40706b983e7aa6aee2eb8c04209472a5d76faf
SHA256

04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751
SHA512

305296b9eaf191c99eb86a2cf8a944a516d7527be945fb7104cbd0546acc5badf8d121dd27fa916ecd9eb582b18d4561b79c9a6679cfbec8b1371163dc30b45d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2240	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2240	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016399-12.dat	dcrat
behavioral1/memory/2752-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/1496-58-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1996-264-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/1752-324-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/796-384-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2788-444-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2648-504-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/1108-564-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/920-683-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2576-744-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/956-804-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2240-864-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
2212	powershell.exe
1280	powershell.exe
2912	powershell.exe
2884	powershell.exe
2540	powershell.exe
2756	powershell.exe
2864	powershell.exe
2740	powershell.exe
2528	powershell.exe
3060	powershell.exe
812	powershell.exe
2328	powershell.exe
2312	powershell.exe
2524	powershell.exe
2996	powershell.exe
2544	powershell.exe
2828	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2752	DllCommonsvc.exe
1496	winlogon.exe
3052	winlogon.exe
1996	winlogon.exe
1752	winlogon.exe
796	winlogon.exe
2788	winlogon.exe
2648	winlogon.exe
1108	winlogon.exe
2008	winlogon.exe
920	winlogon.exe
2576	winlogon.exe
956	winlogon.exe
2240	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	cmd.exe
2364	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
43	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\security\logs\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Globalization\ELS\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\ELS\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Media\Festival\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Festival\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\security\logs\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\security\logs\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\System.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
796	schtasks.exe
2512	schtasks.exe
1724	schtasks.exe
2076	schtasks.exe
2256	schtasks.exe
1356	schtasks.exe
2140	schtasks.exe
2128	schtasks.exe
1864	schtasks.exe
1488	schtasks.exe
2428	schtasks.exe
1764	schtasks.exe
544	schtasks.exe
844	schtasks.exe
3000	schtasks.exe
1608	schtasks.exe
1876	schtasks.exe
2676	schtasks.exe
584	schtasks.exe
1760	schtasks.exe
2944	schtasks.exe
2600	schtasks.exe
2508	schtasks.exe
2532	schtasks.exe
2644	schtasks.exe
1912	schtasks.exe
2324	schtasks.exe
2780	schtasks.exe
2084	schtasks.exe
1796	schtasks.exe
2928	schtasks.exe
2964	schtasks.exe
644	schtasks.exe
444	schtasks.exe
3024	schtasks.exe
3008	schtasks.exe
1300	schtasks.exe
2224	schtasks.exe
2116	schtasks.exe
2684	schtasks.exe
2824	schtasks.exe
2936	schtasks.exe
2320	schtasks.exe
1292	schtasks.exe
908	schtasks.exe
2440	schtasks.exe
1652	schtasks.exe
1616	schtasks.exe
1040	schtasks.exe
488	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2544	powershell.exe
2312	powershell.exe
2212	powershell.exe
2756	powershell.exe
1496	winlogon.exe
3060	powershell.exe
2540	powershell.exe
2836	powershell.exe
2524	powershell.exe
2328	powershell.exe
2828	powershell.exe
2912	powershell.exe
2996	powershell.exe
1280	powershell.exe
2528	powershell.exe
2884	powershell.exe
812	powershell.exe
2740	powershell.exe
2864	powershell.exe
3052	winlogon.exe
1996	winlogon.exe
1752	winlogon.exe
796	winlogon.exe
2788	winlogon.exe
2648	winlogon.exe
1108	winlogon.exe
2008	winlogon.exe
920	winlogon.exe
2576	winlogon.exe
956	winlogon.exe
2240	winlogon.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	1496	winlogon.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	3052	winlogon.exe
Token: SeDebugPrivilege	1996	winlogon.exe
Token: SeDebugPrivilege	1752	winlogon.exe
Token: SeDebugPrivilege	796	winlogon.exe
Token: SeDebugPrivilege	2788	winlogon.exe
Token: SeDebugPrivilege	2648	winlogon.exe
Token: SeDebugPrivilege	1108	winlogon.exe
Token: SeDebugPrivilege	2008	winlogon.exe
Token: SeDebugPrivilege	920	winlogon.exe
Token: SeDebugPrivilege	2576	winlogon.exe
Token: SeDebugPrivilege	956	winlogon.exe
Token: SeDebugPrivilege	2240	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2540	3044	JaffaCakes118_04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751.exe	30
PID 3044 wrote to memory of 2540	3044	JaffaCakes118_04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751.exe	30
PID 3044 wrote to memory of 2540	3044	JaffaCakes118_04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751.exe	30
PID 3044 wrote to memory of 2540	3044	JaffaCakes118_04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751.exe	30
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2364 wrote to memory of 2752	2364	cmd.exe	33
PID 2364 wrote to memory of 2752	2364	cmd.exe	33
PID 2364 wrote to memory of 2752	2364	cmd.exe	33
PID 2364 wrote to memory of 2752	2364	cmd.exe	33
PID 2752 wrote to memory of 2528	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2528	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2528	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2312	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 2312	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 2312	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 2524	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 2524	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 2524	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 3060	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 3060	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 3060	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 812	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 812	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 812	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 2544	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2544	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2544	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2328	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 2328	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 2328	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 2212	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 2212	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 2212	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 1280	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 1280	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 1280	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2912	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2912	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2912	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2540	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2540	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2540	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2756	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2756	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2756	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2864	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2864	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2864	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2884	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 2884	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 2884	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 2996	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 2996	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 2996	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 2836	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 2836	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 2836	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 2740	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2740	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2740	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2828	2752	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04d364cec8672e7d68efb268f75309b58cc3cc3ff0cb5f1197582c8730b05751.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\logs\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Festival\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
        6⤵
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2148
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
        8⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1556
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        10⤵
        
        PID:1296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2648
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        12⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:900
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        14⤵
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2312
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        16⤵
        
        PID:908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2696
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        18⤵
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:896
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat"
        20⤵
        
        PID:1104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1544
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        22⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2056
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        24⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2224
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat"
        26⤵
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2844
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
        28⤵
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2724
        
        C:\Windows\security\logs\winlogon.exe
        
        "C:\Windows\security\logs\winlogon.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\security\logs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\security\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\security\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\ELS\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ELS\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Festival\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Festival\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Festival\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Cookies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
359129523bfe3ae1fea99029ffc8a6cf

SHA1
0e514f435880a705c6b55026f94e45a4af5eb539

SHA256
d285374d205cfa0f1c6de7bb53d8077d8a6a37de616aad314d63addb0fc8acfb

SHA512
6d8311f8ff7b0564f79881e4fa6a561df1cc09af7b972853e6e185f908fade3667080a2dd3d42674d14f96a46ad5f39242872cbf98aab6748fdb06625be35682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d02e9136d6ada125cc99ab8d57251abf

SHA1
6646226ed8a630edf8560bdbc7a92c24cfc26735

SHA256
8e4ae7bac5351f5b830d1049db27ef340a4836a7f9811fc9d87f065e0c031cac

SHA512
97fb6dbd6fe98798d28c4027bd2a7956ccbbd93b2ee1f7888738dfc349c19b83694e01b25364f2031dcc82e8d8cbea12ef7040cf2b814207f7becf79023e5fb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b621ce5caf482a4a224bbed491bc1c46

SHA1
d1eff74370ce8e7e8d24e2b5991b229e884b0dda

SHA256
56e65f5203f795824fd67e19df534c8e23ac6b80d1c3f9021ecaee7968665352

SHA512
130586cad8ae79ce55d78e5e8c968c77da83700ec70016562d17dec1c3ae617d8d2c9de9196abdbd4960f9e07f8e1640770724bfbd6dd870be0d2102f30b56d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6ef5729d196aa9f9fc8e55c89a891b9

SHA1
e12db90a2c4aa17bb4ef83a53c44cec190ed0850

SHA256
6d26dc88e1feef7b62b60c2d030ce95f524f9c6ebd6f06e384f1c2ef6205efee

SHA512
7a1442688fabfb8363a2b364f91374c59f4d08284e2623b2fcb3d321c7a41a70fb6902b9409c3a4156325231dd77f5d74d7f227bc21d4ad4db7659c1b02b22b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5284ebf12dd556f571ff6808a6491294

SHA1
dec5cecc24f358cd4eb9ef041ff6d38787cc5b8e

SHA256
df4e58b699fb7bd4883022949e03e9bd132f447c8827d6da3eccbd7703af6508

SHA512
5918a89ac02dd816a2608a58536c8af38d280a4d85ea6027913de18263de5b4ee2eeddd9a4329bfd01f5c6b7c0f3a45991da5c9c0c148305064f2d948791b5c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f4f66110c130e347aebbfa9d23b3860

SHA1
eb42dcc359aa468889088b177dd6dd0dba4e18f7

SHA256
cfa8d8cbb766b3bfebf44ac0c2fe2b97990aaecf89b4e2e072d5fae424268df1

SHA512
37090dcb947baaf67b9c2314a3f1782decd5e715afa4808503164626f6f118d5894e1c4d90bbcda73c3f64063b477ee8d7e06cf4c1448e8b676b9b501938b6b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e969903a60ba2264aa9e307bd553558

SHA1
a09ac1e08c6d869e3f56a841723e1267e17391fa

SHA256
fba7964969f3eb343adc56320673e17e39a4f331b614b9fa9835784b128e9fb7

SHA512
749c94239b1263b222c4c045006f89624ff808d7ed0892ec3cf3a632d6b95145a266793e0219c81aa6cab7a06033f9518b77348202af30cdbbdcbe32f17f655f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b79eafeef6d9b6aaee963c04e03dbdd

SHA1
33af2a06310b15dc1037bf053ee703eaa830fe71

SHA256
dbbfc4f637d8b4a6156fed807402d83cd9f60fb451de30b5f6d4ed307bb22ed4

SHA512
232bb8984ad2ae6aa0fadafc76501071dd5fa263e35aa20d548e2d07ae5852714ce405b0b96afb546674b09ea32125e2b8a7e5d0cf1f71a1ef97047b865bb4d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fe4439a7e6c97411639f16b62b620cd

SHA1
57b4eb754c27f3922780f0444854ac1e525afe95

SHA256
d55ddfe480f70c6db5ac9daa31001d134a786dea9f39d055e175e81e29024c6b

SHA512
e4cbb1534da83fbe098f9ddb089cc6e5b3de533bbc3431a812bc0019f8dd87946a2258c4cd391862435844ab5feb39569e2d19bd72aa57fa4e8d96b713a070c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c58846784c67821a10249d94d8f89721

SHA1
ce1e6ac7c56de8ffa19efb1060a7bd925997dbb1

SHA256
03dbfa5e7dc63d2a33493268131b89ea4eba3886725ee1a3c64e52d7412b7a86

SHA512
e76c7880e863b615e0172a4cb75c42d5ded416a69053a32ee8e36265416896a906625bb459e657c8ec815d11b05df0e31bb1858cf9db0880e5f79bee9ea3a44a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66693710a4a938111ac6c3ab5da9667c

SHA1
bc984c53bbe129dd16d2f98accd78c7d9f323c91

SHA256
bcb3e9befdb51cc3dcf602a0fccfbe239a900c8bb2fa2a15fa4ac8b160d8e50d

SHA512
7c37b661e444b26c2e9283cd57192fe487a0e495f76b2d84e8cb8e862a47975bd09df27e223e6cec3672750e30a77bafb769a6ba6f6feed61151b5a5a7a25589

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
202B

MD5
54eec671143aaff2cb24acce64fe106d

SHA1
caf4c89c46fd1f0988959f4c6dbff86824624d06

SHA256
496907575052b0ed33346c60b000f786d0cc064134c4745ca23b26b603895625

SHA512
1f485fa5151e4cdcaf83d0ff9ef7ff2ac008a3ca46dfa7a483d47fd7d3ff26e9d5c5762e5db2c865ee63ea1e6fe1d445c5018e60b22fc976c451c82c5253f802

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
202B

MD5
e47de7794c229ef9ded311b62fd47188

SHA1
4a1b108f293aa83779586a90608d0dfa3f1bfc4c

SHA256
3564d9a328fc05f59f2dce44861a38faa03683765faae80923d2a10fe9bbc1c2

SHA512
88b56525feca5ab9f7c23df7d13cc89c0e302dd9cfcc4776f83153451c9d4a9a0ac99b65b8a869f61ff6f2120822fb840945114a3786ab8bde1a49059f547531

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

Filesize
202B

MD5
fa6cde515a57765f7ca1a9fa47505059

SHA1
c67626c2cf3d68c475ff108007e73b9edf4c5c09

SHA256
4cb7e40626af4b61a3ef8e664923d443007486d7a506972c757dd8a348b9ff59

SHA512
b128c87b99be5ebcabae42be759e7f4a29864c3d41b1ebd3aac7605fccee3ec3e7a8478aaf8aa1eabe595278c06e4155d61d38ebb01bd9c1bb268a6921cfbb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat

Filesize
202B

MD5
ccdc659566fbb7754817a4f0eb22fa51

SHA1
9da689e667d54942b7e6d2eb56bab028582fb14c

SHA256
e30327827ad3ad0c6a18106644f19908bc3d6ad5595aff273fb0ab514d1ee7b1

SHA512
d709b5740df9ed93a649a9c2e7823006565886766b8e439d177e84bfee599ab4ffad7f24bc0779df8b42f06edf36893e6d2c24d52895bfc556526a23ce2aa233

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC8CD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

Filesize
202B

MD5
565c40f1be0f7d3174779f8121901262

SHA1
552a348bbb25de9f45bb093a84130b48a74feb1d

SHA256
39d48195889925371c1b46effa6352be6e81029a8bf1614a374dd1712f3d23a3

SHA512
3fb122551682875d91a5c942a7be6a5db11f95ca10fc4dfc1fda4b5f423093b410a6c46cdd22b41200694770e7b7e4e5d7b8193855d9b55e8ad15d3a873a328c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8EF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat

Filesize
202B

MD5
79b84f0f7bab0a6fa79dc2f913c32886

SHA1
a4e5d1a18c4fe3041e6fd076449a58f3d9a8311c

SHA256
5420155580cadd21db9d0aed7fa2c25fa458e8ff2d6703cb294b97c185b37160

SHA512
2ae937b1981e80db4030d8931654eb69c2a4302c1f07dfdad7c60ecf199daefa30f0eed9b18fdb0aab1df89d6029ccd850a6c0f6f528d2961f50ebc6369f9f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
202B

MD5
795ff1be17d4c8ca892602aec9b32d33

SHA1
c16838af094e8ef688373a973c30cad67ad6750f

SHA256
e1ab49861140d4be1c9bd2ef4df59a425eb26cc7b595108a9749113ba109d275

SHA512
98468984f9201edd4c6e6a60230238bb3ed740183d86b40688ca679cd8adf93d8ce89011eeb936d3e65481c7061ef0f4b4441838a74e382debfc459550d37497

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat

Filesize
202B

MD5
09af0e5e414b7be983cdc94e24b1db81

SHA1
13b724ef5f67587b2552bea0043d6ca18c5a9b03

SHA256
251b03540581f5d1eb50caea51bff28d6d4a89a09c9d1183e5aafdaca472efa7

SHA512
399fcd2747a48ba76cdaa02482b5c0049d8b1b4de4cb48e312e137639e8ef1e8fb1fd36fd16e9dfd0e982433f178ab58812ecd34c5bc184ed092b99e9d387bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

Filesize
202B

MD5
5dd22d69c5971b0b9ab81d7568629a73

SHA1
1a5666ab13053eab51e5b1c603f0571f579309da

SHA256
543d6a0dcc6bcfd9e3ed595c40c5b09f9cbb6577e870ddc7779257247cf0fd99

SHA512
be0d445a733d52f90313e2d9a5eb508276426d034b9901753f996bd0795861ec65a7b729b51760db9e5f6679a8fedfb2d63ed511e05de042c3a8aa426b43199e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
202B

MD5
fab2929b1b15f54c0ab0b2689eb23447

SHA1
4408017daab46d89281a9dd8ff2d08d43d7c0094

SHA256
62f228d549499c7761cfd1b52f28bc199a398225a7492f37216b604a76be97f9

SHA512
dd661cd70f0f384ad75ebc7360e4f4278e39805873035e9b83ec009e3ced2874a88cad95b2ea8a1e01083576d6d6d906efa927f53fec7504c69e171d0034cf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

Filesize
202B

MD5
9371f987a3c5887a82461c864384235b

SHA1
5443df585f14414f26243a190a39e75223eb42b4

SHA256
0484ded98f6bef1efb8c32c3fdfbad26bfb286b9bca2d80e20097180202e9a77

SHA512
f416eabd0fb11a494a9827f2a2ed824bb88c72b7bf33d0e918fb80062ac6237793ac97ccd2af1a78dffb64f3662ebe3185f5292e6c6e21129f2fb024bdd833fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
202B

MD5
a9f8fc6b6a09e008a484c9a40867c99c

SHA1
c9e0e1aaed4ce7c6abfd2f456ff7dfb2bcffa383

SHA256
078ef9e5cd0c9a8813d0a3d3b76247f22ccaf53d25e56d88e0d7391198869581

SHA512
3ddf48dc96c120af11c156e639d6d233420ea5e3ce4c93feaa9babf2ef62d88fc246af20ec8632a589de4d4f1607c59907aab35a6d55d4914bc1e7e8db1a6c89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9c7b77d66250f6ca44df4e9a54580aac

SHA1
f28243dd7c5e0126cc3550fbac305b93df0ed3ba

SHA256
d71c69004c21ec2bc45a8c995768051aea17ebd6d6cb33adcd93b67be0f8a3ae

SHA512
95c57e3e93eca7c98337ec1280043addb13866baa8d6afb530ccf0fe4fd6d189e729775e8d92148c05bb3adaa4711bf0181dd2d7d17403945da7c2cdd6021aba

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/796-384-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/920-684-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/920-683-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/956-804-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/1108-564-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/1496-58-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/1752-324-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/1996-264-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2240-864-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2240-865-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2544-69-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2544-68-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2576-744-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2648-504-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/2752-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2752-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/2752-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2752-15-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2752-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2788-444-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download