dcrat | 989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb.exe
Size

1.3MB
MD5

31220e0b90509009103e0f38cba4818f
SHA1

b4e3f0f458687542516f2e0fa78e39e83e703360
SHA256

989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb
SHA512

4ce351131539803be251bd4f797cb40a4694e16f7bbee674f8bd0f7a4b717bd7bc2d547539e95e559f345d6564b24873d16c7959bca104f7efb4ef164da0cf31
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2840	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2840	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001746a-12.dat	dcrat
behavioral1/memory/2916-13-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/1492-60-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/2732-272-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/1948-333-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/1408-394-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/284-632-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/3012-751-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2368	powershell.exe
2860	powershell.exe
1808	powershell.exe
904	powershell.exe
1216	powershell.exe
1804	powershell.exe
2492	powershell.exe
2912	powershell.exe
2988	powershell.exe
2696	powershell.exe
1696	powershell.exe
2076	powershell.exe
2820	powershell.exe
2836	powershell.exe
2832	powershell.exe
2808	powershell.exe
1744	powershell.exe
2304	powershell.exe
2704	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2916	DllCommonsvc.exe
1492	csrss.exe
2068	csrss.exe
2732	csrss.exe
1948	csrss.exe
1408	csrss.exe
1580	csrss.exe
1812	csrss.exe
1188	csrss.exe
284	csrss.exe
2804	csrss.exe
3012	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	cmd.exe
2372	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\en-US\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\OSPPSVC.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\system\HomeGroup\es-ES\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\UnattendGC\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\UnattendGC\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\rescache\rc0007\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\services.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2900	schtasks.exe
1196	schtasks.exe
2948	schtasks.exe
1676	schtasks.exe
380	schtasks.exe
2568	schtasks.exe
1756	schtasks.exe
2620	schtasks.exe
1348	schtasks.exe
880	schtasks.exe
1704	schtasks.exe
2460	schtasks.exe
2940	schtasks.exe
1072	schtasks.exe
2748	schtasks.exe
2312	schtasks.exe
2652	schtasks.exe
1564	schtasks.exe
1380	schtasks.exe
1788	schtasks.exe
1948	schtasks.exe
348	schtasks.exe
2484	schtasks.exe
1432	schtasks.exe
2536	schtasks.exe
840	schtasks.exe
2964	schtasks.exe
2180	schtasks.exe
2012	schtasks.exe
1936	schtasks.exe
2124	schtasks.exe
1576	schtasks.exe
1452	schtasks.exe
2376	schtasks.exe
772	schtasks.exe
1100	schtasks.exe
2992	schtasks.exe
3028	schtasks.exe
804	schtasks.exe
1208	schtasks.exe
1660	schtasks.exe
3024	schtasks.exe
2656	schtasks.exe
2280	schtasks.exe
2880	schtasks.exe
1372	schtasks.exe
1344	schtasks.exe
1688	schtasks.exe
1816	schtasks.exe
1168	schtasks.exe
2088	schtasks.exe
2136	schtasks.exe
1496	schtasks.exe
956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2916	DllCommonsvc.exe
2836	powershell.exe
2304	powershell.exe
1744	powershell.exe
2912	powershell.exe
1696	powershell.exe
2988	powershell.exe
2704	powershell.exe
2696	powershell.exe
2808	powershell.exe
2492	powershell.exe
2832	powershell.exe
2368	powershell.exe
2820	powershell.exe
1804	powershell.exe
904	powershell.exe
2076	powershell.exe
1808	powershell.exe
1216	powershell.exe
2860	powershell.exe
1492	csrss.exe
2068	csrss.exe
2732	csrss.exe
1948	csrss.exe
1408	csrss.exe
1580	csrss.exe
1812	csrss.exe
1188	csrss.exe
284	csrss.exe
2804	csrss.exe
3012	csrss.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	DllCommonsvc.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	1492	csrss.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2068	csrss.exe
Token: SeDebugPrivilege	2732	csrss.exe
Token: SeDebugPrivilege	1948	csrss.exe
Token: SeDebugPrivilege	1408	csrss.exe
Token: SeDebugPrivilege	1580	csrss.exe
Token: SeDebugPrivilege	1812	csrss.exe
Token: SeDebugPrivilege	1188	csrss.exe
Token: SeDebugPrivilege	284	csrss.exe
Token: SeDebugPrivilege	2804	csrss.exe
Token: SeDebugPrivilege	3012	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2368	2692	JaffaCakes118_989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb.exe	30
PID 2692 wrote to memory of 2368	2692	JaffaCakes118_989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb.exe	30
PID 2692 wrote to memory of 2368	2692	JaffaCakes118_989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb.exe	30
PID 2692 wrote to memory of 2368	2692	JaffaCakes118_989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb.exe	30
PID 2368 wrote to memory of 2372	2368	WScript.exe	31
PID 2368 wrote to memory of 2372	2368	WScript.exe	31
PID 2368 wrote to memory of 2372	2368	WScript.exe	31
PID 2368 wrote to memory of 2372	2368	WScript.exe	31
PID 2372 wrote to memory of 2916	2372	cmd.exe	33
PID 2372 wrote to memory of 2916	2372	cmd.exe	33
PID 2372 wrote to memory of 2916	2372	cmd.exe	33
PID 2372 wrote to memory of 2916	2372	cmd.exe	33
PID 2916 wrote to memory of 1808	2916	DllCommonsvc.exe	89
PID 2916 wrote to memory of 1808	2916	DllCommonsvc.exe	89
PID 2916 wrote to memory of 1808	2916	DllCommonsvc.exe	89
PID 2916 wrote to memory of 2696	2916	DllCommonsvc.exe	90
PID 2916 wrote to memory of 2696	2916	DllCommonsvc.exe	90
PID 2916 wrote to memory of 2696	2916	DllCommonsvc.exe	90
PID 2916 wrote to memory of 1696	2916	DllCommonsvc.exe	91
PID 2916 wrote to memory of 1696	2916	DllCommonsvc.exe	91
PID 2916 wrote to memory of 1696	2916	DllCommonsvc.exe	91
PID 2916 wrote to memory of 904	2916	DllCommonsvc.exe	92
PID 2916 wrote to memory of 904	2916	DllCommonsvc.exe	92
PID 2916 wrote to memory of 904	2916	DllCommonsvc.exe	92
PID 2916 wrote to memory of 1216	2916	DllCommonsvc.exe	93
PID 2916 wrote to memory of 1216	2916	DllCommonsvc.exe	93
PID 2916 wrote to memory of 1216	2916	DllCommonsvc.exe	93
PID 2916 wrote to memory of 2076	2916	DllCommonsvc.exe	94
PID 2916 wrote to memory of 2076	2916	DllCommonsvc.exe	94
PID 2916 wrote to memory of 2076	2916	DllCommonsvc.exe	94
PID 2916 wrote to memory of 1804	2916	DllCommonsvc.exe	95
PID 2916 wrote to memory of 1804	2916	DllCommonsvc.exe	95
PID 2916 wrote to memory of 1804	2916	DllCommonsvc.exe	95
PID 2916 wrote to memory of 2368	2916	DllCommonsvc.exe	96
PID 2916 wrote to memory of 2368	2916	DllCommonsvc.exe	96
PID 2916 wrote to memory of 2368	2916	DllCommonsvc.exe	96
PID 2916 wrote to memory of 2304	2916	DllCommonsvc.exe	97
PID 2916 wrote to memory of 2304	2916	DllCommonsvc.exe	97
PID 2916 wrote to memory of 2304	2916	DllCommonsvc.exe	97
PID 2916 wrote to memory of 2704	2916	DllCommonsvc.exe	98
PID 2916 wrote to memory of 2704	2916	DllCommonsvc.exe	98
PID 2916 wrote to memory of 2704	2916	DllCommonsvc.exe	98
PID 2916 wrote to memory of 2492	2916	DllCommonsvc.exe	99
PID 2916 wrote to memory of 2492	2916	DllCommonsvc.exe	99
PID 2916 wrote to memory of 2492	2916	DllCommonsvc.exe	99
PID 2916 wrote to memory of 2820	2916	DllCommonsvc.exe	100
PID 2916 wrote to memory of 2820	2916	DllCommonsvc.exe	100
PID 2916 wrote to memory of 2820	2916	DllCommonsvc.exe	100
PID 2916 wrote to memory of 2836	2916	DllCommonsvc.exe	101
PID 2916 wrote to memory of 2836	2916	DllCommonsvc.exe	101
PID 2916 wrote to memory of 2836	2916	DllCommonsvc.exe	101
PID 2916 wrote to memory of 2860	2916	DllCommonsvc.exe	102
PID 2916 wrote to memory of 2860	2916	DllCommonsvc.exe	102
PID 2916 wrote to memory of 2860	2916	DllCommonsvc.exe	102
PID 2916 wrote to memory of 2832	2916	DllCommonsvc.exe	103
PID 2916 wrote to memory of 2832	2916	DllCommonsvc.exe	103
PID 2916 wrote to memory of 2832	2916	DllCommonsvc.exe	103
PID 2916 wrote to memory of 2808	2916	DllCommonsvc.exe	104
PID 2916 wrote to memory of 2808	2916	DllCommonsvc.exe	104
PID 2916 wrote to memory of 2808	2916	DllCommonsvc.exe	104
PID 2916 wrote to memory of 2912	2916	DllCommonsvc.exe	105
PID 2916 wrote to memory of 2912	2916	DllCommonsvc.exe	105
PID 2916 wrote to memory of 2912	2916	DllCommonsvc.exe	105
PID 2916 wrote to memory of 2988	2916	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_989ba9bbda4297b4d985be9d6ccc68109b45cab87d182e63e2d44bfe7b460edb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\Microsoft\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
        6⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2020
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        8⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2076
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
        10⤵
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:576
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        12⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1200
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        14⤵
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2964
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        16⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:448
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat"
        18⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:904
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
        20⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2088
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        22⤵
        
        PID:804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1728
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        24⤵
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1556
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe
        
        "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Links\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\UnattendGC\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\UnattendGC\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14732caeb928ce4adcaadf41e9150d6c

SHA1
2b4514a875ebb0213dab5dfa465d5db93488276b

SHA256
70016fcc7368b3c9a75bb4b54d8234a2ffaffd7cffb128c5e4d99087d0120c98

SHA512
da0997581eb05ad31b9e25a6bd464f90c247ef165be99c4ff4758dfbd1fed50a4f95c004399ca527030f76146908d8ea19d8a78ebb25b40db07539689389f6ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a26ee5c26164e1cbad3ab27556e0c4b

SHA1
211582f5d24a484c3dee6a96e19a3f1748d06f2d

SHA256
def279e1b4882d7efcefe31ed6a27a45a47332467071bdcd1b366d2114fd43ac

SHA512
f2b5ec31724a7d525cd8e2e14b00ebe99314ed68bae85a7d6814728acf9a71d647ac1a33776a7d749351f48bfe5775033c80dc71ec133215fe218b78edb572ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6441e91a2ff04136012e8a53b9b0eacf

SHA1
a27e2ca2935afc531513decf562e4a0b48fd1abc

SHA256
b03e6a77cd403fe523f132f898f9aa24f3f59dd3882fa01840a7a4f681e0aa33

SHA512
5c78ec547ee5cf3a427317d0c8f3f649bd17fbaa4b7a861adcb1c84f894a3d0dbfd42b17ba64ee4e279559bb5225ca79d91308feb274fca215fea1bf93a13c7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7c1298f5cb9deec975a2f7b49d32cd6

SHA1
d74baec8ea5818c546e35c931ccb407694c163ab

SHA256
44d60881348d27707a5fd3161a661ea918e02aec5eaf3d706dc54c4ad93ee535

SHA512
1f8c222103419bdf64c063a905ea72886478eb9210fa70f1f381a11ed437adca2aa707f412f7b6db9f99080e2417089b9442706f6047ccc77302fdced431261d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5fd094b69a42579111ec5acfb54591f

SHA1
e62e4454d24a1dd089373fe7653304d9974e481d

SHA256
475bdc6b833991558b516b74bad25eb188cc10396bb29dc439ce2dac0f04a932

SHA512
6e5e3bfb98e6174683a2d3d214221fd2caa4d205546264a927411d6575b89070f0f850281fac98d9e43bca92346f59ca2380d4f5354f47c6f7ed984a1a6ae49e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f27eaa4b119500bae8ba88c55d082f2a

SHA1
ad7887265107fab2c9085f56e169adf8159e9f45

SHA256
84df93000ec55eede22babcc44cf2aa22c1d37ef8646f561525298f96d3cd63e

SHA512
f8507af400c324baf60add91943e8e4ade74e5bf49220c903ec596ae2b0d79fd42ef065325fb5bb4d6d5bfa34d45434e8dc02519e5274926d02a8028ab49638a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e5a9ed488bb1b2269e742aca150342a

SHA1
423324d495abf1fe42629e408916e1f886632e75

SHA256
e3e2aa13f4b8ad86ab7471c1d1ccc0bcddcfc83e4525439bfe635e08e9147b3e

SHA512
854b42f556d66c5d4bc47dd8a4e0b3c3f27fe7df0047cffd33215f332b2410404f6b266f1dc4940df83cabafb51221f209832828cce7378328ed9b94267af59b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65970a0e5bd29d6052d0332db74ef03c

SHA1
1612e7a26a0a6bc105c8fb38016753b6c9fa577d

SHA256
6fa5b7b3bbc03dc6ab1231d120e42468d86dc72efcd52c7c7b33bd2975907f6e

SHA512
1212f3c2c18cbadf8943effa39e9e4cf7c3b3243f279df27a97535bf3afb7ec1a313f09727610ae1eb123356212b2dde6fd556d6ac8024d4253b35776ac5478b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0643024fadc295b588b2035fd20960a9

SHA1
6cf418f91d47c658917ac783ef82d6ead039d9d4

SHA256
0a5842eaa5b38d93a31fe49275695aa3163d420163e5f841f86fabe53ec93ffe

SHA512
d2153a4099c4b1af7e0843226196c876e9e01599b379304396154e4c35dc0e4631e3f71b3e54ca48ff78b95506ca6bf24d6ad7e356991fc4f8fe8f306e527030

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
244B

MD5
34096df3283657ce73de61bb0d44d253

SHA1
96daed1d999ab25ba77913746d195173218a63df

SHA256
69f41a4ee292820c259188dcc173c677a40d91a8868af0feabd085bc9e4566ce

SHA512
aea85e16d2487f21ca5303413be7b8af65ffbcb9fb299d5498f3022954337d69bc41c9025e803a75c266f70e15b0de68c166ba7c3f4f4db77ed95842abbe266c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat

Filesize
244B

MD5
5f457fcc2d5acb793cf32927ca4169a0

SHA1
e8198d818c72a71ef72621dae2260a7a1ee8738c

SHA256
f0fd1948dbe732aebbcbe233ddd0ed0e8099545c34478f53e773f0e3b775fe8f

SHA512
74c2b2f8f605aee1475bd56e85b4d3ec49bb3bdf77f631fd3a6ed63596b7ac7550e670f80333021398bd6100eb9e239ce504510ec01f981e124c4da6c31ba6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

Filesize
244B

MD5
1248a1710b67615f00eb3abac7818e23

SHA1
9630fc6f81cb28e1486ec520bcc0fc89e1435907

SHA256
1f6dbce90240520b263d14df2f27f6c215041c16a02106a012e600157031b3df

SHA512
fb05e7c6c9896e778f9dd8faea694bc48fb664b7d95852e460981e0084e363492b9dcf1e6138ad449e5963d2b37ff59cfb8e10efc825bfbfd108fc57b96be6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE7B2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat

Filesize
244B

MD5
d8384f2cbffd0bca8f8074eadea1fdf4

SHA1
f84e7915c095c8be8f4058aea4b69623664d77c4

SHA256
10f76413739c49e502d669edd85269636d47aa84fbe73f23252cb0e554cfb4f4

SHA512
533d2c5eda80c00f6c26838cdf01b51f2c5e037684a8a3d91b7d67052435d8c9503331445eae6e90fd3686c61a031b7338ef1252f27b37a251de300d47256ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

Filesize
244B

MD5
31127f81dcde1fb9cc3d6ea129292b51

SHA1
b88e8d2fadb34a51632a316b4fcab250ccd39854

SHA256
127b69c18166cfff24194a8b9e657507d2a09a19e88ddf6f48ce53ddaa444ba3

SHA512
f8207da3925ed88414a28ada8dc515335c52299d799f252fcead9326706955a7385fd86e4c7b776cf4d9d65a83d1c57266aa61e0765c068268e8dbde258f9f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
244B

MD5
7062164116ef0838526eeb31b2883f88

SHA1
92f5404baeb828e947f63c7fb9bae968c3720ca4

SHA256
d5c549155065e9eb62778ffc4785a15d5d0385e74e2a843e5d6f411a80d4eb55

SHA512
140c574227abbff700f9525bf1d3f546edd9893bf97ec631083f1b68d63fa494dae71405abd487cada3a87ff35faf5bf82d02722a88a52414b54007a8dd5d99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE7D5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

Filesize
244B

MD5
4d348db84c8d19b8fb1155c27ae63652

SHA1
a9c1182cfb70bb20d519674e2ab9019f5f1283bf

SHA256
a0457248565774da7a82b99c491b43895ce8650caa67ace94f6dd2bb751b7cc9

SHA512
310b12cd24732ea04eed4fb5b2a5e12f2fc925dc9a14b0ca2ef4b1a3a40f84f9ac04f0d20c63c33bd17ade2085811d0fb2b3c30c0c8ce912880152f286509132

Download Submit
C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

Filesize
244B

MD5
77c3ef99e8065709bf4ff17bd9d3c72f

SHA1
36fa8f2b40ed1933bde1e7c9e765049042166a5a

SHA256
0378812bd6e2e9761d2159da527d5bf30c470a05ebdd2eb476d947e649d8bf9a

SHA512
2a787311df376f949beef4003ec2bf0e13c49488e3b83f0024f6ad879d07e79766f2cd318fd5a966c38b055db1461ed7750ba72caac72c63878800fe83870060

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
244B

MD5
d0fed7cd393e874bee50e0c0162b1a91

SHA1
a66a50f86bea33e90880ca9324555e417a2079fb

SHA256
471bc7b3bd65f6055f9d1d655a9207a97bb1922e0651176659d0767da4969f65

SHA512
d71b53b8d7ad01f03818d0dd91b2e26cb5e855308db02db837c32bb153a8c851632952b2839bcd5b37136311a49ce759a11426334b0b2bcce0af3b9cc3b9147e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
244B

MD5
df038c76f1091c39a97b1110423983d4

SHA1
0d1a1b7adc0c8c4ce1b3f237ef7c47babbf62bf0

SHA256
f793adf240b1972da89f57203045cdb919b864923d2d7f4d1529c870256ed2b1

SHA512
22b60e1747428048e4c9e88b2c40382107059ab32883405b5dffc3ac9103617acd5f4c640c6baa4cc6260f28725377920ec1c4c6071c3bb99576e5711e04e596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2aef4a21ac62dac3c8eff29f379e168b

SHA1
05f8323e8d6a6be93982c3d9eb7ff2ea5f138b3e

SHA256
3e348fad5de6ea6b407980a162b1fe09b0aa724b954b53fcd774478d8d0183b0

SHA512
3ce291a9025a967b1a85c795af620e83896b296764bed0b57fd04fb6878dc4c02352f3a1c8fa11d911ef262b0e242dfe415979c479a3a2b213c3bad9944e4646

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/284-632-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/1188-572-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1408-394-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/1492-60-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download
memory/1948-333-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/1948-334-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2068-212-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2732-272-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/2732-273-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2836-76-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2836-77-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2916-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2916-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2916-13-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2916-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2916-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/3012-751-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/3012-752-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download