dcrat | cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe
Size

1.3MB
MD5

87ffa1a3f2fbce96323269f2daa4d238
SHA1

5ead778818b0859d08c5df91f0ac0e83914c259c
SHA256

cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486
SHA512

737b6964a54df3b6f51b7c80a2f177d8f7005083eb5817291e4523ecb003f1aea3032c0dcda74afb968127b240e31ee8b8d9e2d8e1dd047c0acf7faea738c7c8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2848	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2848	schtasks.exe	32

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014b28-10.dat	dcrat
behavioral1/memory/2904-13-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/2280-155-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/576-334-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2280-394-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1244-454-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/3016-573-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/1636-633-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2272-693-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe
2620	powershell.exe
2516	powershell.exe
1072	powershell.exe
2612	powershell.exe
2228	powershell.exe
2752	powershell.exe
332	powershell.exe
2628	powershell.exe
2880	powershell.exe
2284	powershell.exe
2536	powershell.exe
1680	powershell.exe
2380	powershell.exe
2528	powershell.exe
2708	powershell.exe
2724	powershell.exe
3020	powershell.exe
2836	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2904	DllCommonsvc.exe
2280	conhost.exe
2744	conhost.exe
2768	conhost.exe
576	conhost.exe
2280	conhost.exe
1244	conhost.exe
1128	conhost.exe
3016	conhost.exe
1636	conhost.exe
2272	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\smss.exe	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\debug\WIA\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\CSC\v2.0.6\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2336	schtasks.exe
1192	schtasks.exe
2260	schtasks.exe
1940	schtasks.exe
996	schtasks.exe
1720	schtasks.exe
1328	schtasks.exe
964	schtasks.exe
1020	schtasks.exe
3004	schtasks.exe
2548	schtasks.exe
1836	schtasks.exe
1156	schtasks.exe
2216	schtasks.exe
2484	schtasks.exe
2064	schtasks.exe
2932	schtasks.exe
1320	schtasks.exe
1784	schtasks.exe
2264	schtasks.exe
1872	schtasks.exe
1980	schtasks.exe
2680	schtasks.exe
320	schtasks.exe
1660	schtasks.exe
2688	schtasks.exe
1948	schtasks.exe
916	schtasks.exe
2060	schtasks.exe
1808	schtasks.exe
1764	schtasks.exe
572	schtasks.exe
2052	schtasks.exe
1624	schtasks.exe
1616	schtasks.exe
2544	schtasks.exe
2796	schtasks.exe
2816	schtasks.exe
1572	schtasks.exe
1768	schtasks.exe
476	schtasks.exe
2488	schtasks.exe
2864	schtasks.exe
2872	schtasks.exe
2500	schtasks.exe
1088	schtasks.exe
2268	schtasks.exe
1512	schtasks.exe
2984	schtasks.exe
2400	schtasks.exe
664	schtasks.exe
1988	schtasks.exe
2540	schtasks.exe
1444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
3020	powershell.exe
2752	powershell.exe
2724	powershell.exe
2536	powershell.exe
2620	powershell.exe
2528	powershell.exe
2880	powershell.exe
332	powershell.exe
2708	powershell.exe
2228	powershell.exe
1072	powershell.exe
1680	powershell.exe
2836	powershell.exe
2380	powershell.exe
2284	powershell.exe
2516	powershell.exe
2612	powershell.exe
2628	powershell.exe
2856	powershell.exe
2280	conhost.exe
2744	conhost.exe
2768	conhost.exe
576	conhost.exe
2280	conhost.exe
1244	conhost.exe
1128	conhost.exe
3016	conhost.exe
1636	conhost.exe
2272	conhost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2280	conhost.exe
Token: SeDebugPrivilege	2744	conhost.exe
Token: SeDebugPrivilege	2768	conhost.exe
Token: SeDebugPrivilege	576	conhost.exe
Token: SeDebugPrivilege	2280	conhost.exe
Token: SeDebugPrivilege	1244	conhost.exe
Token: SeDebugPrivilege	1128	conhost.exe
Token: SeDebugPrivilege	3016	conhost.exe
Token: SeDebugPrivilege	1636	conhost.exe
Token: SeDebugPrivilege	2272	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2964	1044	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe	28
PID 1044 wrote to memory of 2964	1044	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe	28
PID 1044 wrote to memory of 2964	1044	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe	28
PID 1044 wrote to memory of 2964	1044	cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe	28
PID 2964 wrote to memory of 2760	2964	WScript.exe	29
PID 2964 wrote to memory of 2760	2964	WScript.exe	29
PID 2964 wrote to memory of 2760	2964	WScript.exe	29
PID 2964 wrote to memory of 2760	2964	WScript.exe	29
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2904 wrote to memory of 3020	2904	DllCommonsvc.exe	87
PID 2904 wrote to memory of 3020	2904	DllCommonsvc.exe	87
PID 2904 wrote to memory of 3020	2904	DllCommonsvc.exe	87
PID 2904 wrote to memory of 2880	2904	DllCommonsvc.exe	88
PID 2904 wrote to memory of 2880	2904	DllCommonsvc.exe	88
PID 2904 wrote to memory of 2880	2904	DllCommonsvc.exe	88
PID 2904 wrote to memory of 1072	2904	DllCommonsvc.exe	90
PID 2904 wrote to memory of 1072	2904	DllCommonsvc.exe	90
PID 2904 wrote to memory of 1072	2904	DllCommonsvc.exe	90
PID 2904 wrote to memory of 2284	2904	DllCommonsvc.exe	92
PID 2904 wrote to memory of 2284	2904	DllCommonsvc.exe	92
PID 2904 wrote to memory of 2284	2904	DllCommonsvc.exe	92
PID 2904 wrote to memory of 2724	2904	DllCommonsvc.exe	94
PID 2904 wrote to memory of 2724	2904	DllCommonsvc.exe	94
PID 2904 wrote to memory of 2724	2904	DllCommonsvc.exe	94
PID 2904 wrote to memory of 2752	2904	DllCommonsvc.exe	96
PID 2904 wrote to memory of 2752	2904	DllCommonsvc.exe	96
PID 2904 wrote to memory of 2752	2904	DllCommonsvc.exe	96
PID 2904 wrote to memory of 2228	2904	DllCommonsvc.exe	97
PID 2904 wrote to memory of 2228	2904	DllCommonsvc.exe	97
PID 2904 wrote to memory of 2228	2904	DllCommonsvc.exe	97
PID 2904 wrote to memory of 2628	2904	DllCommonsvc.exe	100
PID 2904 wrote to memory of 2628	2904	DllCommonsvc.exe	100
PID 2904 wrote to memory of 2628	2904	DllCommonsvc.exe	100
PID 2904 wrote to memory of 2708	2904	DllCommonsvc.exe	101
PID 2904 wrote to memory of 2708	2904	DllCommonsvc.exe	101
PID 2904 wrote to memory of 2708	2904	DllCommonsvc.exe	101
PID 2904 wrote to memory of 2528	2904	DllCommonsvc.exe	102
PID 2904 wrote to memory of 2528	2904	DllCommonsvc.exe	102
PID 2904 wrote to memory of 2528	2904	DllCommonsvc.exe	102
PID 2904 wrote to memory of 2836	2904	DllCommonsvc.exe	103
PID 2904 wrote to memory of 2836	2904	DllCommonsvc.exe	103
PID 2904 wrote to memory of 2836	2904	DllCommonsvc.exe	103
PID 2904 wrote to memory of 2856	2904	DllCommonsvc.exe	104
PID 2904 wrote to memory of 2856	2904	DllCommonsvc.exe	104
PID 2904 wrote to memory of 2856	2904	DllCommonsvc.exe	104
PID 2904 wrote to memory of 2612	2904	DllCommonsvc.exe	105
PID 2904 wrote to memory of 2612	2904	DllCommonsvc.exe	105
PID 2904 wrote to memory of 2612	2904	DllCommonsvc.exe	105
PID 2904 wrote to memory of 2516	2904	DllCommonsvc.exe	106
PID 2904 wrote to memory of 2516	2904	DllCommonsvc.exe	106
PID 2904 wrote to memory of 2516	2904	DllCommonsvc.exe	106
PID 2904 wrote to memory of 2620	2904	DllCommonsvc.exe	107
PID 2904 wrote to memory of 2620	2904	DllCommonsvc.exe	107
PID 2904 wrote to memory of 2620	2904	DllCommonsvc.exe	107
PID 2904 wrote to memory of 2380	2904	DllCommonsvc.exe	109
PID 2904 wrote to memory of 2380	2904	DllCommonsvc.exe	109
PID 2904 wrote to memory of 2380	2904	DllCommonsvc.exe	109
PID 2904 wrote to memory of 1680	2904	DllCommonsvc.exe	110
PID 2904 wrote to memory of 1680	2904	DllCommonsvc.exe	110
PID 2904 wrote to memory of 1680	2904	DllCommonsvc.exe	110
PID 2904 wrote to memory of 2536	2904	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe
"C:\Users\Admin\AppData\Local\Temp\cb976cfef7150426a8316653c785dd654bb22464c1c3141f0a043039b3f0c486.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\as7boQT60v.bat"
        5⤵
        
        PID:1336
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:700
      - C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
        7⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2112
        
        C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        9⤵
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2180
        
        C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        11⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2872
        
        C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
        13⤵
        
        PID:1440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2540
        
        C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
        15⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1816
        
        C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
        17⤵
        
        PID:1368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1612
        
        C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat"
        19⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1800
        
        C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
        21⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2056
        
        C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        23⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2816
        
        C:\Windows\Offline Web Pages\conhost.exe
        
        "C:\Windows\Offline Web Pages\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
        25⤵
        
        PID:292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Minesweeper\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e882a3adc4c1a50d64430b9bec5ca38e

SHA1
c9856f2ec0495cd077d24d268020a3e0bda2e99b

SHA256
244a27d026339cd63a3eb63ce79778798eed160adf58e6c535c5d56715fc92bf

SHA512
f4f032d1e106da51a13a5ef0cae96c0f71eb5a493c0cd531ad1463b5039e120ddcf76e4d83214b3194cf958b6cc4bd62c6d8eaa3eb0582ac502115153359c26c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
218d42cb04ee4af4e7d56a2562a9ec83

SHA1
9eb1b954bf4c855a112653f29a616bd79ef29149

SHA256
5ffa97209f33c69f31647b62f41771804483c3a44040ee0065256a310e18e4e4

SHA512
88bf37f749c003e3438ef36a4589fd4b3d06ebc2201ecabcc78fe573ad041d76e17ac0a06a3b0c5a89b9d2e3720d90a7624971412229e1ce67301df42f0846dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d286d899d42a40389c47097bdade54ed

SHA1
dce017d4437c374d8ec2aa1c2abbca34e3b2c540

SHA256
33d1c517c0183c5e7d5b02dfac37b09865d49c427a6bdb61e9e5d8fa7a41ce12

SHA512
8a78824b38c0eaa21e93e51ebf430813f51a89770d9e416643fc2a3ca6d41c6c4958712909c91f31aeac8d6288c85226914582b24f0a2dda962d06180908fc5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6f03b41ee12237b8556b0fad49b2526

SHA1
3a030fb8d907df5231e129014f0d3add1ad08837

SHA256
cb10a8d607648a145ac7d94b9c39730a1e9f70a8351ad60d79122be0891fca91

SHA512
e356eb68c95b51ec99ad9ecb58f422b2652f2f21954798d8204338f1423a6c3bbca944c92fda256c4063b9c58f12dcc51d5513f25c2d44fd2873041a16d53b06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c96f33d8e2eb427ada3288e4cde67142

SHA1
cdf508a042809e47d8cfc7ff25729466ed2dbc8a

SHA256
c3c6e98c1fc17cd8383fdce8a849a7e1b29b83f2c05bc98796eb88591e9747cf

SHA512
61941198ee3cc1d4cb0cde7758e7c7857fa65fa5d69abbe5ed621abe646350485deecf168e759dc9d41e999d9989c7673653ce6558a5b8cfd3235e7569169d72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe2628107cf36bce4ff063deb9776ec2

SHA1
32e6385584388137c14f9ddf9e830ec767d5ee7d

SHA256
a90cbe3f819e283f0936dc922fea468ffb20190efb66dff654bbc4945bffa651

SHA512
7512f1241943a9f02631f9f8b9df71ddaf33e105e14fb92af328920779aa3ab74a74db4b5a8f9fd811d1a470f76404d15a7d7e1598eff241de84027a53b9ab26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ae860822222b46bbeb3666eb8373e22

SHA1
79ead42cc8e7b2ea40954ea65cd1c151ad118e42

SHA256
3857af167277d712b4ebeb8c85b2c08487a0e9c27e8e1de1ec3dbe8d256734dc

SHA512
d7114e76d9739a10529c576d489ccf0d03444eaf032f8ca4b43d7496b8d3cfcaec171b93f1accf4bd0fe8ed7fc1c18a4bf71ddbde80aa033f35c3dc9b94f2a45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b5ad023ca2d2d71638e06437d20e88d

SHA1
5b4d874cd25e638a001bf88353c7363ff05b8edb

SHA256
b7b11532e289059c44e7d463c8ed3550812d089e96ff70448517b3db97506e70

SHA512
16e3c96d32446de1fd3103f8fdbe2cfc5990f24d5c217bd81c02fe580433ba8e8caf522d1c98ce7e7598b70ecc1463e07dada7d9298ddf78201ef211c54c98ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b04c12a6419f2f4442ceeeea024ab120

SHA1
3286c7598f167e82d94e3c286eda32cc3c7d0504

SHA256
7fad45f4e8c4025747b738c869c3f8a151a81ce8cd5a5fe8cf55af4c5cbb6c82

SHA512
e38ab1589b7f88a0876dd2fd4818b6cada07840f812781e5c22c491ff6709e3c497b7268f0d4d347fb4ada890fea566f151317f73314b89ba1d337a6569b4c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

Filesize
205B

MD5
b6215cff79ce77ce9065a3f853cf90f1

SHA1
d68dd12c3139b21465767fc632623b5f69e5a4b6

SHA256
3af666236d8a35f6b51ff5587bbcf7e8132ece7bfd21ed3de223d97cb26af304

SHA512
d3f35fb3a9ba2915482bd6b2258c88bf2ed25b2387a0c6fcb7c651225b624c5bb8322b2a19e7e05041fe929f5caad5e846b269fd5200e3a26ff1347c496f9feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAC48.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

Filesize
205B

MD5
e9b91fc23c2eab28468282172cc10069

SHA1
6f6a9f34b7908b8a2c0d6ff04574dc3623a70771

SHA256
acfffab17d01cb3034c137733af791420778d0d6c6b4b2d282cfb7ff49b0068f

SHA512
e651390a3e67911e1098a9dc75f5bd422ceba8f5b8bdabc63d2d5f0d301ee6cb6372e3946736b418c1eb9f6ea0b4bfbce976369a4c9216fff698736a8793d2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat

Filesize
205B

MD5
29ed755dd548d04146f9d05a3230b33d

SHA1
9a2b846fb4b736ac0868760a48cf4f5cb8158963

SHA256
fcb37113604b92c1ae99152ec96dd89e259c59794ea372ab6de6f32b9ef05af1

SHA512
d7fe20056ace8a33f687b4198a0cc0de0718cfed1fe74d18797fe9e5e716c24a34bff59b1fdb43ba37192f0fa57eb7a9753a65bd041ad4783f224ed29cc6b9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
205B

MD5
ac4bd7745a770f41fb9f023d2ea75546

SHA1
1e000db7c123e8353d634f83c754ecc9ff4bd7f9

SHA256
7b9b5c91ebafeb1e3b4792b5258a7ccada7ea6081b2a85352708a89516ac5991

SHA512
1e98aaeb5eb8de488514950242e2a76b13e418da0ba66183722b33c15dfdf8b5fda5af1ecd7a09e5019cad887cc252adebb3238b519c6abd60d1e7126a4814e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAC5B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
205B

MD5
d2829c50b40c1ed3a9d8628c9ab51aaa

SHA1
ae04339b9a415a13fc0b815515673d593098f8c3

SHA256
7ba6a8eca4b8de324f56d9960b7c104fbf49b4aec6e1776624e9b631a9efea99

SHA512
d909bab3f6fd1507a773e2f51daaddf921b94e4ab58251cad4f2912b43b17c0b221c4a8bc4398a6ab5a536b852291e07814d573f58e6675e3a5e1299328e7ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\as7boQT60v.bat

Filesize
205B

MD5
4bd89fa9947a067b8dc140e7ae557d3a

SHA1
7951de4e7debaea577ea7d76da1445b78d53724d

SHA256
f4823b41ca9ad7eaf38879787e319a972a1558fad40f67e306e32ab63a94bb37

SHA512
02e8a031e379c747abedbf430a4d113f68c39b4241a37962ea0942261dd69ef0f8ece578d9aa44b478d6696014ad810f87da30cbcc119ce84ad6ab2f0fe3c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
205B

MD5
692e6954152943a6ac320927573d4733

SHA1
c937537d61488b03567313ced28c09df47029024

SHA256
f88b3342c1f7c06d37dbc7b55c7b9c15c10e9e67362f249b0494b92f6c87e53a

SHA512
e71ecbd99cbb7d273d16fc87c89c1b54b3c2aabff7e108b2e7629f94c11331525f82ad3af74c9313eff1360cbd1e025a48b1ba31650d9ca1ddddae1f80ac0e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

Filesize
205B

MD5
40ca0096813b534f07dbdf12f431c894

SHA1
655104b173068a0a0c14de3a771a26a2985b1636

SHA256
852ffdd6469bd02afff1a7043c028961d6ff534f86330f9b9e7ae256fd7149cd

SHA512
9c7e5143d5972adab8abb43fbbb9b64c1d169351d2c283c2472698b8fa5880a2d6b3a8f7ef287e3478d99c2916b806587b413f04bd8bc3a299341085903da6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

Filesize
205B

MD5
5d484e524ea5e1e3141b574009d0f13a

SHA1
409665495e97d8107d8c532c6cbdbdd922ef4bec

SHA256
2bd6eec79a67ca68e5ce726c87c778b296fad7d6d1486e2d381601d1862776ae

SHA512
a4d1b1b0b0c73bed3d7f09139adfe2dea53567e1cc229d13731eba2b5ec9fb7e09f1440b232841421bfd6f2d4fa4abccdea818c56cb0f23c5fae3340661e0caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

Filesize
205B

MD5
4c71a829729178e90130d240a560f1c6

SHA1
2eaf7b8707c76a36457c4681027f3dc06dd9c901

SHA256
4ded04ddf0ba4e02692835d76c9bdb3290517e5fabe1c6ee7680518dfccf9701

SHA512
587c36e66826eb3583d6f0cfae0dac9a767e132edfde08296582883f641c972e39391b57e83cb67cd2d55f64e9b0963188e60c2ee84a87fa516f4a89c6623330

Download Submit
C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat

Filesize
205B

MD5
92d3d7caf6a02c2ee028062195926087

SHA1
45c20bc6b634fa64b8cfc656e9a1a2835e610795

SHA256
cf5fdc341acbde332fef3d9c14755462adb229a1de2ac0f14f9b4a5df83b1fec

SHA512
b9c81008261fc3f72e9c48fdaa255bdd88bf0bd6a43a383f7b5293323e1f8fbe17149e68b1fe6f9966692f4c0c1d0c8163a2c34a375c9579ff10655500f8149c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d5ad5b54722f70e826325c59a1dc87f5

SHA1
a97d3093de01484db7d5e8f024138d48517e68e3

SHA256
759be71b7a47e41e3293de468fb943ddca0944d70aeb537f51d6ceeb086ecfef

SHA512
a25ffd1a73dbf9252193834a3712fc22accec9b254ef512decf8c25c37911596332a0dba4d2ed40cd1ccb5f4915bdb014752daf9255443da5fcf5395fe132a7d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/576-334-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1244-454-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/1636-633-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/2272-693-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2280-156-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2280-394-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2280-155-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2744-215-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2904-13-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2904-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2904-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2904-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2904-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/3016-573-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/3020-63-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/3020-65-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download