dcrat | 5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28.exe
Size

1.3MB
MD5

73e7771e9b6f203eab524a704807fec8
SHA1

acacf0b2d442e31818a9939bbbbc952b8ca48280
SHA256

5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28
SHA512

fe3538a70857ee49d9083fc8c7512ef90ed833ce7425ff08420d5e83bcbc8bde415988beacb33ef6e6fd03f70f49a90f6e570267689cc22045b4a80038c1117a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2660	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2660	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cab-11.dat	dcrat
behavioral1/memory/2124-13-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/1684-177-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/2432-236-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2000-296-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/1116-356-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/2708-416-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1008-594-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2624	powershell.exe
1140	powershell.exe
2772	powershell.exe
2616	powershell.exe
1036	powershell.exe
2040	powershell.exe
1484	powershell.exe
1868	powershell.exe
932	powershell.exe
1352	powershell.exe
2560	powershell.exe
2868	powershell.exe
1956	powershell.exe
3008	powershell.exe
832	powershell.exe
1676	powershell.exe
2124	powershell.exe
1992	powershell.exe
1920	powershell.exe
1964	powershell.exe
3012	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2124	DllCommonsvc.exe
3044	DllCommonsvc.exe
1684	dwm.exe
2432	dwm.exe
2000	dwm.exe
1116	dwm.exe
2708	dwm.exe
2724	dwm.exe
2928	dwm.exe
1008	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	cmd.exe
2508	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\WMIADAP.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe
916	schtasks.exe
3012	schtasks.exe
3068	schtasks.exe
768	schtasks.exe
2904	schtasks.exe
1296	schtasks.exe
2792	schtasks.exe
1276	schtasks.exe
1028	schtasks.exe
1752	schtasks.exe
1152	schtasks.exe
1808	schtasks.exe
2684	schtasks.exe
2600	schtasks.exe
1796	schtasks.exe
2844	schtasks.exe
2180	schtasks.exe
1692	schtasks.exe
1528	schtasks.exe
1324	schtasks.exe
2692	schtasks.exe
1008	schtasks.exe
1148	schtasks.exe
1952	schtasks.exe
2688	schtasks.exe
3016	schtasks.exe
2524	schtasks.exe
2496	schtasks.exe
2508	schtasks.exe
1196	schtasks.exe
1584	schtasks.exe
1852	schtasks.exe
2188	schtasks.exe
1556	schtasks.exe
2548	schtasks.exe
2648	schtasks.exe
2876	schtasks.exe
2636	schtasks.exe
3056	schtasks.exe
2448	schtasks.exe
2892	schtasks.exe
2400	schtasks.exe
2592	schtasks.exe
1588	schtasks.exe
2708	schtasks.exe
2384	schtasks.exe
772	schtasks.exe
1968	schtasks.exe
2276	schtasks.exe
2064	schtasks.exe
2168	schtasks.exe
1784	schtasks.exe
2700	schtasks.exe
2648	schtasks.exe
1748	schtasks.exe
1732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2124	DllCommonsvc.exe
2616	powershell.exe
1676	powershell.exe
2772	powershell.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
3044	DllCommonsvc.exe
1036	powershell.exe
2560	powershell.exe
1352	powershell.exe
2868	powershell.exe
1992	powershell.exe
2124	powershell.exe
1868	powershell.exe
1964	powershell.exe
2040	powershell.exe
1956	powershell.exe
1484	powershell.exe
1140	powershell.exe
2624	powershell.exe
3008	powershell.exe
1920	powershell.exe
3012	powershell.exe
832	powershell.exe
932	powershell.exe
1684	dwm.exe
2432	dwm.exe
2000	dwm.exe
1116	dwm.exe
2708	dwm.exe
2724	dwm.exe
2928	dwm.exe
1008	dwm.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	DllCommonsvc.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	3044	DllCommonsvc.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	1684	dwm.exe
Token: SeDebugPrivilege	2432	dwm.exe
Token: SeDebugPrivilege	2000	dwm.exe
Token: SeDebugPrivilege	1116	dwm.exe
Token: SeDebugPrivilege	2708	dwm.exe
Token: SeDebugPrivilege	2724	dwm.exe
Token: SeDebugPrivilege	2928	dwm.exe
Token: SeDebugPrivilege	1008	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1796	2044	JaffaCakes118_5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28.exe	30
PID 2044 wrote to memory of 1796	2044	JaffaCakes118_5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28.exe	30
PID 2044 wrote to memory of 1796	2044	JaffaCakes118_5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28.exe	30
PID 2044 wrote to memory of 1796	2044	JaffaCakes118_5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28.exe	30
PID 1796 wrote to memory of 2508	1796	WScript.exe	31
PID 1796 wrote to memory of 2508	1796	WScript.exe	31
PID 1796 wrote to memory of 2508	1796	WScript.exe	31
PID 1796 wrote to memory of 2508	1796	WScript.exe	31
PID 2508 wrote to memory of 2124	2508	cmd.exe	33
PID 2508 wrote to memory of 2124	2508	cmd.exe	33
PID 2508 wrote to memory of 2124	2508	cmd.exe	33
PID 2508 wrote to memory of 2124	2508	cmd.exe	33
PID 2124 wrote to memory of 2772	2124	DllCommonsvc.exe	42
PID 2124 wrote to memory of 2772	2124	DllCommonsvc.exe	42
PID 2124 wrote to memory of 2772	2124	DllCommonsvc.exe	42
PID 2124 wrote to memory of 2616	2124	DllCommonsvc.exe	43
PID 2124 wrote to memory of 2616	2124	DllCommonsvc.exe	43
PID 2124 wrote to memory of 2616	2124	DllCommonsvc.exe	43
PID 2124 wrote to memory of 1676	2124	DllCommonsvc.exe	44
PID 2124 wrote to memory of 1676	2124	DllCommonsvc.exe	44
PID 2124 wrote to memory of 1676	2124	DllCommonsvc.exe	44
PID 2124 wrote to memory of 2560	2124	DllCommonsvc.exe	48
PID 2124 wrote to memory of 2560	2124	DllCommonsvc.exe	48
PID 2124 wrote to memory of 2560	2124	DllCommonsvc.exe	48
PID 2560 wrote to memory of 1964	2560	cmd.exe	50
PID 2560 wrote to memory of 1964	2560	cmd.exe	50
PID 2560 wrote to memory of 1964	2560	cmd.exe	50
PID 2560 wrote to memory of 3044	2560	cmd.exe	51
PID 2560 wrote to memory of 3044	2560	cmd.exe	51
PID 2560 wrote to memory of 3044	2560	cmd.exe	51
PID 3044 wrote to memory of 1036	3044	DllCommonsvc.exe	103
PID 3044 wrote to memory of 1036	3044	DllCommonsvc.exe	103
PID 3044 wrote to memory of 1036	3044	DllCommonsvc.exe	103
PID 3044 wrote to memory of 1352	3044	DllCommonsvc.exe	104
PID 3044 wrote to memory of 1352	3044	DllCommonsvc.exe	104
PID 3044 wrote to memory of 1352	3044	DllCommonsvc.exe	104
PID 3044 wrote to memory of 2124	3044	DllCommonsvc.exe	105
PID 3044 wrote to memory of 2124	3044	DllCommonsvc.exe	105
PID 3044 wrote to memory of 2124	3044	DllCommonsvc.exe	105
PID 3044 wrote to memory of 1992	3044	DllCommonsvc.exe	107
PID 3044 wrote to memory of 1992	3044	DllCommonsvc.exe	107
PID 3044 wrote to memory of 1992	3044	DllCommonsvc.exe	107
PID 3044 wrote to memory of 2040	3044	DllCommonsvc.exe	108
PID 3044 wrote to memory of 2040	3044	DllCommonsvc.exe	108
PID 3044 wrote to memory of 2040	3044	DllCommonsvc.exe	108
PID 3044 wrote to memory of 1868	3044	DllCommonsvc.exe	109
PID 3044 wrote to memory of 1868	3044	DllCommonsvc.exe	109
PID 3044 wrote to memory of 1868	3044	DllCommonsvc.exe	109
PID 3044 wrote to memory of 1956	3044	DllCommonsvc.exe	110
PID 3044 wrote to memory of 1956	3044	DllCommonsvc.exe	110
PID 3044 wrote to memory of 1956	3044	DllCommonsvc.exe	110
PID 3044 wrote to memory of 2868	3044	DllCommonsvc.exe	111
PID 3044 wrote to memory of 2868	3044	DllCommonsvc.exe	111
PID 3044 wrote to memory of 2868	3044	DllCommonsvc.exe	111
PID 3044 wrote to memory of 1484	3044	DllCommonsvc.exe	112
PID 3044 wrote to memory of 1484	3044	DllCommonsvc.exe	112
PID 3044 wrote to memory of 1484	3044	DllCommonsvc.exe	112
PID 3044 wrote to memory of 1964	3044	DllCommonsvc.exe	113
PID 3044 wrote to memory of 1964	3044	DllCommonsvc.exe	113
PID 3044 wrote to memory of 1964	3044	DllCommonsvc.exe	113
PID 3044 wrote to memory of 2560	3044	DllCommonsvc.exe	114
PID 3044 wrote to memory of 2560	3044	DllCommonsvc.exe	114
PID 3044 wrote to memory of 2560	3044	DllCommonsvc.exe	114
PID 3044 wrote to memory of 3008	3044	DllCommonsvc.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5da935bb79ad7f8a80e64593e09f4d1922c0fa80077926ed71b0eb263acf8b28.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gsi4pWcSOH.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1964
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GCz4Ehy5lY.bat"
        7⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        9⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2872
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
        11⤵
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2556
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        13⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
        15⤵
        
        PID:3052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        17⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2224
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
        19⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
        21⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:236
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\SendTo\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default\SendTo\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f84bd8cb1bf103d3425d15fc4a66e1d3

SHA1
0a6a22fa533b8bddee3c869571cd3a2558bb586b

SHA256
eb0dfee0ce2fcc040e9b36b900174e38e13d2dfb3400772c98eb7a48f221c737

SHA512
73749c712e976155af9215c3b339e0046fe17b6ae403b6ad7dd51ef019dd69dd7039b3a3f67ae6bfb5d78a0d6646412ae55a7613c22cedf308674b5ff6530f4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ff5c345d594e60b521ed92b9d395763

SHA1
5e99ff2d4d2766ea77d89308f48e452a1a95bb02

SHA256
20095de15197773b92a730811d6ab696725be8e9b2a3f961fee7c3f049bf7bbe

SHA512
91d41453f3a5f302135a5cdaa7ae0caa6de8615effeb31700104b61650eb8ad9293ff62bc92c0f348cc2f75dad45fa2e2e2d4d821228910e96a3b07b726faa59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eabc2e92b9c497e7471f46c7a4992b8f

SHA1
8b5331f3141f66579aebf9a1e63362c60d28cf03

SHA256
69cb955246e04d4dbbf0bd70c3a9dae9aa49d09402d445a1c077669cd0323c87

SHA512
7c67c189409d8f0980eb7887551717f28b24d38ee8129785282729d1886f31a2a0e47d97a4887240a02ab9b2ae2213a04f627cdd41b00154ca8d8ffb67a02e79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e8d0af3408ba6327af36ce5f4652538

SHA1
f49e242a21df17941ff437f354075d0296902305

SHA256
df5935e293aa82b4a90d4cf8451a970594f210ef6eeb7092e15b749710fcbe93

SHA512
e990389879e2bcaea61fd1534a19d13f511adbcbace561485d53881ddafad38dd33cd7c229dcc7827f0ad11406e020c8e8c233d819cf1ee4d97eaa8c7e4c8350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef2f468bc06bdf00e3d67ee562a9e9af

SHA1
d8618cc5333d8bf67dd75739a929585303f514b4

SHA256
96c569aa326dce0deae4c55e93c15810c51d39227c281f713ec96d21dc4b5929

SHA512
a10dd317f06fc436b8a2d379c080a91468dc7076175f9b250b44c0306fcf4f252c579b12efe0873226bb2acbf206349a0516dcd53c72a51cc0fa7bad4c8c2a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81c100a55f110bd098f5c747c0a5b0b7

SHA1
5b14bd24b819159571eb20c69dcd6d79bbd73e0e

SHA256
0c0acd3fda4cff1e516987223c19dfed0378c699eea26a74412bfa2d46229357

SHA512
7f08bb64b26048e9182962e9cd1cd66562b0fda874b5e39a7b74631476ac046dcb07ccd0810f1df9b228edff4a338bae9e5645ba6819d77032bd4c867b6bef14

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

Filesize
263B

MD5
430754d2882ef7f445a5fb6408dd53d5

SHA1
c76059eff4eed5fc021ff301ad832cd3bf7e980b

SHA256
61c31ba754a98ece8f96ce1ebd36c8382261138b86da6b9e1a965fda7a7a099d

SHA512
7edc3a81a46cf69c74efe0a56be24b5526b4a071d1dcf98a51d80d4294fb2ef3f7357b3cdb838cc26e5745fc9406443faf1ed5c4e9388292428850d51a9ecf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat

Filesize
263B

MD5
e9ec7b8db72f96f842e7c3e1c431d3c9

SHA1
4cfe610da80300760811769a74f4d537103e9343

SHA256
130d2a8bb8becb796a780aa0a61cb97c72f8e6b0733b1714ba2d3520adc39a8c

SHA512
b61f55134ec060a39cfeec745483e81a6d909e89d526cb45d96f241fc88d83796a9eef6966cb91561f1b9154c991860793a28c845919eb55da5503feb781e02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
263B

MD5
36d2e1be999a5fbf7c993ca45f26dc72

SHA1
526d622eaeefe7643b34993e9f70db326038fd38

SHA256
ef3ff5487e0136a7696c7917461e3e547c36278d1b6983084939710ceebd17dd

SHA512
dcf6c2b85f703f5b031c780c7fe83569c2c3b633bb33dab44e2f9d3b437257a70cc6b1d6d5ee5aced6e3714ee38104f2117584e11ee9bcd469dd735e448c9b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
263B

MD5
2360f885b41acdd9745ea4701cb31985

SHA1
96feeb6729ed2ee2f019c7860b7a75aa289c8a7d

SHA256
2bc4f85d4bb166b3727b1af2869e2192a8b32dff85cc52719c85dacb788f4422

SHA512
01a5ceb1a4b4fdaedeff1c0637b1f1b42dfaa8b82c4a2c38753b15c997117c04d66d5b9f5137c7b96f5228fe0cb04fa6d41048036d7dca0f0459df9cfd3f8ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab55C0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCz4Ehy5lY.bat

Filesize
263B

MD5
f56fc855f7d70db0c30637abd5e3e366

SHA1
09814a07c4002ba0de8b6d5118f4bf2151e0da0a

SHA256
e13dd1bc6af453b511a3658167eff261b31d186f41271b730634d0da13912ad8

SHA512
fdf392eb2b860fe275c4f96f40a0d5327983c9592e17ccbb5df769967e76424158966e79958a82521a210832cd0b0fc6772198bbe8b12e7eccd496fd7ab98e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gsi4pWcSOH.bat

Filesize
199B

MD5
8d401b7ddc39287a00e13f72771f53d8

SHA1
86d22239962d89a873561cdd998100dc0c1bae2a

SHA256
a60d5ccc9cd85a6578ae213e78a81cf3fc1f1e92532879699c60c6830a047fbe

SHA512
df64df1f22f76a19de00ebc0eb0e06b1ada14a2a0ee8daf76e17c6bb5dd7fafe47a822215729d33cc16ebf8d6c985218b36300238f000141c13f0bcd6a1e2cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar56AD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
263B

MD5
37319cf9b8ce7d31342d7dee195c6a21

SHA1
ae9ab84a2f1f54c8eed0195a6264fcc88f786898

SHA256
a9c6d6e9e768e68d6da6dbf0f3aa0b73657ecd6cff0c85680d89a6dadb7bf306

SHA512
c616753dc9242a818d523de6d9cdf938bc63f09ec4d0ffd02690972c3961fd6a51445961c27dfe06fbb54cfba08412695728090aafc9f3861c9d480b5ead7ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
263B

MD5
cbf4cf375dfcb47cde4798a6d95ce585

SHA1
75d67bf20f4c3b5c456efd2d28d80221d7745792

SHA256
f581afd2ba0ca07e98b57e9fe681a08809f40220a18771606e77c8326cd8481a

SHA512
6cb6b5d2537f387d8c3d78a5398b96cc5f551833c7a96a7307f132f9bc56c6608cb3f077b2a7e5d86027b6b435f2c086cc0fc9c628bd2f7a6bad91b96cf53ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat

Filesize
263B

MD5
aee8671371b1e42da373c9a20caf8c35

SHA1
f34b90bd60332c0ebc6e141e8cdfc04061335282

SHA256
c14adfbdc45621e3bb3ae5b7cac251a5748c700ce76917d72364cf019a9813da

SHA512
7251168b1dcade7adf14d02b7779f726f95478820aa35132fa1057356a32b72a91fa44c54d02e528f84fce657bfc22ea30050e5d290ec4a7d66768c5e4a5ab3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a3b7287f4545a57db105007177866c46

SHA1
93d44dc555da0270bbf6f8140b64a28bcde88431

SHA256
12542718768d92551729116bfb3ff0b6d956e37df396f90c1e89ab0328f097d4

SHA512
05577ca355a88a16e4fe52a2fa60f19cd5fbc689da92bb4ccee95086f7d2f638af6ad91bfb5cbe10cb34637b14cbd73f0c26cb0704c2689c3150b160e08cb04d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1008-594-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1036-103-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/1116-356-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/1684-177-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2000-296-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/2124-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2124-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2124-13-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2124-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2124-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2432-236-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2560-104-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2616-41-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2616-40-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2708-416-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download