dcrat | 28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Size

1.3MB
MD5

86530bf4b3d606a1f3031a93d8d02712
SHA1

9a4ebab5ec898e73aa30c28fd695ec95e6e6e22b
SHA256

28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7
SHA512

f42cc0f5a0a1a909a9f16a6c08a882dee15ca34e4b6514d2e35c3eb3a0206f11f8cb8230c483baede054248bd93afafe505e524c4d7549aa9e8afb983d1fe771
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2524	schtasks.exe	32

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014b28-9.dat	dcrat
behavioral1/memory/2904-13-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/1096-143-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/3048-203-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/1208-264-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2696	powershell.exe
2792	powershell.exe
3044	powershell.exe
2296	powershell.exe
2924	powershell.exe
1616	powershell.exe
1732	powershell.exe
2752	powershell.exe
2316	powershell.exe
768	powershell.exe
1668	powershell.exe
1072	powershell.exe
2608	powershell.exe
2964	powershell.exe
2444	powershell.exe
2648	powershell.exe
2708	powershell.exe
2692	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2904	DllCommonsvc.exe
1096	taskhost.exe
3048	taskhost.exe
1208	taskhost.exe
2132	taskhost.exe
2508	taskhost.exe
1204	taskhost.exe
2932	taskhost.exe
2248	taskhost.exe
2256	taskhost.exe
1228	taskhost.exe
1128	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1496	schtasks.exe
2532	schtasks.exe
2844	schtasks.exe
1752	schtasks.exe
2472	schtasks.exe
408	schtasks.exe
1992	schtasks.exe
600	schtasks.exe
2268	schtasks.exe
1444	schtasks.exe
1960	schtasks.exe
2944	schtasks.exe
2916	schtasks.exe
1440	schtasks.exe
1528	schtasks.exe
2676	schtasks.exe
1080	schtasks.exe
964	schtasks.exe
2176	schtasks.exe
2180	schtasks.exe
1512	schtasks.exe
2972	schtasks.exe
1116	schtasks.exe
1712	schtasks.exe
2076	schtasks.exe
1088	schtasks.exe
1340	schtasks.exe
332	schtasks.exe
1128	schtasks.exe
2184	schtasks.exe
772	schtasks.exe
3036	schtasks.exe
2756	schtasks.exe
1112	schtasks.exe
1656	schtasks.exe
1636	schtasks.exe
1508	schtasks.exe
1644	schtasks.exe
888	schtasks.exe
1968	schtasks.exe
2884	schtasks.exe
1348	schtasks.exe
2404	schtasks.exe
2160	schtasks.exe
2380	schtasks.exe
1680	schtasks.exe
572	schtasks.exe
2736	schtasks.exe
2804	schtasks.exe
1624	schtasks.exe
916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
768	powershell.exe
2924	powershell.exe
2444	powershell.exe
1732	powershell.exe
1616	powershell.exe
2608	powershell.exe
2964	powershell.exe
3044	powershell.exe
2648	powershell.exe
2708	powershell.exe
1072	powershell.exe
1668	powershell.exe
2692	powershell.exe
2752	powershell.exe
2792	powershell.exe
2296	powershell.exe
2696	powershell.exe
1096	taskhost.exe
3048	taskhost.exe
1208	taskhost.exe
2132	taskhost.exe
2508	taskhost.exe
1204	taskhost.exe
2932	taskhost.exe
2248	taskhost.exe
2256	taskhost.exe
1228	taskhost.exe
1128	taskhost.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1096	taskhost.exe
Token: SeDebugPrivilege	3048	taskhost.exe
Token: SeDebugPrivilege	1208	taskhost.exe
Token: SeDebugPrivilege	2132	taskhost.exe
Token: SeDebugPrivilege	2508	taskhost.exe
Token: SeDebugPrivilege	1204	taskhost.exe
Token: SeDebugPrivilege	2932	taskhost.exe
Token: SeDebugPrivilege	2248	taskhost.exe
Token: SeDebugPrivilege	2256	taskhost.exe
Token: SeDebugPrivilege	1228	taskhost.exe
Token: SeDebugPrivilege	1128	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2792	2284	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe	28
PID 2284 wrote to memory of 2792	2284	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe	28
PID 2284 wrote to memory of 2792	2284	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe	28
PID 2284 wrote to memory of 2792	2284	JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe	28
PID 2792 wrote to memory of 2760	2792	WScript.exe	29
PID 2792 wrote to memory of 2760	2792	WScript.exe	29
PID 2792 wrote to memory of 2760	2792	WScript.exe	29
PID 2792 wrote to memory of 2760	2792	WScript.exe	29
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2760 wrote to memory of 2904	2760	cmd.exe	31
PID 2904 wrote to memory of 2924	2904	DllCommonsvc.exe	84
PID 2904 wrote to memory of 2924	2904	DllCommonsvc.exe	84
PID 2904 wrote to memory of 2924	2904	DllCommonsvc.exe	84
PID 2904 wrote to memory of 768	2904	DllCommonsvc.exe	85
PID 2904 wrote to memory of 768	2904	DllCommonsvc.exe	85
PID 2904 wrote to memory of 768	2904	DllCommonsvc.exe	85
PID 2904 wrote to memory of 2316	2904	DllCommonsvc.exe	86
PID 2904 wrote to memory of 2316	2904	DllCommonsvc.exe	86
PID 2904 wrote to memory of 2316	2904	DllCommonsvc.exe	86
PID 2904 wrote to memory of 1616	2904	DllCommonsvc.exe	88
PID 2904 wrote to memory of 1616	2904	DllCommonsvc.exe	88
PID 2904 wrote to memory of 1616	2904	DllCommonsvc.exe	88
PID 2904 wrote to memory of 1732	2904	DllCommonsvc.exe	89
PID 2904 wrote to memory of 1732	2904	DllCommonsvc.exe	89
PID 2904 wrote to memory of 1732	2904	DllCommonsvc.exe	89
PID 2904 wrote to memory of 2296	2904	DllCommonsvc.exe	91
PID 2904 wrote to memory of 2296	2904	DllCommonsvc.exe	91
PID 2904 wrote to memory of 2296	2904	DllCommonsvc.exe	91
PID 2904 wrote to memory of 2444	2904	DllCommonsvc.exe	93
PID 2904 wrote to memory of 2444	2904	DllCommonsvc.exe	93
PID 2904 wrote to memory of 2444	2904	DllCommonsvc.exe	93
PID 2904 wrote to memory of 1072	2904	DllCommonsvc.exe	94
PID 2904 wrote to memory of 1072	2904	DllCommonsvc.exe	94
PID 2904 wrote to memory of 1072	2904	DllCommonsvc.exe	94
PID 2904 wrote to memory of 3044	2904	DllCommonsvc.exe	95
PID 2904 wrote to memory of 3044	2904	DllCommonsvc.exe	95
PID 2904 wrote to memory of 3044	2904	DllCommonsvc.exe	95
PID 2904 wrote to memory of 2964	2904	DllCommonsvc.exe	96
PID 2904 wrote to memory of 2964	2904	DllCommonsvc.exe	96
PID 2904 wrote to memory of 2964	2904	DllCommonsvc.exe	96
PID 2904 wrote to memory of 1668	2904	DllCommonsvc.exe	97
PID 2904 wrote to memory of 1668	2904	DllCommonsvc.exe	97
PID 2904 wrote to memory of 1668	2904	DllCommonsvc.exe	97
PID 2904 wrote to memory of 2608	2904	DllCommonsvc.exe	98
PID 2904 wrote to memory of 2608	2904	DllCommonsvc.exe	98
PID 2904 wrote to memory of 2608	2904	DllCommonsvc.exe	98
PID 2904 wrote to memory of 2648	2904	DllCommonsvc.exe	99
PID 2904 wrote to memory of 2648	2904	DllCommonsvc.exe	99
PID 2904 wrote to memory of 2648	2904	DllCommonsvc.exe	99
PID 2904 wrote to memory of 2692	2904	DllCommonsvc.exe	100
PID 2904 wrote to memory of 2692	2904	DllCommonsvc.exe	100
PID 2904 wrote to memory of 2692	2904	DllCommonsvc.exe	100
PID 2904 wrote to memory of 2792	2904	DllCommonsvc.exe	102
PID 2904 wrote to memory of 2792	2904	DllCommonsvc.exe	102
PID 2904 wrote to memory of 2792	2904	DllCommonsvc.exe	102
PID 2904 wrote to memory of 2752	2904	DllCommonsvc.exe	104
PID 2904 wrote to memory of 2752	2904	DllCommonsvc.exe	104
PID 2904 wrote to memory of 2752	2904	DllCommonsvc.exe	104
PID 2904 wrote to memory of 2708	2904	DllCommonsvc.exe	106
PID 2904 wrote to memory of 2708	2904	DllCommonsvc.exe	106
PID 2904 wrote to memory of 2708	2904	DllCommonsvc.exe	106
PID 2904 wrote to memory of 2696	2904	DllCommonsvc.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_28c5a31d5015f85f87106a7e876e78aa94801b36fd57d87272315d74c42fb9f7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zjYsvWFKF3.bat"
        5⤵
        
        PID:1604
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2224
      - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
        7⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2328
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        9⤵
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:556
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
        11⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1368
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        13⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1792
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
        15⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2020
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        17⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2244
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        19⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2292
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
        21⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1652
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"
        23⤵
        
        PID:2480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2544
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        25⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2736
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe
        
        "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7783898679fa69a19376bcd06b421073

SHA1
da680bcb3f13b6fb816bfbc878830923268d9f21

SHA256
b622c30a1b21396202b2c4329a567a7a9df2cd7050a3d38f0edae4663ffff696

SHA512
25e9e0c1750e3773f36b5b34cb47091c2b3594e9fff8e262b40277071bdd8815ccdaed63787107bbc4bdc8f59c835cc00930c3dc79479914e58c470854fa38bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c99faa16d1c42702b2498a95b492bd2

SHA1
311969fe87480f168629a30363e0a623cc4cd3ac

SHA256
a077d9db69cba951d7b25bdf6e0e6e6287c91396a912087250343d9d0e23bea7

SHA512
c665dcad1d92d7c4a102e57966dff95ad0b2ea15bbf86b591ccbf3505450dd998a67dc160fa2c81eacb391bca931d969489c4572a8da8d18913a48d60d264274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bc14da09e12fe7b3056fe7cacd8b666

SHA1
981889acd60dfa1df98fff021321c16d988a2faf

SHA256
7226e474e2f068fa223af4fab0c3a3f4eaf1a8b6d295767d5de3241425a20db0

SHA512
6f511f0651dcd89c5c4c2d692eaa9a2d2b1828131756741fa3f1e4b61ee8cdbf8d8b845d5b5090d1fe087566b88f256a60079e0c7c24bf4a7301d59e09c929d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78a53d323803e907b88e0de483ddaea7

SHA1
43d9f23072cc911db44b5b8cfd8fedb597f13ab9

SHA256
1d9e3eae7868622441f8d632a821877dd4504b14dc1354d3e9c6c9faf6d535b1

SHA512
cd785004c0f8845b9f3ed902b227ad6352f62e3ab12457c0cd271890870840f03a8fb847e0955432b4d54ae9c75e68c2f353e90bc7d52d5bece023664b5b4426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f83644d9bc6052aebf4d349ae0ac439b

SHA1
aaa99e5d57ce177fed6c7fac88f12e3d1e4747a4

SHA256
b38b22dc847c80cc36952f8904a0c01c2890331ef8b08506fa99c04f935aecd1

SHA512
05c2a2cdd41b7c48600ae5bb519172f91d31cbdcc85736eb2fc678cfd80383a1eae485c211e7b4dcbd1028d97a6203bc23252f8e56522474868cff345d223185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
418f684fec3970dbf5fc42d4e7024aea

SHA1
399b5ddd5fbb83b6258b8b8adcd626f02a0497f0

SHA256
f02c914f21bc10f1a6cbc578bf34816f45f0416d9bce9c2064cbcb2fee069e1f

SHA512
69f01fd2774df97d20528cc662891fc71ebde14dcd0854ea83d1749ff976568f57150a044b1cd630d8f3aae0e7e60c099fbb1889f03791d173e680760714729b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be9e80ac68894f2e9a80ea2bc0e85eaf

SHA1
644f41f3b6673a38713dc5d86999dde7e331997f

SHA256
9fa5c80b826289d01074d577c96f0a90a7fc654fb2cbc226abe28faf4d3fa31a

SHA512
d1f2441137b918ca01ef3aaba2fbbdb5e4af74f64351baae6b3c96bcc0b47d3de40e2cb579d7b3613ebf9ba6cb64606b069ca3ee26e174d3b6b49f0f88a7322c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd8107ce1bdf712d0b5556e3e00a1791

SHA1
6c33d3f10c25d0a78acb96151df748cec1a6e0d5

SHA256
6c2ea9c677cb68745bd969ec4e42b3573eeec11a271f5b9e70dcdcfed5c6eebe

SHA512
4474e4788d34040c07d0738330e1cc8652915f2b849619e4e80c1f90b7f242f674ab274b54f411e4629fc9abee771e6ad6ee2e531f11f5b66c9343a5605059a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52b37f8e721f8b475371291f2148babd

SHA1
d08d05d00d7232a1d4b88d204340d226e8043e2e

SHA256
a441a3fffc99be881adfb0845e907baa56ea4c75bd1b0a0e5179a539c92acc04

SHA512
4ecd133794c8207815da947019d8e44265c105618ee44e1a4c652a8546043239122c5da5f2fceae7b702e5fcd55903a605fa13bf8dc1bce3d8ba80b0010c08e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
226B

MD5
253dbb3ea3502d1255531401b040fd1b

SHA1
69bcda72df3c83e4ce5d4b1182adb311cd90c549

SHA256
8a23910c404f1f6e7956192c111efbf18081a8fff72e4b3d22842f1293e0aa6c

SHA512
3199f9ba2efd24bc0bb90b967b0bb48cee70e475f451fec6db2dc879e0be413d10afe47ede7edee98e0be38362cc531caafee77d44fcb86cbfec01af02761fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
226B

MD5
54c0c49e504b9d79a505a3f2770a958c

SHA1
14caa86a5f2c71546199b38482c4ec8c22f0022e

SHA256
968b843e7f78f346530c4bddd4fbb438d981420b64c770570b97a79147eee2d0

SHA512
cb045b150bde76192d672556dfa3f79c2547283a81c36722bc1d61ecb837b48c057b16a111658ea04ef4d0335a7014b31ff4f5471af4dfdbb743d311fc002b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA630.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
226B

MD5
f40d9b1facf708539aee59a6434f7edb

SHA1
fbf65a50b26300b5407a293e7fef7d78af9cb00a

SHA256
8318227e2b2b31ccfccb58dc6ef8c47cd25c531975c235a7e96b36194044a30b

SHA512
734800f5051b9d392cb4e262dd0478f486d323f9d8baa88e4485874ebe48ea7f31829bf94e282da1e4b395a1701a1d2c45951617629bb3307cfc9a6502bbeddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

Filesize
226B

MD5
e26654a0ad2a87e527894019377f1a40

SHA1
57c9148ea31fb76b73f62e43a904679ea0913cbc

SHA256
ea699f1650255b34e60e8a4bf68c14ed59d00df0ee7a7b4f8ddac1ca36421e7c

SHA512
2233b8f623576ae63ddbac41830f6db27e87a56e8a64760dc6656e52df8ba2d70403e5b007b48aa3af69cad2ca7563fe5f7b2eb1225367680fd5db9ba4f3f8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA643.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
226B

MD5
0b7194570c4bdfab2f08b6e21809b94d

SHA1
bb00e0ccf5fc64959161a0cf337a613b2d782647

SHA256
b7619386ccfd2c4fda968ca0dbd33959aba09bf40cb6f296010b230f008462c7

SHA512
308415a5c160c6db14248daf561099d06e6032518b811b2fa38f8b7d08778b6ce344a8595aed9ece232b7f8ea0a390741179969f10f675178f84113c81eeb723

Download Submit
C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat

Filesize
226B

MD5
a6df0786d3898ef166c7707a71fdaa7b

SHA1
0a372b0faea954a35741c3f77f570bd9a60e5998

SHA256
703b693b514fd0f59c1a375f2da27fa19664ee71d4e460732708496ac29701f1

SHA512
4dd0d4acb2854934271020d42084c183d267ad50f69ad48e5e0770e00db08931909ce84e21f6716a85aa1eb73a2cfb9f51f0ccb2c9624843c4a9e4cfcdbaacb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
226B

MD5
1bddae09f2f626ce11753350b7153fe4

SHA1
606e5931444fcfc60366e15a69c4c6724d5756e1

SHA256
7cca49c22169b2878d55057b808ad55c2063ac516858c50db18dfd99a2cf24ca

SHA512
60842dd8b950e11444142bf7fa4f41d1b4c371018d409693a340632576a93475605f4cd4f8156d915b7ed85cd798c7249d8c710e851b215892ea1ead08de54bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
226B

MD5
0b91809a9c31f0d07ec6ff1837174092

SHA1
d2227aa6e2e7611ec716ac1656e4625461b548a5

SHA256
9ce44594b617f6c45beffa2d1fff2582bb69a27cc394e2ca7fd8bda16a7c1e55

SHA512
1d9cd18a6d14aa5fb560cf546da41165ca6f81abcda05d5f389205ed1c8104de85c27a844c26a7efb99d9c46f9b2cc532c4230058d1a0450a1c18de2b0ae9041

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
226B

MD5
b85eeb6108802702b5d0238153250f39

SHA1
6c41845be0ed8b416737a250a88ff40eb3107b67

SHA256
d0de2fe9da793e2837d68fadcbd9668d49dee53e862a35fbffd3f37463936882

SHA512
4c0af00a0fa1766f0d204dedeaa8d7278971001297254c47dd075852ad9e2dbe7b62959940d8390f7b22e26d43b771ed38498e8db17f7e3f5eaee5b88d0653e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

Filesize
226B

MD5
0cb6272ae4b9f160d2fbdcde956431fc

SHA1
1135a43373b14ef6031ef66407aaf01cae50e19a

SHA256
3773a2361a8b72bc7afabb14a5886c14113a7f4774f7fcd2aa5c116721042820

SHA512
b881de80bec948355265a5f384d38979c5e6052d38c39277520ba271b52e7bf442bde0fe82e2a66a22b9622ec5d1f9a8398ca2112d01b6229169778fd9f95fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjYsvWFKF3.bat

Filesize
226B

MD5
6b7608fd88ee46166dfe6dc48539c4a6

SHA1
181e7aff08193d370b775b11877ff342b497bb21

SHA256
6917801413e5a41c3ca8f09572aed244f5340a9138362525cd084e81978dc7b9

SHA512
f984f2789ff97d819245bdf677f47b929ff82e28fa05aa91c896621a7d01025c29be11f6549117c3f2a7f5c21e9bbd70aaee5b09860064018b24a29e73976985

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
acdd09fb7b6fb3fd8f12b2e0c9e2aa9f

SHA1
0d1d7a6f56a95522527c7fe8e07ccccf2762656d

SHA256
3e698b9c289d961e31377b29b7c94c8a819fa2d9e3208c46957fa1dfc099c738

SHA512
6e21deae155f0b89ee1c9f8a9afd94a5b36dcf0a50b5ff8a471f3333725cf7244307c96055a77f30693e8a7fa8a9ff1207a7894e9f7d1b2487f0c3cbd9e273e8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/768-79-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/1096-144-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1096-143-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/1208-264-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/2132-324-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/2444-76-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2904-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2904-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2904-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2904-13-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/2904-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2932-502-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/3048-204-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/3048-203-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download