dcrat | 46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb.exe
Size

1.3MB
MD5

2f8c046a678643662929163443ecf69f
SHA1

94a1431fe1a721e2ad672e6f8da3bbf2a35138c0
SHA256

46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb
SHA512

a6648a6c3179d5987f4ad75763d37e39aae531d6749329c5766de01f0bea2f885f71fd0f19bc159575f0074737cdc625497684e2d429aef8469a1c006d899d9f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2424	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2424	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000174a6-12.dat	dcrat
behavioral1/memory/2056-13-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/408-138-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/1616-197-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1624-257-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/908-613-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2216-673-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/1712-733-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1588	powershell.exe
2728	powershell.exe
2796	powershell.exe
1624	powershell.exe
2348	powershell.exe
2984	powershell.exe
2724	powershell.exe
2856	powershell.exe
1556	powershell.exe
3000	powershell.exe
2508	powershell.exe
1964	powershell.exe
3004	powershell.exe
1700	powershell.exe
2008	powershell.exe
2140	powershell.exe
2204	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2056	DllCommonsvc.exe
408	sppsvc.exe
1616	sppsvc.exe
1624	sppsvc.exe
2908	sppsvc.exe
2356	sppsvc.exe
1780	sppsvc.exe
560	sppsvc.exe
2664	sppsvc.exe
908	sppsvc.exe
2216	sppsvc.exe
1712	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	cmd.exe
2640	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
33	raw.githubusercontent.com
39	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\fr-FR\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\taskhost.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Installer\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\Setup\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\System.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe
1512	schtasks.exe
912	schtasks.exe
1000	schtasks.exe
1572	schtasks.exe
2800	schtasks.exe
288	schtasks.exe
2696	schtasks.exe
1876	schtasks.exe
2392	schtasks.exe
1248	schtasks.exe
296	schtasks.exe
1956	schtasks.exe
1152	schtasks.exe
856	schtasks.exe
2628	schtasks.exe
2864	schtasks.exe
1936	schtasks.exe
792	schtasks.exe
2108	schtasks.exe
544	schtasks.exe
3048	schtasks.exe
2020	schtasks.exe
2376	schtasks.exe
1660	schtasks.exe
2096	schtasks.exe
1052	schtasks.exe
1808	schtasks.exe
2324	schtasks.exe
2076	schtasks.exe
2268	schtasks.exe
1524	schtasks.exe
2512	schtasks.exe
660	schtasks.exe
2152	schtasks.exe
3044	schtasks.exe
2112	schtasks.exe
2304	schtasks.exe
1592	schtasks.exe
1816	schtasks.exe
1672	schtasks.exe
1664	schtasks.exe
484	schtasks.exe
2944	schtasks.exe
1160	schtasks.exe
1028	schtasks.exe
1732	schtasks.exe
1688	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
408	sppsvc.exe
1616	sppsvc.exe
1624	sppsvc.exe
2908	sppsvc.exe
2356	sppsvc.exe
1780	sppsvc.exe
560	sppsvc.exe
2664	sppsvc.exe
908	sppsvc.exe
2216	sppsvc.exe
1712	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2056	DllCommonsvc.exe
1700	powershell.exe
3000	powershell.exe
2204	powershell.exe
1624	powershell.exe
2856	powershell.exe
1964	powershell.exe
2796	powershell.exe
1588	powershell.exe
2984	powershell.exe
2008	powershell.exe
2140	powershell.exe
3004	powershell.exe
1556	powershell.exe
2724	powershell.exe
2508	powershell.exe
2728	powershell.exe
408	sppsvc.exe
1616	sppsvc.exe
1624	sppsvc.exe
2908	sppsvc.exe
2356	sppsvc.exe
1780	sppsvc.exe
560	sppsvc.exe
2664	sppsvc.exe
908	sppsvc.exe
2216	sppsvc.exe
1712	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	DllCommonsvc.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	408	sppsvc.exe
Token: SeDebugPrivilege	1616	sppsvc.exe
Token: SeDebugPrivilege	1624	sppsvc.exe
Token: SeDebugPrivilege	2908	sppsvc.exe
Token: SeDebugPrivilege	2356	sppsvc.exe
Token: SeDebugPrivilege	1780	sppsvc.exe
Token: SeDebugPrivilege	560	sppsvc.exe
Token: SeDebugPrivilege	2664	sppsvc.exe
Token: SeDebugPrivilege	908	sppsvc.exe
Token: SeDebugPrivilege	2216	sppsvc.exe
Token: SeDebugPrivilege	1712	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1560	1964	JaffaCakes118_46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb.exe	29
PID 1964 wrote to memory of 1560	1964	JaffaCakes118_46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb.exe	29
PID 1964 wrote to memory of 1560	1964	JaffaCakes118_46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb.exe	29
PID 1964 wrote to memory of 1560	1964	JaffaCakes118_46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb.exe	29
PID 1560 wrote to memory of 2640	1560	WScript.exe	31
PID 1560 wrote to memory of 2640	1560	WScript.exe	31
PID 1560 wrote to memory of 2640	1560	WScript.exe	31
PID 1560 wrote to memory of 2640	1560	WScript.exe	31
PID 2640 wrote to memory of 2056	2640	cmd.exe	33
PID 2640 wrote to memory of 2056	2640	cmd.exe	33
PID 2640 wrote to memory of 2056	2640	cmd.exe	33
PID 2640 wrote to memory of 2056	2640	cmd.exe	33
PID 2056 wrote to memory of 2348	2056	DllCommonsvc.exe	83
PID 2056 wrote to memory of 2348	2056	DllCommonsvc.exe	83
PID 2056 wrote to memory of 2348	2056	DllCommonsvc.exe	83
PID 2056 wrote to memory of 1556	2056	DllCommonsvc.exe	84
PID 2056 wrote to memory of 1556	2056	DllCommonsvc.exe	84
PID 2056 wrote to memory of 1556	2056	DllCommonsvc.exe	84
PID 2056 wrote to memory of 1700	2056	DllCommonsvc.exe	85
PID 2056 wrote to memory of 1700	2056	DllCommonsvc.exe	85
PID 2056 wrote to memory of 1700	2056	DllCommonsvc.exe	85
PID 2056 wrote to memory of 2008	2056	DllCommonsvc.exe	86
PID 2056 wrote to memory of 2008	2056	DllCommonsvc.exe	86
PID 2056 wrote to memory of 2008	2056	DllCommonsvc.exe	86
PID 2056 wrote to memory of 1588	2056	DllCommonsvc.exe	87
PID 2056 wrote to memory of 1588	2056	DllCommonsvc.exe	87
PID 2056 wrote to memory of 1588	2056	DllCommonsvc.exe	87
PID 2056 wrote to memory of 2728	2056	DllCommonsvc.exe	88
PID 2056 wrote to memory of 2728	2056	DllCommonsvc.exe	88
PID 2056 wrote to memory of 2728	2056	DllCommonsvc.exe	88
PID 2056 wrote to memory of 3000	2056	DllCommonsvc.exe	89
PID 2056 wrote to memory of 3000	2056	DllCommonsvc.exe	89
PID 2056 wrote to memory of 3000	2056	DllCommonsvc.exe	89
PID 2056 wrote to memory of 2984	2056	DllCommonsvc.exe	90
PID 2056 wrote to memory of 2984	2056	DllCommonsvc.exe	90
PID 2056 wrote to memory of 2984	2056	DllCommonsvc.exe	90
PID 2056 wrote to memory of 2796	2056	DllCommonsvc.exe	91
PID 2056 wrote to memory of 2796	2056	DllCommonsvc.exe	91
PID 2056 wrote to memory of 2796	2056	DllCommonsvc.exe	91
PID 2056 wrote to memory of 2508	2056	DllCommonsvc.exe	92
PID 2056 wrote to memory of 2508	2056	DllCommonsvc.exe	92
PID 2056 wrote to memory of 2508	2056	DllCommonsvc.exe	92
PID 2056 wrote to memory of 1624	2056	DllCommonsvc.exe	93
PID 2056 wrote to memory of 1624	2056	DllCommonsvc.exe	93
PID 2056 wrote to memory of 1624	2056	DllCommonsvc.exe	93
PID 2056 wrote to memory of 1964	2056	DllCommonsvc.exe	94
PID 2056 wrote to memory of 1964	2056	DllCommonsvc.exe	94
PID 2056 wrote to memory of 1964	2056	DllCommonsvc.exe	94
PID 2056 wrote to memory of 3004	2056	DllCommonsvc.exe	95
PID 2056 wrote to memory of 3004	2056	DllCommonsvc.exe	95
PID 2056 wrote to memory of 3004	2056	DllCommonsvc.exe	95
PID 2056 wrote to memory of 2140	2056	DllCommonsvc.exe	96
PID 2056 wrote to memory of 2140	2056	DllCommonsvc.exe	96
PID 2056 wrote to memory of 2140	2056	DllCommonsvc.exe	96
PID 2056 wrote to memory of 2204	2056	DllCommonsvc.exe	97
PID 2056 wrote to memory of 2204	2056	DllCommonsvc.exe	97
PID 2056 wrote to memory of 2204	2056	DllCommonsvc.exe	97
PID 2056 wrote to memory of 2856	2056	DllCommonsvc.exe	98
PID 2056 wrote to memory of 2856	2056	DllCommonsvc.exe	98
PID 2056 wrote to memory of 2856	2056	DllCommonsvc.exe	98
PID 2056 wrote to memory of 2724	2056	DllCommonsvc.exe	99
PID 2056 wrote to memory of 2724	2056	DllCommonsvc.exe	99
PID 2056 wrote to memory of 2724	2056	DllCommonsvc.exe	99
PID 2056 wrote to memory of 2908	2056	DllCommonsvc.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_46f9f4b1f04170ae3199cde57e29d1cbfb6291d587db4cc3aaaf1a80a5aa99cb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CpWQL6yQss.bat"
        5⤵
        
        PID:2908
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1028
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
        7⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2144
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
        9⤵
        
        PID:660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2836
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        11⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1132
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
        13⤵
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3000
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
        15⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2064
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
        17⤵
        
        PID:992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2932
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        19⤵
        
        PID:1084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2788
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"
        21⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2684
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
        23⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2916
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
        25⤵
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1572
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        27⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Installer\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Setup\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
077bfe64f75e57af6c7ea355e7fbca23

SHA1
0db1a1d26e239036616c638e016c05ac0ed7562f

SHA256
e1c363fc10768eaeea819f690605ecfdb3f97fd0f93f7271011364c3528d5a9b

SHA512
9b7c96179c499e3bd7724534f386acfff190c32f99562c2b0735f9211a3c803fa1823a85dd59679415da89dda9a2730e3ddac4152b0c749b0c8cb8ce4e746e8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd308fdc7e441d94846c6ae55c1951c2

SHA1
127e158611277f20b95ce073d29a6f7d54c80e5a

SHA256
ef3f9437efcfda7986537904811a4fc8dea44b5c5c335ccc877b8eb7ddddef70

SHA512
a632b4444a76c60dda1a6b212986b32d47ecdfb65c64b2fde523968429c7a34d21786721b7c99d937315fe0da0247cdfd79b2b41911b817c9593d1e4bc9e88c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84e46bc7c451b5b29d9eefcb3d7e768c

SHA1
4df120d35bcabe7b30dc9cf2429f0131dcd8184d

SHA256
c7916cae1606d184f3e89922b6c22772db7dac6c5ab055ba918f0258730588d8

SHA512
e890595964510bde7113006cecff2e6149f731b45c6b5ecbe020b2c387ef5f7da255da8ecb078be77dbc35c38b8250bb16551af1996ffaea0a468342f0379934

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e4cbf66fdd0b7b45223eab5b56cefd3

SHA1
366abbb1abfdc8050de86a97bc73076d213f19bb

SHA256
72522c1fae69eb684f10a88c20683777969c77186dc4efd19221762b843ad604

SHA512
ebf28dbe9e806ce77d1fd4c53244b3df2b6bd3af512dbf775c38a25498cb7e89f642416ca49d3dda000a6d687d2a80aa98f05468e365c60e8ff2a24c1d8df96f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98febc077183d5e1a7ef6354d8df642d

SHA1
8c45d8b4b6e5261017929e26fab3d3d393672913

SHA256
5887494fdda675ae614e891fd93da600073d69365b6f6fd85e9491f8815fe623

SHA512
6c7b0fd5118d554f0be9807222af56cda1b97c658107dfdbc1a574050e8178a63c8ee9a791be07d0a0685e42543f9c651e4f7a4d5a5d8025414ea579c13d8de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2f12ebb45419d24924050af59296890

SHA1
ef9a4ee0d1394eb348d38046a48ff61aea78cfb2

SHA256
a8bd1301c0d9327c937ce9f5141a8ba1acb523a752018d37e56ab9e1e0ee43fb

SHA512
da1fb7e8da42d4ee05b1ed4c45af97fda5db828f0eec61b180652cbf6ae952d918584293af8b61f422fa9c3a6e6e1796662c7b9b0d597f6fcf29af2654b79396

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e9f47f4a1202cd6b20f6a714db77fef

SHA1
dc91ad85c51e09df486444d765426cf959c7a1a6

SHA256
21113a031407e2756f8da7a0d0d9e8f71466195cf63c84b82a9edd0db195fc62

SHA512
4c28ccb906beda8a9214d6a9a782654ce800ddd88b6aa4b305815020087c8b07687f77fba7cfffc17529d9e10a06a65202e1f413de583d614deed88cfb356e3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbe1e1a7965b400befa59462db8f27a2

SHA1
d2ee68f1ef1c053b97e027f83a2f2164a6caa592

SHA256
5d15be66c3bfaa1bade80bfb47deacf0391579b6e8a3b67f6fce896cf5b4ecdc

SHA512
b31023a2f8c573bed78a9778a35faee02d4ef6eb1d97e69fe76310ac1bd6dc05112e39ed321e3ab3e8beff299a9d7c6c4f23fad96efb8c71860fc26067908c88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64f11f3c09945f9350f5629235a3b2dd

SHA1
fcc5d4b6f0d510aedf5c403a10c76d0b8cc61995

SHA256
c064d53bc8edb18491676e9045924db118451eb69dcc0cb07dc789d392c6491f

SHA512
d47625e4647992f2426b0839fc1cba9d21195c04aa1079168163c6981bb03006aa00ba7905d7f44c7e79a189f0f7d5cde26c7787eda285f618e8e68e2f3565c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
916bef2b9a460595c6f07ce90c58d69c

SHA1
23ea95513510067ed52bc622f2e9384b652e6c37

SHA256
8b9c58c3b9d0066ed851fd6db2d33604f14a9ad900ad1aa79f1c096ca05db063

SHA512
29601429bf9be24633593b2427dffcc8e443c4ab28305dd9fa12845c9a11904425cef03298092fdb86adea3e5b163b6a9ed8e46ab4ecd8275bc34bc3ab54777d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab51DA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CpWQL6yQss.bat

Filesize
243B

MD5
debabb44d749d8bf54d32690d736c9c3

SHA1
ac96210e6ef4d7afe2f905dd08875db8e544b4b6

SHA256
716fb6618d563aa75400e706ab12140f53fa91a4f979a5083ca01c251962abf9

SHA512
04bd0f4b55bbd4ddb08bd2adec73c165fea2479aee8eb10284d098e3b43555c9d640b822bad9226c9b22bf48996b8899d849ea4653a85899b81f2bd03a0b1186

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

Filesize
243B

MD5
6e09be6df3184a3f8ee7184cf6545b4b

SHA1
04ee8a0cc4a394218bab04e43eb0aed414b59cee

SHA256
893b6da4b85221a455c5d71cfba9b04e92d79d72ca463fc6586493b92728940d

SHA512
80918843d806c6eeead029b72dd4a2b3c9b41ff69731c85386b494b5369f198d8b0a3a4ace804b75f3daf009ecc0c11cf333ad4b1e5daf548e077265cadb69b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

Filesize
243B

MD5
898a236b796df81fc24c8e9b114bddfe

SHA1
e99a4e13d7af4af5c02ff4b668e68ad3b54831ac

SHA256
7a46d7eeffb3af1f5ad41c23da339485060c40c98c1563e218a3a583168796fd

SHA512
cdbd9f292b3e4f0fb49f42f22d6addb82f11be2a66a6c4336dd74ffa23062ef1d49af09ed1cfd3964bcc8a2ac41cfe6b928d6b46b28d4650e6a5bae4ac76c201

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat

Filesize
243B

MD5
d8599c97ccd7e79db77ab939c1be0cbb

SHA1
9f53b748bbc3dae3b01d0a0232767e924c383002

SHA256
b0fa7e38d594b0d1207d80efecb76ed6c732c8085362f47fb62bab2f1dadf17c

SHA512
6efe18fde453245f30fb6f3baa8422ca23d7aebcda1d59581d360bd4983c6b3e410526e1349a00b89e85dca3c9249d8bd4d7f5d0bac7bfa7364776d58f02b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

Filesize
243B

MD5
6c74e5d5102e0976a73f7c0a630b4af1

SHA1
67bc276b4aaac132fac6721f2defd20e8df79221

SHA256
b4583d1fd66199d0228626ccd5884d72c0025e71e9e265268f7e9ecfd680f678

SHA512
1d6926c3ad6e4042d142aaffb7d8a54a819a88576abbabbda914dc5cfc1a0a5ae73bcc2be83c7658dfb1c0283819148e1eeff09c2d051d79b55e8c078cbb8cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar51FC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

Filesize
243B

MD5
1f777c3942690a36af90807440ee9580

SHA1
bbe504a8c18bef9d2ab32eeed3fdc252f86c5664

SHA256
5d5ef2d9cc77a03d90ce5379cd6bdaf3f1ffa4ea8b6753ded7eee474af3d82ba

SHA512
f4ee676e9ea97b4b2ba09e19129dd66363f28cd37c1bdf1df0ca587a4f8e59a744a10855bd497306dc69a053c7a4651911ff1edccd0c0662be7011cecf2274e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
243B

MD5
3b772917aa4223ae4f7bc24bd602d3eb

SHA1
49888e4e105646a9966bb2a37035fc0de86f1e0c

SHA256
9651a80f8b8e405b37d64fa29c66082918d4580bed6d12d8f1ede971330f1117

SHA512
d076ad34cfa1440f8752fcadcb19c7fb99f5451a18bd91004e25f96a97349381a4d91a7e4288fb276db88c77ed8d9cec69af7ac89e61fdc2946a99bf2154dfbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

Filesize
243B

MD5
3a0322d12a7197ee03fcb81bc5fde540

SHA1
f73b1a624ddc9591d8523b8fef9ab53d91ac6953

SHA256
9a9e20ed0e501a5ad5b87388096587fe8102a93407203e28b2a8a568ad2381f6

SHA512
7a8df01e412acf5ac95f46a9074cb1d3bd4697adb032f1b1c2f34f9ba68f7027d4e475bcff0cf5de26638f98f77b68b9561d84dacd2672e415007349f4d1fbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat

Filesize
243B

MD5
3ced68f0502ecc15dfad272f7c5c5467

SHA1
00e42aebfa2b95cc7af22938320468334d37deac

SHA256
3b940125ac3846a343e210c758dfe258387bf776a774e3a2999530222d2aa9dd

SHA512
4cde0702e3420f8b1a133eab2e83ffaea2527111e502f8442d58736f6d901c67c017041c65a6d8bb8d46d632897af9f8f0aec7cece775c294d09256d8cdd5978

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

Filesize
243B

MD5
0a0923351763bc727f4360365432eb95

SHA1
a9a68735070a8c6df2e9bd78668e5d4021bb405c

SHA256
03bcf5b54948c043c0d1fb0ecc68ba2c38d34558c625d61be4a15e4b492e3651

SHA512
5a37471e66cc7f2e3f7ffc7beb04e10ce9de5ed480fda53f60a664d14d421765bd76ba68779841e63956e5d8e2d08c4465623d5cf9b9826019abb73485ac5da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

Filesize
243B

MD5
526a778f207fe76c1fb2933f0d51ac53

SHA1
065b9731d19c8335bc5c5ab49bcd6e9d30737812

SHA256
0e15ace19ea5a6c613f1d0b13b032d2efcfe8f4e9eea7a87f30726583a739a11

SHA512
9c33a8ca00a4db793bb6ef49c5607bec8af103efc6a523f1dcb9894062f8cf621316ec207d04c780b840bc7ad5c5ead920343111fc62b0a09af47430b642155b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
243B

MD5
4a42bbd92996fb88fe0e44314c4c835e

SHA1
4897b26af16b0d0e00cf884fcdb3e97457beff5f

SHA256
3dd15617529133e2afd8393a84b51c8a1c3994a1c5b67ba84e9bc16deace8a47

SHA512
179f9f116212a76ceebad044978d7cfa6bc3bbc869c180623c958525f46c66e2bebc6f52ce6c62bffae60500eefb8673d994b720c4afc8b53ea1570c74d4e8cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3b049c4fb05a3b0f399c7ec6e1e3d83c

SHA1
0ab60306f5414338072c23e278b978314d260501

SHA256
6f164e677913c429b20585c1eeff1cefbc5fbbc60810abf3a679b6b99fe6d0dc

SHA512
c418ae50a4305de860e9a8fed17138fd06b7c84636506a1f32ab095f7d6fdfeda33d47769cab1deae07211a8be4d1cb895b34878b05c8136767786d6418d5f19

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/408-138-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/908-613-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/1616-197-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1624-257-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/1700-65-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/1712-733-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2056-16-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2056-15-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2056-14-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2056-13-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2216-673-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2664-553-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3000-63-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download