dcrat | 0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef.exe
Size

1.3MB
MD5

9e84b6dde23a864504ca2f88c5cd110b
SHA1

10f5f92b5becb4cdb1f3bf70452abdb5f64b2810
SHA256

0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef
SHA512

af72109ae75550f1170ac0e0b206726c63f18369cc4bbddff7d4cedc059e386cc2b723c1b206b49375ca7802693a179bf952a6d044d1c71359a1cf05bd533be3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2732	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2732	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000173f1-9.dat	dcrat
behavioral1/memory/2240-13-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/1092-86-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/2688-209-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/1968-446-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2756-506-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2600	powershell.exe
2632	powershell.exe
2868	powershell.exe
2080	powershell.exe
3016	powershell.exe
2928	powershell.exe
680	powershell.exe
2832	powershell.exe
2216	powershell.exe
1812	powershell.exe
2628	powershell.exe
2376	powershell.exe
2192	powershell.exe
2092	powershell.exe
2900	powershell.exe
2720	powershell.exe
2816	powershell.exe
1656	powershell.exe
1212	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2240	DllCommonsvc.exe
1092	csrss.exe
2688	csrss.exe
532	csrss.exe
2900	csrss.exe
616	csrss.exe
1968	csrss.exe
2756	csrss.exe
1924	csrss.exe
988	csrss.exe
1592	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2516	cmd.exe
2516	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
19	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\services.exe	DllCommonsvc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\system\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\de-DE\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\de-DE\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2148	schtasks.exe
2060	schtasks.exe
1960	schtasks.exe
844	schtasks.exe
2336	schtasks.exe
480	schtasks.exe
2932	schtasks.exe
2552	schtasks.exe
572	schtasks.exe
1336	schtasks.exe
1508	schtasks.exe
2016	schtasks.exe
2140	schtasks.exe
2972	schtasks.exe
2548	schtasks.exe
1748	schtasks.exe
2640	schtasks.exe
772	schtasks.exe
768	schtasks.exe
2324	schtasks.exe
2664	schtasks.exe
2200	schtasks.exe
1916	schtasks.exe
3032	schtasks.exe
1764	schtasks.exe
776	schtasks.exe
2348	schtasks.exe
2612	schtasks.exe
2332	schtasks.exe
1560	schtasks.exe
1644	schtasks.exe
2840	schtasks.exe
2888	schtasks.exe
2580	schtasks.exe
1600	schtasks.exe
2308	schtasks.exe
1140	schtasks.exe
2268	schtasks.exe
3052	schtasks.exe
2156	schtasks.exe
892	schtasks.exe
2936	schtasks.exe
1428	schtasks.exe
2508	schtasks.exe
2264	schtasks.exe
2064	schtasks.exe
1628	schtasks.exe
1296	schtasks.exe
1784	schtasks.exe
2904	schtasks.exe
2880	schtasks.exe
2524	schtasks.exe
2660	schtasks.exe
852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2240	DllCommonsvc.exe
2240	DllCommonsvc.exe
2240	DllCommonsvc.exe
2240	DllCommonsvc.exe
2240	DllCommonsvc.exe
1656	powershell.exe
2080	powershell.exe
2092	powershell.exe
2628	powershell.exe
2192	powershell.exe
2600	powershell.exe
680	powershell.exe
2216	powershell.exe
2376	powershell.exe
2900	powershell.exe
3016	powershell.exe
2868	powershell.exe
2816	powershell.exe
1812	powershell.exe
2632	powershell.exe
1212	powershell.exe
2720	powershell.exe
1092	csrss.exe
2832	powershell.exe
2928	powershell.exe
2688	csrss.exe
532	csrss.exe
2900	csrss.exe
616	csrss.exe
1968	csrss.exe
2756	csrss.exe
1924	csrss.exe
988	csrss.exe
1592	csrss.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	DllCommonsvc.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1092	csrss.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2688	csrss.exe
Token: SeDebugPrivilege	532	csrss.exe
Token: SeDebugPrivilege	2900	csrss.exe
Token: SeDebugPrivilege	616	csrss.exe
Token: SeDebugPrivilege	1968	csrss.exe
Token: SeDebugPrivilege	2756	csrss.exe
Token: SeDebugPrivilege	1924	csrss.exe
Token: SeDebugPrivilege	988	csrss.exe
Token: SeDebugPrivilege	1592	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2088	2100	JaffaCakes118_0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef.exe	30
PID 2100 wrote to memory of 2088	2100	JaffaCakes118_0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef.exe	30
PID 2100 wrote to memory of 2088	2100	JaffaCakes118_0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef.exe	30
PID 2100 wrote to memory of 2088	2100	JaffaCakes118_0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef.exe	30
PID 2088 wrote to memory of 2516	2088	WScript.exe	31
PID 2088 wrote to memory of 2516	2088	WScript.exe	31
PID 2088 wrote to memory of 2516	2088	WScript.exe	31
PID 2088 wrote to memory of 2516	2088	WScript.exe	31
PID 2516 wrote to memory of 2240	2516	cmd.exe	33
PID 2516 wrote to memory of 2240	2516	cmd.exe	33
PID 2516 wrote to memory of 2240	2516	cmd.exe	33
PID 2516 wrote to memory of 2240	2516	cmd.exe	33
PID 2240 wrote to memory of 1656	2240	DllCommonsvc.exe	89
PID 2240 wrote to memory of 1656	2240	DllCommonsvc.exe	89
PID 2240 wrote to memory of 1656	2240	DllCommonsvc.exe	89
PID 2240 wrote to memory of 2080	2240	DllCommonsvc.exe	90
PID 2240 wrote to memory of 2080	2240	DllCommonsvc.exe	90
PID 2240 wrote to memory of 2080	2240	DllCommonsvc.exe	90
PID 2240 wrote to memory of 2092	2240	DllCommonsvc.exe	93
PID 2240 wrote to memory of 2092	2240	DllCommonsvc.exe	93
PID 2240 wrote to memory of 2092	2240	DllCommonsvc.exe	93
PID 2240 wrote to memory of 2192	2240	DllCommonsvc.exe	94
PID 2240 wrote to memory of 2192	2240	DllCommonsvc.exe	94
PID 2240 wrote to memory of 2192	2240	DllCommonsvc.exe	94
PID 2240 wrote to memory of 2376	2240	DllCommonsvc.exe	95
PID 2240 wrote to memory of 2376	2240	DllCommonsvc.exe	95
PID 2240 wrote to memory of 2376	2240	DllCommonsvc.exe	95
PID 2240 wrote to memory of 3016	2240	DllCommonsvc.exe	97
PID 2240 wrote to memory of 3016	2240	DllCommonsvc.exe	97
PID 2240 wrote to memory of 3016	2240	DllCommonsvc.exe	97
PID 2240 wrote to memory of 2868	2240	DllCommonsvc.exe	99
PID 2240 wrote to memory of 2868	2240	DllCommonsvc.exe	99
PID 2240 wrote to memory of 2868	2240	DllCommonsvc.exe	99
PID 2240 wrote to memory of 2628	2240	DllCommonsvc.exe	100
PID 2240 wrote to memory of 2628	2240	DllCommonsvc.exe	100
PID 2240 wrote to memory of 2628	2240	DllCommonsvc.exe	100
PID 2240 wrote to memory of 2816	2240	DllCommonsvc.exe	101
PID 2240 wrote to memory of 2816	2240	DllCommonsvc.exe	101
PID 2240 wrote to memory of 2816	2240	DllCommonsvc.exe	101
PID 2240 wrote to memory of 2600	2240	DllCommonsvc.exe	102
PID 2240 wrote to memory of 2600	2240	DllCommonsvc.exe	102
PID 2240 wrote to memory of 2600	2240	DllCommonsvc.exe	102
PID 2240 wrote to memory of 1812	2240	DllCommonsvc.exe	103
PID 2240 wrote to memory of 1812	2240	DllCommonsvc.exe	103
PID 2240 wrote to memory of 1812	2240	DllCommonsvc.exe	103
PID 2240 wrote to memory of 2632	2240	DllCommonsvc.exe	104
PID 2240 wrote to memory of 2632	2240	DllCommonsvc.exe	104
PID 2240 wrote to memory of 2632	2240	DllCommonsvc.exe	104
PID 2240 wrote to memory of 2216	2240	DllCommonsvc.exe	106
PID 2240 wrote to memory of 2216	2240	DllCommonsvc.exe	106
PID 2240 wrote to memory of 2216	2240	DllCommonsvc.exe	106
PID 2240 wrote to memory of 2832	2240	DllCommonsvc.exe	107
PID 2240 wrote to memory of 2832	2240	DllCommonsvc.exe	107
PID 2240 wrote to memory of 2832	2240	DllCommonsvc.exe	107
PID 2240 wrote to memory of 2720	2240	DllCommonsvc.exe	108
PID 2240 wrote to memory of 2720	2240	DllCommonsvc.exe	108
PID 2240 wrote to memory of 2720	2240	DllCommonsvc.exe	108
PID 2240 wrote to memory of 2900	2240	DllCommonsvc.exe	109
PID 2240 wrote to memory of 2900	2240	DllCommonsvc.exe	109
PID 2240 wrote to memory of 2900	2240	DllCommonsvc.exe	109
PID 2240 wrote to memory of 680	2240	DllCommonsvc.exe	110
PID 2240 wrote to memory of 680	2240	DllCommonsvc.exe	110
PID 2240 wrote to memory of 680	2240	DllCommonsvc.exe	110
PID 2240 wrote to memory of 1212	2240	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e39df2028f75c769c3529f650dca2e21c86e3f6725fb33ef6ded1e98c5755ef.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        6⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:892
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        8⤵
        
        PID:1084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1724
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        10⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:876
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        12⤵
        
        PID:1260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2828
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        14⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2140
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        16⤵
        
        PID:800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1704
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"
        18⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2596
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        20⤵
        
        PID:1296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1688
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        22⤵
        
        PID:264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2948
        
        C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
        24⤵
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SysWOW64\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\de-DE\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\system\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\system\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\system\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
723794301812ca55e7776d5405ca0848

SHA1
5fa36e49e0a4feb3437497ad04edab049a0c0a7c

SHA256
cbf76a3e35db2830e12e9614c9bca5f90be161da8929dcaabd67f7970528e937

SHA512
7a32e18f0a857bdf16303d61e403e38b3ee0e6c9325535043094eb494439d01d4a3b70fd4b105a0d846777a14afefc0c0681a6608730c2635aa30c66de015d29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a89e700da7e3125852f13a3aef29f112

SHA1
0c8ac6cdb39cccdd034c37be775395f49968a9cd

SHA256
233061b53ee7657ddc45ee9b37e61486f2a86dd4961d77fd899082de006ec746

SHA512
93dd2099a5f6db521f7e1865008d00ba18f57cf69273639b8ffafda67e08697ae39b9630593ea8552c7bd9dac21c2dff6df2e97fcc428dd1f022e621fefea670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cbf79e97dc3548192cf6ae80f8ff63e

SHA1
8c69981976d22f75f9354f579506b7ff1b0447a5

SHA256
e81a908571cf1375f45a056ffdfe74c2f5f3b9fbf60532f9edbd953b325e3f09

SHA512
2b278c6ec2d37a69c2086db0a4b44779221e3215106bf8cbd02a2ff710d5d4b55f3b2e5224eaf2bd31032fc9dadb0e36886a6da71b935ca5020a455536b0562c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a510e3b778b18a72a3d2dae5d44888a9

SHA1
9162aa83e789bf79f58bc625b562d5bddb307419

SHA256
318902270fbdb55b55229e87d41ae501f117c612cc8046fb2a95f3508dedc27f

SHA512
6d262b61b5b850715f3b03b120768e0af30e39b1a6d222a0157fe5d56dc69c0910c091d8a42b734069576a9e066d8779b2f68e4dca849baa9aeb7f271ff5433b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d230aec6dfeaf810828ba0e5cdcab22

SHA1
56385381f6ebbd88d297b8bb3765f2b3e43aff50

SHA256
c1008d31ab3641c6dfe33e5a0db763d8ccd52c05096a751669a92e2f9258969d

SHA512
3136c018ac696a56269b3d1725b0e9df423ca0ed01e8475f7d88da1d2e925b46ed2111420fbd29d4c5882c9f6535ff89c65179eec0747b0fa7bc39f60e840ae8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f0681926e0280b09095d687cff4d195

SHA1
0887ff4827b49bdcb34cb20c83d6cfc5b3d463f3

SHA256
16cbbbadec360d280e539cc0e33a62dc1cbc40629aee3d979a5c581cbcc50663

SHA512
8013dd7d2b21218b073516fd7b4c875326817a8335a11bf50411fbb39eb50c2862a56012d1ef0e7de807b282bde9b7e72bdba37a3fc1940376b11cd64ca6bb52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1070decf6304fd9633a0d6e613899f77

SHA1
46021dc1f00bbde57f214e9635e81d403cf957ce

SHA256
27e3fbc5581bd9717221ccc908d27b968e4e5caf6df336f7949da8d7106469f5

SHA512
63cbd88f42eba67d7f48ec5a38a5595993e93e86b705d7d6ffcf73c39316ce678c213c638dabf99c647ffe1dd2a6cc259a3a73d5a4c4087c4ecbeba2049a9d0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77e5d54bab3ed7425c4c48a49a14107b

SHA1
93b4d514d3218f564c9d10657f6eebf1547443fc

SHA256
3bfbc1455a31c5ae55f53f6a706ff84684f96187baf4b0f6063ec4bd64f8cf3b

SHA512
c1f4b48c2d095eb67c2ec0e870f292a2894058442797cd543ee25e8d0cb1f38e3f0f9302ce39fbbcddfef43730b8f959d29196636b32f9ae6c45160d6643bb1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80056da71c94a9852074b172df9c18ac

SHA1
3e88d3432c3f2206e4a88f267a6d0026f6fbcc00

SHA256
ea6abf98a71a0d51cb4800667e712bd6b1afc7e70ca9e0f1cd5fbd05023750b1

SHA512
d600ba5e8f7aa3a67631b381dea6b8eefa52dc10499da96add331bc110767e18f7261f2f5f4606ac745df18517b1675e881695e3cbe1f768f52207e1f82e2fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
221B

MD5
79e44a79dadb65fd3b02ad6381905779

SHA1
09fe0ec18bf342dd63ca87794c528e3046279e28

SHA256
cc058415c27b5bf1d3e36c8b046dc643f8ab2a81bf183fcc1b8e552a53eec644

SHA512
4568c99bbe22cdad423b8fdd126db17ce7a69e7f444b1d5fc4084b211850809dd55bc0ba825e2916f0c541370bab469a04e3dbf24e3f7f356a60624a163c7b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
221B

MD5
0aab90704e97b7c8062be2c5a9acbcc8

SHA1
0a24cab78b700c2f80ab332e7992b20e1eea8a5d

SHA256
2004e2cf5bb9c0a15b096527966dd9a76237415e5da885d90a974791c9add4a5

SHA512
fcededd72881fbc72f543d8ae0345cb117fae3583c1b3315c8a09eb789be5819a22ce1a76373186e55a8fffe183bb74a8859a831c588f3cf0ec1f1db6175004d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCB3D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
221B

MD5
1beb821aa8c7647fb7470bec4098c895

SHA1
97f902db6a5293304db728b7416c8eb80fd310df

SHA256
c7c68b2aad6145faf2ac14841453b2f2cdacb52420bd04c4d8eb0d2a0acc8b22

SHA512
42879477128097313eee858310ee91cabf30b54f2a68226b8dd25e76a6df5a4f0208391b3f0d61aea48bd5af8dafec435bff2ec8e3a0b5d2f2677e3f1daca909

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
221B

MD5
57b151bd189052857e21b0102e04e252

SHA1
8dd3ab398d66efb7d903aa38d824b22f179fc0fc

SHA256
1250e233b747e845630d6b0997894985c85748c69d6cd04f810423e5a70e6900

SHA512
0a084ca3eb58ac41bc34adb983c3c5439e2a6f48bda74ddd6941f5dd8a127d6b7bb7a8bf71ec027a3132f9dced647408dd382fb27d7c5ee5ffac9f04d0038c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB5F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat

Filesize
221B

MD5
25264c92550e9a665039e0ba407d1cc8

SHA1
9153a09fd83dffdcb32ede14172e49f8405f352f

SHA256
0ec4194d9b5b5050cf6308e5a6e1454fc7dfee12adf7f2117e5ce965ca6ad20f

SHA512
b8ae217ce6c045db702f187d77c173c558d2aa1313815697c18b71d73cc5b3a8df531147a526d188ce7694173a1fe11b71b6c6bfd2f0a293d3606bf9058c6d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
221B

MD5
2bbef3458ba77876d05ce846886ffb0a

SHA1
0c5b5afb36b1c4e7ddfff3b6f4c791b9756b6d5f

SHA256
e8277ff3f895785cbea2daa3288556d3e4068a2416189556d047ff7e0083cf74

SHA512
3750768d22a2a3eba482810bb66b1c5e63eabd0fa4c44c506eb0d548d71b8f5d5e6956964031d17c7c7b51b0ee6913fa8b1ad913ed43d6041a631706cb6d0071

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
221B

MD5
131e836c2fdb9de08d756d0a7d602528

SHA1
2d2d312e77dc1cb30ce70316fd70cbea72660635

SHA256
2d35bfbacdc71fbd01dfeacf5c51578399762fdae30ca8052d89836e9d43f353

SHA512
3728430700370feed123d92cde73cc2d0d0c7cee3b635b6c74157ea4307a17edffedb807bf936c5c6a3cdb92d24f6ba9d9dce44f4c3e8439a1380bea210f39d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
221B

MD5
91bde9151e1a5fc7351cbe186bad973d

SHA1
dbed5be71279e294cb97bebac9b5fceed514f291

SHA256
c31c341802cd77ee22179f22c037ba8d8a8dc3735fa832540a6b942af8cfcd12

SHA512
f8d9e073d4270a5ad0277b4174c553748f11baded2af880456b604b66dd58292cccfd784bb7a53363cba8dc45ee7adc05398cda2c9b7d2261a3ac8b505c32179

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
221B

MD5
eadd1eba4de15f3e22e4edf6e11365f5

SHA1
575d06bebf3c715406e8ae04f31d7f091ab30758

SHA256
d5185cc98e122acee2ca69d42688061acbe250421adffe1bf81bd09220054b5a

SHA512
d4b4df65f3f7cc0b31814a4962709a592fe55bfe0f6b1f104aa54c576f4373718a1756a5f38dca7137bb344ea9f17d8cc1ea015b3d6a9c5e977c72183db97214

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
221B

MD5
64664b88a61fd56bed2a55a45d6b19e3

SHA1
a35e5f6b8ec4f61818635f78bc161077f6d22d05

SHA256
d2b1697b5b061c9945cced26938f50f994dbd2895ac3bca95ed0e86771163894

SHA512
099bb1659f28f7ab2dd81f6d1ee334dc8eef435c0de8d34895c112d574100ef2962e5ba58c3b5f393c2f197e514e51e252df55e5c833e4b75f2dbc9ade0acbe6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f19845cafdcb319ce94b66d4726e6990

SHA1
92e86b59b775fe0f1f976795c977a323b92c350f

SHA256
f25c667edf4c168dcc11e187723d707e871e1265e3b5353b7c4c59c73b439019

SHA512
7171ba3b9af8ae2e76c563fb54939604b94d8e3652eda28bab49e526163a8bd79a3ec0ab7435f5870f6d5ba66b1d679c05c6b9e7789596d00877aab3529ed32f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1092-86-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/1656-66-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1924-566-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1968-446-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2080-64-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2240-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2240-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2240-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2240-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2240-13-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2688-209-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2756-506-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download