dcrat | 135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2.exe
Size

1.3MB
MD5

bfba1229b4b9f731c2f9935eec06379f
SHA1

a579fc54c290b435861346845f1da483fac13771
SHA256

135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2
SHA512

22186adbeef22b7a53c4ec92f1a61c20467369eb4dd54bf76fe42c2d0568d3e9e4d30f84efbf03ba945568acfce83f9f5980dc5ec9e88ee050b2ed8d1866188b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2408	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d81-12.dat	dcrat
behavioral1/memory/2304-13-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/1148-71-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/2244-333-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/1708-394-0x0000000000A00000-0x0000000000B10000-memory.dmp	dcrat
behavioral1/memory/2952-454-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/1944-515-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/2752-634-0x00000000012B0000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/2984-753-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/696-813-0x0000000000FB0000-0x00000000010C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2728	powershell.exe
2628	powershell.exe
2876	powershell.exe
2452	powershell.exe
2212	powershell.exe
1936	powershell.exe
2016	powershell.exe
2896	powershell.exe
2624	powershell.exe
2580	powershell.exe
1676	powershell.exe
2916	powershell.exe
2828	powershell.exe
2852	powershell.exe
1932	powershell.exe
1924	powershell.exe
2996	powershell.exe
860	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2304	DllCommonsvc.exe
1148	services.exe
1956	services.exe
1568	services.exe
2244	services.exe
1708	services.exe
2952	services.exe
1944	services.exe
1664	services.exe
2752	services.exe
3040	services.exe
2984	services.exe
696	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	cmd.exe
2764	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
32	raw.githubusercontent.com
22	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\Pictures\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Pictures\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\SchCache\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2496	schtasks.exe
2680	schtasks.exe
1420	schtasks.exe
2208	schtasks.exe
1776	schtasks.exe
2636	schtasks.exe
1508	schtasks.exe
1292	schtasks.exe
2108	schtasks.exe
2160	schtasks.exe
2592	schtasks.exe
1656	schtasks.exe
2500	schtasks.exe
3040	schtasks.exe
2008	schtasks.exe
736	schtasks.exe
836	schtasks.exe
2376	schtasks.exe
1664	schtasks.exe
1128	schtasks.exe
1284	schtasks.exe
2024	schtasks.exe
2320	schtasks.exe
1628	schtasks.exe
3048	schtasks.exe
1944	schtasks.exe
2672	schtasks.exe
2804	schtasks.exe
1584	schtasks.exe
1296	schtasks.exe
1620	schtasks.exe
1852	schtasks.exe
3020	schtasks.exe
988	schtasks.exe
2976	schtasks.exe
2648	schtasks.exe
2664	schtasks.exe
2080	schtasks.exe
552	schtasks.exe
1608	schtasks.exe
952	schtasks.exe
1476	schtasks.exe
1900	schtasks.exe
264	schtasks.exe
1136	schtasks.exe
2836	schtasks.exe
1760	schtasks.exe
2420	schtasks.exe
1032	schtasks.exe
2436	schtasks.exe
2612	schtasks.exe
2892	schtasks.exe
2448	schtasks.exe
2468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2684	powershell.exe
2896	powershell.exe
2996	powershell.exe
2016	powershell.exe
1148	services.exe
1924	powershell.exe
1932	powershell.exe
1676	powershell.exe
1936	powershell.exe
2624	powershell.exe
2212	powershell.exe
2580	powershell.exe
2728	powershell.exe
2852	powershell.exe
2916	powershell.exe
2876	powershell.exe
2452	powershell.exe
2628	powershell.exe
2828	powershell.exe
860	powershell.exe
1956	services.exe
1568	services.exe
2244	services.exe
1708	services.exe
2952	services.exe
1944	services.exe
1664	services.exe
2752	services.exe
3040	services.exe
2984	services.exe
696	services.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	DllCommonsvc.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1148	services.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1956	services.exe
Token: SeDebugPrivilege	1568	services.exe
Token: SeDebugPrivilege	2244	services.exe
Token: SeDebugPrivilege	1708	services.exe
Token: SeDebugPrivilege	2952	services.exe
Token: SeDebugPrivilege	1944	services.exe
Token: SeDebugPrivilege	1664	services.exe
Token: SeDebugPrivilege	2752	services.exe
Token: SeDebugPrivilege	3040	services.exe
Token: SeDebugPrivilege	2984	services.exe
Token: SeDebugPrivilege	696	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3040	2104	JaffaCakes118_135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2.exe	30
PID 2104 wrote to memory of 3040	2104	JaffaCakes118_135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2.exe	30
PID 2104 wrote to memory of 3040	2104	JaffaCakes118_135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2.exe	30
PID 2104 wrote to memory of 3040	2104	JaffaCakes118_135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2.exe	30
PID 3040 wrote to memory of 2764	3040	WScript.exe	31
PID 3040 wrote to memory of 2764	3040	WScript.exe	31
PID 3040 wrote to memory of 2764	3040	WScript.exe	31
PID 3040 wrote to memory of 2764	3040	WScript.exe	31
PID 2764 wrote to memory of 2304	2764	cmd.exe	33
PID 2764 wrote to memory of 2304	2764	cmd.exe	33
PID 2764 wrote to memory of 2304	2764	cmd.exe	33
PID 2764 wrote to memory of 2304	2764	cmd.exe	33
PID 2304 wrote to memory of 2016	2304	DllCommonsvc.exe	90
PID 2304 wrote to memory of 2016	2304	DllCommonsvc.exe	90
PID 2304 wrote to memory of 2016	2304	DllCommonsvc.exe	90
PID 2304 wrote to memory of 2684	2304	DllCommonsvc.exe	91
PID 2304 wrote to memory of 2684	2304	DllCommonsvc.exe	91
PID 2304 wrote to memory of 2684	2304	DllCommonsvc.exe	91
PID 2304 wrote to memory of 2916	2304	DllCommonsvc.exe	92
PID 2304 wrote to memory of 2916	2304	DllCommonsvc.exe	92
PID 2304 wrote to memory of 2916	2304	DllCommonsvc.exe	92
PID 2304 wrote to memory of 2828	2304	DllCommonsvc.exe	93
PID 2304 wrote to memory of 2828	2304	DllCommonsvc.exe	93
PID 2304 wrote to memory of 2828	2304	DllCommonsvc.exe	93
PID 2304 wrote to memory of 2728	2304	DllCommonsvc.exe	94
PID 2304 wrote to memory of 2728	2304	DllCommonsvc.exe	94
PID 2304 wrote to memory of 2728	2304	DllCommonsvc.exe	94
PID 2304 wrote to memory of 2996	2304	DllCommonsvc.exe	95
PID 2304 wrote to memory of 2996	2304	DllCommonsvc.exe	95
PID 2304 wrote to memory of 2996	2304	DllCommonsvc.exe	95
PID 2304 wrote to memory of 2896	2304	DllCommonsvc.exe	97
PID 2304 wrote to memory of 2896	2304	DllCommonsvc.exe	97
PID 2304 wrote to memory of 2896	2304	DllCommonsvc.exe	97
PID 2304 wrote to memory of 2852	2304	DllCommonsvc.exe	98
PID 2304 wrote to memory of 2852	2304	DllCommonsvc.exe	98
PID 2304 wrote to memory of 2852	2304	DllCommonsvc.exe	98
PID 2304 wrote to memory of 2624	2304	DllCommonsvc.exe	99
PID 2304 wrote to memory of 2624	2304	DllCommonsvc.exe	99
PID 2304 wrote to memory of 2624	2304	DllCommonsvc.exe	99
PID 2304 wrote to memory of 2580	2304	DllCommonsvc.exe	100
PID 2304 wrote to memory of 2580	2304	DllCommonsvc.exe	100
PID 2304 wrote to memory of 2580	2304	DllCommonsvc.exe	100
PID 2304 wrote to memory of 2628	2304	DllCommonsvc.exe	101
PID 2304 wrote to memory of 2628	2304	DllCommonsvc.exe	101
PID 2304 wrote to memory of 2628	2304	DllCommonsvc.exe	101
PID 2304 wrote to memory of 2876	2304	DllCommonsvc.exe	102
PID 2304 wrote to memory of 2876	2304	DllCommonsvc.exe	102
PID 2304 wrote to memory of 2876	2304	DllCommonsvc.exe	102
PID 2304 wrote to memory of 1676	2304	DllCommonsvc.exe	103
PID 2304 wrote to memory of 1676	2304	DllCommonsvc.exe	103
PID 2304 wrote to memory of 1676	2304	DllCommonsvc.exe	103
PID 2304 wrote to memory of 860	2304	DllCommonsvc.exe	104
PID 2304 wrote to memory of 860	2304	DllCommonsvc.exe	104
PID 2304 wrote to memory of 860	2304	DllCommonsvc.exe	104
PID 2304 wrote to memory of 2452	2304	DllCommonsvc.exe	105
PID 2304 wrote to memory of 2452	2304	DllCommonsvc.exe	105
PID 2304 wrote to memory of 2452	2304	DllCommonsvc.exe	105
PID 2304 wrote to memory of 2212	2304	DllCommonsvc.exe	106
PID 2304 wrote to memory of 2212	2304	DllCommonsvc.exe	106
PID 2304 wrote to memory of 2212	2304	DllCommonsvc.exe	106
PID 2304 wrote to memory of 1932	2304	DllCommonsvc.exe	107
PID 2304 wrote to memory of 1932	2304	DllCommonsvc.exe	107
PID 2304 wrote to memory of 1932	2304	DllCommonsvc.exe	107
PID 2304 wrote to memory of 1924	2304	DllCommonsvc.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_135df13e0ee875bf4d54b040a23d4910d243d3e32a0cf354cf81a3fb68f0a3f2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Pictures\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        6⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2344
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        8⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:672
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        10⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1860
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat"
        12⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1292
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
        14⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2120
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        16⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1056
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
        18⤵
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2088
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"
        20⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2896
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        22⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1480
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        24⤵
        
        PID:1804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2488
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        26⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2616
        
        C:\Users\Default\Recent\services.exe
        
        "C:\Users\Default\Recent\services.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Recent\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34477f8ce165534224a36e2a1f23535c

SHA1
284e995ce5acc09661713df77e5c161ad3d1b5b7

SHA256
df16269b4904fe06786f177b60b7245e704121baa959e13d922806523f49dba6

SHA512
b30fed5769efbc5a57fdef9c360f36db49b057b95c16458ffc5b449c9ddb447d07cbdedbe4f5380870891087bb8324aa15eaf5d9d9f9539dd5c2ca7bcd612883

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93f4dc0ddbc556f23c29e8abbc074f4b

SHA1
95a5ee5f7b6e6e4cf52b548861ec5ba87f68e401

SHA256
81b16e5e485cc43b6684d94e4017737d40732869c81ef5058582653df32d9419

SHA512
a356281555171364ac7578f25cc0902887ad420a987318381e2a4bad35a92e7bdd63bf3b6852bd2c1ece871f5365d63ae1bbc2961d0e2bed1dd8003489592cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6be665ad3c0ab915e7ed4b1163ed852b

SHA1
c3ac4a22e96231905d2c823a0a217f30369f8fee

SHA256
8f6ac98b4e781e87b5e5a189aa9f32c9e55c12614f210772282d86353f485e80

SHA512
08bf55174933aff8f970726c8ba98a16db574dadcbcb374eb82aebed84ef7fa63a287b0eb4e1c159420aa5c36e46d768788d4c4a55c7592925f5a9cdce0685c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db5ac60b0f5f731b3b1935e23c85d7dd

SHA1
d7c6116abafa9d7321e8e4244d1782ff379b447f

SHA256
b1efd8e91c41932d7d3b514db0b10043e334a70972366b93896d3dd9398e5275

SHA512
603b2cd77edb56e70cc64adf61fe6d239a5df54ca86ec103d3587c8a77510494b929c4414643a7b27aa9980027b86976b833dbe3f55cf0d971410ad4c3a0db51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44f20b10a4220224e5431b89fc902a92

SHA1
d0b9f2ab6ffa2470fcad794fae4b8d2728af77ee

SHA256
88957df762f3e80c3e94267870cd086bd69b374f970a7c53e04ac736ef0bd270

SHA512
23dc7de1ec3a79dcc7e82e4f70dac46f92a88140120c44f67ae463bc94c25e71266ed06871026ddf8dbf8d54fbdeea5c8d067c1692aba4035e671b2b420ef823

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0855bb46483b7bbb0c2f386afc199931

SHA1
ee2901200d3b05dd16e5fab02f14ad64c3885095

SHA256
0a8b3f677ef800c421613750f16698ab8751b4d7d085bf8d0551d6ab2ef2cf37

SHA512
6c5e822b8bcf05fa9752fbb19d1bcac82eb6cf61f3b56643bd9c6c7da7d529a6c602ad6e12ca081a56f533be7ba3963adbce29c016b4b09d19e6c620ab5f7c21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7895418d5112cc3a993d9477af806d1a

SHA1
79189071940f03c40b73588c21be8c6328dfcab7

SHA256
bc131d4a4eed55e2662691cf1ca6ce4e4685d7a1780992c1c1b8e340367383d6

SHA512
30cb4c5c2d55c15e4cf6f8bbbe7cb4c6b5d9b9aaec0bb04a365dcbf7fec3de74ac927f8848033e668db1d386697d381529475261bd8d383d6154b579abb389f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a4973d94464fa40c96c6e20431cec25

SHA1
6036569d2435ca150857d48418bc57ba87148fab

SHA256
d852089349b4c66f90db136734a475186b36f7544a615a1e685daf0f89a85af3

SHA512
010cb76906193bba18837ca55909292d0e286b5a9d88c1bd71fa269183b5b52ab9caaadcd48ece4c5f626769c8e7dd5e73b9a88c4263bbf6c952cf45e2ea6a0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
792de568d502c3c8f0c45ad3537590cd

SHA1
72cd457ea241ed6c599f409103720b5750b1c5a3

SHA256
a0bacdc621e775e2091035f7b52d57e53c857b8e34331e33198091812ee4e875

SHA512
ec94ada9b9bbd5026edc11e44fcfd0e579a7a2cd6a9a680d992830d731ce48cc00ac755baca8779d7f24c9833cbe726d53f27cfeb88ab21c6cd7c07c0a9a168b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b29849a55bc340b615701d36a193032

SHA1
890934de66df5a4b09f870ea011664fe3a6c9c02

SHA256
917767f823b38ffd2de2d6547ba461385e5b0f26ba9a20522511a732636520fb

SHA512
087fdd211b5bfde3f518f40621284fd7be18a09d9b92dd98185ce0469fa0a6c067f1a048f409a024063626f19b15b8150827db51fb59da86d703331a9601f41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
201B

MD5
f1bb52055f23550fb892b8b16a6516b1

SHA1
faaf1e09716ffe6fe8a24ed714e1c65419fbdb6d

SHA256
795d069c856b9fd34c894c5fc55eb5b23aad1b2df80ac2320e9326249e59c77e

SHA512
f4233603ddcd024882b4ada7dac1ff3b3c8dae2123ad733dfde2d64d990caa50079b38f2070ff707e8f069b1213b4eb52c482a546be8da035366f85a70ac473b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
201B

MD5
be9ecf4cb7ee205136335667b10d7c14

SHA1
e956dfbd9dc5ecb16d7ea283998f6a462f8f8494

SHA256
25923d86956c3a1f288669e47a8744ada45815fab22365211cf45b232920170c

SHA512
61a0822a34c4a455d04dc0a34978dd26060a64105241062b04f6ce59125f2212f6251a7fcdb0ceab35655b00b7c9666cd9ffde2ad7fd5b8dd129eb84948da9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE005.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

Filesize
201B

MD5
ebd4038fee0bd4fe935d700c513a3eba

SHA1
6d8b1add2cc64be7bfdcaff80eed703cc0e62d86

SHA256
906716c276870781593e66c00108482a24c30a281fbf161c2b768f09ba720fe1

SHA512
e76a53cca4343ea18e6804881b48c409fda758deb82b571fd6e9d606f9d37044bb5811e99515880c2ff5765f3a9feed83c8f2dd97779a62b4e00fa2252084899

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat

Filesize
201B

MD5
23d5a978738f4fffb4c987f567f5721d

SHA1
355b732d35095b8f74cfc9b0cbe9ee51285009a4

SHA256
9f7390c532687a6412710fe4856600bacd388031d7d74d7f890935e9c2ed6849

SHA512
acf6fde516b94db8e6310712eec79a09e65eb194e5a991716fbfab910edbb0d8c57b50ac7307cbd4c05c2dee738000228b97c6454becb3116eb4ad9131902c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
201B

MD5
17ae015b52c5d5c04133d2cfa2ab882e

SHA1
4105db5b4852c65071ce5b75ae6bc7e067ee99f6

SHA256
e90e5f04e22197ed33751da37d6f53713a9029166310495b1b446921075a175f

SHA512
92b3deb11b2fdf0501ab57c3305e620a9272aebb3c64355c55c949097cd7001b59804e230d399a5d4aa47ac6e7779e6952356744e4cc0cda864330b74063733e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
201B

MD5
16246c8e75b54ba9aa9e65b56f29d871

SHA1
41c044fd078ba228415adc48a21d481c273cb84a

SHA256
d4bebd469b4c3d004ff010ab33da1d5afc09478d931555faafeb8c93c8a05f18

SHA512
49d2ed613f3a49b9dcb8fdd6760de09b07ecfedc981112d77c4e6a85520d0cdaadc53d1993ee8abed653a812ddf8a0fa4a7e833249f4c791f7259896f3a2a018

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE065.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

Filesize
201B

MD5
220bd7975f5d475ac99efa1b0465d483

SHA1
7b008f828fca44e51923c38fb312ebdf385d7b99

SHA256
91d70873578af56e0cb72c660b7f7004e31de2f263ade60cf0b5b8795bdf010c

SHA512
930ca067a763f5eb0502cc5e5775619e9b0288fa40d6d0ac3912f0fafa853d57ac552087436253970979f8ff03e18e2d90e7b2570432bf03f78e26a3813d1d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
201B

MD5
5221a72ebb2c438bd0d88fde0141ccc1

SHA1
d6ebd507f49a81f71bcf4d39087f963e9c7db9cf

SHA256
7abc2cc6656799de9b7a4d1a7e357902e72f388e78a6cc62be2152724a315748

SHA512
533fd1009e408b817a3201c7d054c8a4b14f8644dee079711b9765c74bf7132da0fb378852a3f9a572c364cb61eaa9cafa90cea973681c4553e8d165b9333062

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
201B

MD5
0751d35a92baf5c6186d309678cc4b59

SHA1
f635ead0714f153f0148063150c68306ca60deb2

SHA256
a485ad7cfbafef5d9c95fdf1ea601364768bc01f8255ea6d4d5bcdedabb769d9

SHA512
0bafccd4f5d46c783cdc6faea777cc3b8e2b1387b750b2ebb12a4a78b0744d11bb0e64a357f2cc9c06024970819d9777ce71d0999e5581bf3d14a1fd425edc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat

Filesize
201B

MD5
df9280209c6c0fee031411ec8d134b4a

SHA1
23ac0407597c1f48db756d1a65b9e59c569a6dc9

SHA256
43fab307e0cfd79946ace36873fa645626033558f73710af2b948913d29ffba9

SHA512
a3efceb54481f08605e136ba4d64de558985a6991cc832dc13295341e7f90a05d1f0942e420628853b9d434fa77efcbdb234bf1b3da912beee0f2208ee0c299e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
201B

MD5
364f37925e5bbb6f05340b587344ba1a

SHA1
b5adb9220576e614624dacdc83291eed91ed3e3e

SHA256
7df4b023951d535f4b5477bbf0d77aa10f2bad4ec23e397535e87cfa1a4bba27

SHA512
d9071b6ef3d6fed3d02435600af52a9bdc98ae96e3c2c41c763121fd564e68baf91970412f3e6321c3c80e7ae5613e54a61ef11601929373b943c5a9eeab3c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b76b5e31db959307c53b7cfc1ab0fb1

SHA1
bec3af00d583d39dc06c5822b36b5341608f9be4

SHA256
ae4d744b92739ae7fbbf4167270f391e1aaa89856935249460c232cac50a7c9d

SHA512
43e1d9becf673eb2d9694cea1213de9623d2b8d9343c00aca27cc6e2e59df796d2c783b6ae00bcc8b046d92054078d4f024b0c0bc90b9ee88d38d3bfcb735ff6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/696-813-0x0000000000FB0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download
memory/1148-71-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/1708-394-0x0000000000A00000-0x0000000000B10000-memory.dmp

Filesize
1.1MB

Download
memory/1944-515-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/2244-334-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2244-333-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2304-14-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2304-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2304-15-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2304-17-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2304-13-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2684-63-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2684-65-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2752-634-0x00000000012B0000-0x00000000013C0000-memory.dmp

Filesize
1.1MB

Download
memory/2952-455-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2952-454-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/2984-753-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download