dcrat | a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d.exe
Size

1.3MB
MD5

2c622c2df88a06c117942495182533dc
SHA1

25c494b8d9577d92622ac1a9c5b753a90db5b750
SHA256

a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d
SHA512

c9fc42147381a696f1ec9dd8d560aeef230b8d828a0d3062299d49608d43d822033f79abfbb1a65a57b8b8b60bba4b4367264d7899b7d9e9f40d33474bac6edb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	496	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	496	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016dbe-9.dat	dcrat
behavioral1/memory/2188-13-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/1504-164-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/2132-224-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/1196-285-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2632-345-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/788-406-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2392-584-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2648-644-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1528	powershell.exe
1580	powershell.exe
2056	powershell.exe
2428	powershell.exe
2548	powershell.exe
2152	powershell.exe
2156	powershell.exe
2032	powershell.exe
2372	powershell.exe
1864	powershell.exe
1448	powershell.exe
332	powershell.exe
1916	powershell.exe
1260	powershell.exe
2576	powershell.exe
2644	powershell.exe
2112	powershell.exe
2608	powershell.exe
2648	powershell.exe
2988	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2188	DllCommonsvc.exe
1504	conhost.exe
2132	conhost.exe
1196	conhost.exe
2632	conhost.exe
788	conhost.exe
1784	conhost.exe
3048	conhost.exe
2392	conhost.exe
2648	conhost.exe
916	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	cmd.exe
2792	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\schemas\TSWorkSpace\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Videos\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Videos\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\servicing\SQM\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1348	schtasks.exe
1620	schtasks.exe
324	schtasks.exe
1864	schtasks.exe
316	schtasks.exe
1112	schtasks.exe
2776	schtasks.exe
580	schtasks.exe
1364	schtasks.exe
1748	schtasks.exe
2256	schtasks.exe
2508	schtasks.exe
2212	schtasks.exe
1916	schtasks.exe
1140	schtasks.exe
3040	schtasks.exe
2780	schtasks.exe
356	schtasks.exe
1020	schtasks.exe
2904	schtasks.exe
892	schtasks.exe
2260	schtasks.exe
1276	schtasks.exe
1492	schtasks.exe
1808	schtasks.exe
1608	schtasks.exe
1572	schtasks.exe
2136	schtasks.exe
2196	schtasks.exe
1404	schtasks.exe
3024	schtasks.exe
2288	schtasks.exe
1860	schtasks.exe
2204	schtasks.exe
1596	schtasks.exe
1736	schtasks.exe
1716	schtasks.exe
2844	schtasks.exe
2208	schtasks.exe
3044	schtasks.exe
1948	schtasks.exe
2760	schtasks.exe
2404	schtasks.exe
2160	schtasks.exe
2268	schtasks.exe
1264	schtasks.exe
3028	schtasks.exe
552	schtasks.exe
1040	schtasks.exe
2912	schtasks.exe
2968	schtasks.exe
2220	schtasks.exe
2360	schtasks.exe
2276	schtasks.exe
1636	schtasks.exe
696	schtasks.exe
2756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2576	powershell.exe
2608	powershell.exe
2428	powershell.exe
2648	powershell.exe
2056	powershell.exe
1528	powershell.exe
1916	powershell.exe
1580	powershell.exe
2372	powershell.exe
2152	powershell.exe
2644	powershell.exe
2112	powershell.exe
2988	powershell.exe
2156	powershell.exe
332	powershell.exe
1864	powershell.exe
1260	powershell.exe
1448	powershell.exe
2032	powershell.exe
2548	powershell.exe
1504	conhost.exe
2132	conhost.exe
1196	conhost.exe
2632	conhost.exe
788	conhost.exe
1784	conhost.exe
3048	conhost.exe
2392	conhost.exe
2648	conhost.exe
916	conhost.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	DllCommonsvc.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1504	conhost.exe
Token: SeDebugPrivilege	2132	conhost.exe
Token: SeDebugPrivilege	1196	conhost.exe
Token: SeDebugPrivilege	2632	conhost.exe
Token: SeDebugPrivilege	788	conhost.exe
Token: SeDebugPrivilege	1784	conhost.exe
Token: SeDebugPrivilege	3048	conhost.exe
Token: SeDebugPrivilege	2392	conhost.exe
Token: SeDebugPrivilege	2648	conhost.exe
Token: SeDebugPrivilege	916	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2808	1400	JaffaCakes118_a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d.exe	31
PID 1400 wrote to memory of 2808	1400	JaffaCakes118_a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d.exe	31
PID 1400 wrote to memory of 2808	1400	JaffaCakes118_a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d.exe	31
PID 1400 wrote to memory of 2808	1400	JaffaCakes118_a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d.exe	31
PID 2808 wrote to memory of 2792	2808	WScript.exe	32
PID 2808 wrote to memory of 2792	2808	WScript.exe	32
PID 2808 wrote to memory of 2792	2808	WScript.exe	32
PID 2808 wrote to memory of 2792	2808	WScript.exe	32
PID 2792 wrote to memory of 2188	2792	cmd.exe	34
PID 2792 wrote to memory of 2188	2792	cmd.exe	34
PID 2792 wrote to memory of 2188	2792	cmd.exe	34
PID 2792 wrote to memory of 2188	2792	cmd.exe	34
PID 2188 wrote to memory of 2576	2188	DllCommonsvc.exe	93
PID 2188 wrote to memory of 2576	2188	DllCommonsvc.exe	93
PID 2188 wrote to memory of 2576	2188	DllCommonsvc.exe	93
PID 2188 wrote to memory of 2608	2188	DllCommonsvc.exe	94
PID 2188 wrote to memory of 2608	2188	DllCommonsvc.exe	94
PID 2188 wrote to memory of 2608	2188	DllCommonsvc.exe	94
PID 2188 wrote to memory of 2548	2188	DllCommonsvc.exe	95
PID 2188 wrote to memory of 2548	2188	DllCommonsvc.exe	95
PID 2188 wrote to memory of 2548	2188	DllCommonsvc.exe	95
PID 2188 wrote to memory of 2648	2188	DllCommonsvc.exe	97
PID 2188 wrote to memory of 2648	2188	DllCommonsvc.exe	97
PID 2188 wrote to memory of 2648	2188	DllCommonsvc.exe	97
PID 2188 wrote to memory of 2644	2188	DllCommonsvc.exe	98
PID 2188 wrote to memory of 2644	2188	DllCommonsvc.exe	98
PID 2188 wrote to memory of 2644	2188	DllCommonsvc.exe	98
PID 2188 wrote to memory of 2032	2188	DllCommonsvc.exe	99
PID 2188 wrote to memory of 2032	2188	DllCommonsvc.exe	99
PID 2188 wrote to memory of 2032	2188	DllCommonsvc.exe	99
PID 2188 wrote to memory of 2372	2188	DllCommonsvc.exe	100
PID 2188 wrote to memory of 2372	2188	DllCommonsvc.exe	100
PID 2188 wrote to memory of 2372	2188	DllCommonsvc.exe	100
PID 2188 wrote to memory of 2152	2188	DllCommonsvc.exe	101
PID 2188 wrote to memory of 2152	2188	DllCommonsvc.exe	101
PID 2188 wrote to memory of 2152	2188	DllCommonsvc.exe	101
PID 2188 wrote to memory of 2112	2188	DllCommonsvc.exe	102
PID 2188 wrote to memory of 2112	2188	DllCommonsvc.exe	102
PID 2188 wrote to memory of 2112	2188	DllCommonsvc.exe	102
PID 2188 wrote to memory of 2156	2188	DllCommonsvc.exe	103
PID 2188 wrote to memory of 2156	2188	DllCommonsvc.exe	103
PID 2188 wrote to memory of 2156	2188	DllCommonsvc.exe	103
PID 2188 wrote to memory of 1528	2188	DllCommonsvc.exe	104
PID 2188 wrote to memory of 1528	2188	DllCommonsvc.exe	104
PID 2188 wrote to memory of 1528	2188	DllCommonsvc.exe	104
PID 2188 wrote to memory of 1864	2188	DllCommonsvc.exe	105
PID 2188 wrote to memory of 1864	2188	DllCommonsvc.exe	105
PID 2188 wrote to memory of 1864	2188	DllCommonsvc.exe	105
PID 2188 wrote to memory of 1580	2188	DllCommonsvc.exe	106
PID 2188 wrote to memory of 1580	2188	DllCommonsvc.exe	106
PID 2188 wrote to memory of 1580	2188	DllCommonsvc.exe	106
PID 2188 wrote to memory of 2988	2188	DllCommonsvc.exe	107
PID 2188 wrote to memory of 2988	2188	DllCommonsvc.exe	107
PID 2188 wrote to memory of 2988	2188	DllCommonsvc.exe	107
PID 2188 wrote to memory of 2056	2188	DllCommonsvc.exe	108
PID 2188 wrote to memory of 2056	2188	DllCommonsvc.exe	108
PID 2188 wrote to memory of 2056	2188	DllCommonsvc.exe	108
PID 2188 wrote to memory of 1448	2188	DllCommonsvc.exe	109
PID 2188 wrote to memory of 1448	2188	DllCommonsvc.exe	109
PID 2188 wrote to memory of 1448	2188	DllCommonsvc.exe	109
PID 2188 wrote to memory of 1916	2188	DllCommonsvc.exe	110
PID 2188 wrote to memory of 1916	2188	DllCommonsvc.exe	110
PID 2188 wrote to memory of 1916	2188	DllCommonsvc.exe	110
PID 2188 wrote to memory of 332	2188	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a4ccd2863f1407c0e15cbb065c2f94aad07a564bea24f994593ac0280fb53a9d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Videos\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j7oxTYCbI.bat"
        5⤵
        
        PID:592
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1740
      - C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"
        7⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2384
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
        9⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1852
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
        11⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2844
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
        13⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2276
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat"
        15⤵
        
        PID:2624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2732
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        17⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2188
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"
        19⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2016
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
        21⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2440
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat"
        23⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2252
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\LocalService\Videos\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Videos\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\LocalService\Videos\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1094c4a65ced5e17b1ac727e691c2457

SHA1
aca6120d715f146dbe25a5fbbe604314cd25dea1

SHA256
84b7455bf3a53abb7dc87e360c3acc14a491ad93c11bfd753c8b40f9345bfe4b

SHA512
508f03e065592546c65a87b88f7577a82f9e34b660f7ee0c8528038c91e2bf75dbe7da86c8d7fa8a837b08df564c0e747513e17c0635c814b0fad23800120eb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b31c832f3c6d26ea4f26071f6bc28dc

SHA1
26313414ef4de48ffd49708cf0709b83ff7114d7

SHA256
a94ad030f48b2d741d7a3d88737aac292b6df86b8361de3f1af75b3debf02d5e

SHA512
74d5cc80648292896f5865488993628aaafce6078fdf5e9930b74264f32a7e135e0145f8f9e9c8c222dcc2c76936033a677b0484f5d90d4da823f0fa83221d79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
485dc1c7a36f426bc2510b2290afaeae

SHA1
1e8cfac62a40cda3982c35a4b571272d36d1b09b

SHA256
c07cdb24286ea2d1568853553bf615d719ce343866552c9d978178ca8c715e6e

SHA512
d215b157949e8bc9f6bc385fb4ce6679afaec72c14f46f997178dd42418f2eddd25d0c30fd93b341f6809cfa97ddc00e966c0a70f5883f308868241e48390189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ca1a0bfc554a754654ad9ff4be13372

SHA1
0337617f13c0ea6ac596e3d5152291b9c29f128f

SHA256
668d5dbf1c328e763fcc56611844ccb540661311d488ff5ce567963b7c812941

SHA512
f3130a42c6a18cf07526c56f69564491d43f4fb38d5f0a6be86f8b9c7afae82776d74d53ae4a6f0957b4d8ca0497e8eb28b5dad3261e34cbee3817420f82a55c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fe4922d3027f464739230704b262938

SHA1
ead9ccadd5962f2b770db9ce73aa73b9fb9c820f

SHA256
8fc65741511715a9f1ff723959c2060af5ef2de534deffc8f3110ec952f21e97

SHA512
01eab9eca0c18054d1579b14f853946a771b7dcb354ac0081821c5b6c4a11556e0065330d729a77a8945923dd5cae6d32df95eea29447030c0fcb6c2de705f5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28b4891de0adc6be17e7f930d833845a

SHA1
0e430a12cea7740eaa507bb613bc5d48342e5497

SHA256
2b474ee314451ab19e14e67f18537bafb63ed72dbf202d7add457037eaab860a

SHA512
9e9cb38c69d6fb81faff29971a52f26abe821f53d01c15df39d1aad0a41d2b3f60747ba739b202bbd22a1052c6dfebc05090811eea3c53453c5462e1418e3133

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2927513bb3fade3cd07edf6e889550d5

SHA1
114038a3445462da635445bee188a5472f79db43

SHA256
84bc681813d50870a38035ae1b277864c22b288de4da90fd95070a6a108b8439

SHA512
467c6b07dda718f4a01a923997a156536bdb7d8643c65a7973d5d417a74054c59007ca1e4521d80166b103215cb7da7f50334d42cd0b2b1b240f8ee3f95526f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d56f74ee28cd5fc4977a86e3b0941d1c

SHA1
7329dd927000322b59d1c3218fdf4fe0c6578de4

SHA256
0eaca949eeed6a7393c6aa839200171c24eec0e28e6bc458b19a36f244eeb419

SHA512
1c07520e46b96d2801c9b2d8b10173c29b47c35c6fc9158edac9d6bc4e8f6619fb49b66bb68bf4910350da7aba024b0671d685e38c85d7b81cedcf27f6185f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat

Filesize
194B

MD5
31e8cb12b623f5f3339c166c4f90351b

SHA1
5184691c732f854c616f0ce77a3dc24a89011339

SHA256
19ac74581e122275ec2be838c2bbecaea5d1fb8b1c8ffeb87b7f744370acedcf

SHA512
5cb4e9f562d34e833272717a947f330ebc08b4ad980eb8f66ce44ecf8f30352ab3ccfcd56e977eb11d1aa2c8190da5b4ef10d625d1ab0a0448be1346b56cf075

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
194B

MD5
176d474280daf1d36f71af03bc211946

SHA1
618245ef221626d68a484296e4052f0289c0835a

SHA256
deffe41c5861a2cec69048ed26a8176952281e3770711149e331e72dcc4f78e7

SHA512
b79dec4fa6bf65aa65fdccd94292eea3d945175552060968aaf5aa68a0d77311835dfef5b13c08513fe30fd92668272ae1a1f7e34b8cb3adcf42f75b808260a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j7oxTYCbI.bat

Filesize
194B

MD5
84e31ff24281c30b259a56c14f2fed01

SHA1
8f87bee11670a359e01d4663b961b65c525a1505

SHA256
83d5bc04fcc144ea93743f3bee92a6869e1e0ecd5d716bd2591690470310de33

SHA512
7eb808160ed02e31ade2084343379f139520d4e79ce87065757bf1b64447c50013597029d990c9dd689f1ba06f8760e0df71fae63e9edc38b4bcf3464d39df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat

Filesize
194B

MD5
c3e8074f0e2dcca46134fc195bbb4ef5

SHA1
afc6a9491e54a5f7629b9ce12a97dbb5df5673b5

SHA256
7ee211bb4a8f71a028111c4b118190bc77a697783b7b6e24efe2d0c90d845f6f

SHA512
fd3898dea39eefaf2135a9b648950387b76fe01c987ed413232b78ec11b60cfe5e2fafc9c0e4e8498e4adc298e5b6c90a14ef2f022d54815d49c1abc2004c2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4A2C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat

Filesize
194B

MD5
f17dd1b9f31bfbbcab4cbb62343aa2e2

SHA1
5e6512ba666ea038bdeef7458e2c87f6ee5dc4ab

SHA256
af2eb3c09929fd1a0a46e5851fc8028bd9e948266dccd375323b39c4b69fbeaa

SHA512
86de49f6a163c49a752eecd08d85352ce3ab628f2eaa53932a030bf684c5db5e354dc8cc47b543087b9e9f101e5c57efff4550d6a5bbda5420d83483e4f5f7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

Filesize
194B

MD5
7e3221d9c01276b6f90ce07046fe6377

SHA1
0f2e6eef71cd2783d18377f5bae3201051941fd4

SHA256
29dfbc3e8851e1085b39bc7cecac416f3fa4e4ef8d7cbf29fbeb186afe37635a

SHA512
51da9682675630c20b0378f5e83a8fe60a7d9aaa90d2b5f1aa1dde4355a9f99257b98b2ea31ac45b36127d309abecab1f8ef346b78f721b8abf495a0f88ab8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

Filesize
194B

MD5
aff7e2664bb5a98ca5cdbbc5c40c7df5

SHA1
537a694ac96e20d6b66b04ed53fd6481b9172b51

SHA256
ed018450a099b29c0d63e323b55ca464ef3b85de6b6b249c4dade0097bc8f0cb

SHA512
d516fde16418c147357f7cf59ee1c81ed408f27883887774bf7de07cd800e14585f5b9ea5d8f050d5efdf6049c7e48bfd3749e84f941ed9c87dc4436f54906c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A3F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

Filesize
194B

MD5
c2a89d64b6a27db4a68ad89a9395ec11

SHA1
7529d137ea29f18a92009dd6441ec0c364616729

SHA256
de5451a8a13e83728e5072997bc73122738fd108f4a4a7b2b8c90e6e631a39ef

SHA512
c1011efbbe052b1d6fc98f46c6318a79f470a90324130e5b9dac035874f0e351ae9ab9f6f09955d977d90064b11029057f1308cd9a29b20058c6ad2c133b85ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat

Filesize
194B

MD5
bfa76bee91947bbf04a904ce56518ff3

SHA1
404a67061b579be7dbcbe797bf4b03c35666e08f

SHA256
ed8c556b5406574dabbafd936f915a1707fbe376e05864689b7647e459dcde29

SHA512
b5842fb0f386466412462d64ae513c578799883fb1aec90a6d203d550f57aa814126d0e11e9ca906e07c2a36fbf0e69d4d1762aeded97f4cd23185d7eb587f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat

Filesize
194B

MD5
e177949423a2621c442711f4aea9693c

SHA1
40b9d3149716eea7aedc3676ab4b9021ab932d57

SHA256
f20c80b467df4100d896aa7d3ff96ac76052060e886606aff97293590f77722c

SHA512
9ea3e23e2538f1558bfbfb113c0b5f92038d1af12107358f49ec4a9b35724327d3e68ea47719a39d79c87eee01e4b8b9c4a7302aedb700bc99b6323c583d096c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a21a83aef68375ee38fa99e5272f290d

SHA1
b2bef1da969373a2aeed6ec3f3b916340c3f8787

SHA256
c0d37c88379dd35eb1f0f90cdbd796e610e9f42c2515d4ec0b18e0290e5c391a

SHA512
65c5c9647d9458dbc0c2aa425abb4d7dc69fc9a6d6378f0847f643da4fd78967a02788dbe6e9e0d0432f2d750327faf782c553e7e7d3e4d2cf7e73593efefe39

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/788-406-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/1196-285-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/1504-165-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1504-164-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/2132-225-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2132-224-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2188-13-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/2188-17-0x0000000000E00000-0x0000000000E0C000-memory.dmp

Filesize
48KB

Download
memory/2188-16-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2188-15-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2188-14-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/2392-584-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2576-72-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2576-70-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2632-345-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/2632-346-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2648-644-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download