dcrat | bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba

Analysis

max time kernel
145s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba.exe
Size

1.3MB
MD5

79af7750a6d09d81cea41f089e842019
SHA1

ae40725b41902458d4d8bfe1fd97d5036ab7af48
SHA256

bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba
SHA512

5df626a5f4375e6d25a30c91f3448506f52981087452a0499f3a89ca01b72d0114797a45414f9b64acbe5a3a820fd7037e545253f270b29049e2cc19f1c4c6d3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2252	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2252	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d0c-12.dat	dcrat
behavioral1/memory/2144-13-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/2428-66-0x00000000009E0000-0x0000000000AF0000-memory.dmp	dcrat
behavioral1/memory/2436-275-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/memory/1644-335-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/2504-395-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/3024-514-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/2448-575-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2268-635-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2460	powershell.exe
2560	powershell.exe
1832	powershell.exe
1436	powershell.exe
2820	powershell.exe
2928	powershell.exe
3024	powershell.exe
2340	powershell.exe
2580	powershell.exe
2132	powershell.exe
2800	powershell.exe
1552	powershell.exe
2516	powershell.exe
2908	powershell.exe
2548	powershell.exe
1316	powershell.exe
1944	powershell.exe
2444	powershell.exe
984	powershell.exe
2860	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2144	DllCommonsvc.exe
2428	dwm.exe
2900	dwm.exe
2436	dwm.exe
1644	dwm.exe
2504	dwm.exe
536	dwm.exe
3024	dwm.exe
2448	dwm.exe
2268	dwm.exe
1436	dwm.exe
696	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	cmd.exe
2004	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\IME\IMEJP10\help\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\IME\IMEJP10\help\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1340	schtasks.exe
2268	schtasks.exe
1320	schtasks.exe
1128	schtasks.exe
3024	schtasks.exe
2656	schtasks.exe
1996	schtasks.exe
2880	schtasks.exe
1356	schtasks.exe
2016	schtasks.exe
2800	schtasks.exe
1352	schtasks.exe
1760	schtasks.exe
2408	schtasks.exe
2380	schtasks.exe
2992	schtasks.exe
1056	schtasks.exe
696	schtasks.exe
756	schtasks.exe
2284	schtasks.exe
2976	schtasks.exe
1424	schtasks.exe
1204	schtasks.exe
2704	schtasks.exe
2188	schtasks.exe
2212	schtasks.exe
2536	schtasks.exe
1652	schtasks.exe
1780	schtasks.exe
560	schtasks.exe
2784	schtasks.exe
2136	schtasks.exe
1544	schtasks.exe
2104	schtasks.exe
2088	schtasks.exe
588	schtasks.exe
2052	schtasks.exe
2672	schtasks.exe
2480	schtasks.exe
1872	schtasks.exe
2264	schtasks.exe
1820	schtasks.exe
2224	schtasks.exe
1132	schtasks.exe
1952	schtasks.exe
544	schtasks.exe
760	schtasks.exe
2324	schtasks.exe
2260	schtasks.exe
2568	schtasks.exe
1308	schtasks.exe
1524	schtasks.exe
2192	schtasks.exe
2404	schtasks.exe
768	schtasks.exe
2376	schtasks.exe
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2144	DllCommonsvc.exe
2144	DllCommonsvc.exe
2144	DllCommonsvc.exe
2144	DllCommonsvc.exe
2144	DllCommonsvc.exe
2144	DllCommonsvc.exe
2144	DllCommonsvc.exe
1316	powershell.exe
2516	powershell.exe
984	powershell.exe
2928	powershell.exe
1832	powershell.exe
2428	dwm.exe
2444	powershell.exe
1552	powershell.exe
1944	powershell.exe
2580	powershell.exe
2800	powershell.exe
2548	powershell.exe
2860	powershell.exe
3024	powershell.exe
2560	powershell.exe
1436	powershell.exe
2460	powershell.exe
2132	powershell.exe
2820	powershell.exe
2908	powershell.exe
2340	powershell.exe
2900	dwm.exe
2436	dwm.exe
1644	dwm.exe
2504	dwm.exe
536	dwm.exe
3024	dwm.exe
2448	dwm.exe
2268	dwm.exe
1436	dwm.exe
696	dwm.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	DllCommonsvc.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2428	dwm.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2900	dwm.exe
Token: SeDebugPrivilege	2436	dwm.exe
Token: SeDebugPrivilege	1644	dwm.exe
Token: SeDebugPrivilege	2504	dwm.exe
Token: SeDebugPrivilege	536	dwm.exe
Token: SeDebugPrivilege	3024	dwm.exe
Token: SeDebugPrivilege	2448	dwm.exe
Token: SeDebugPrivilege	2268	dwm.exe
Token: SeDebugPrivilege	1436	dwm.exe
Token: SeDebugPrivilege	696	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1456	1740	JaffaCakes118_bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba.exe	30
PID 1740 wrote to memory of 1456	1740	JaffaCakes118_bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba.exe	30
PID 1740 wrote to memory of 1456	1740	JaffaCakes118_bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba.exe	30
PID 1740 wrote to memory of 1456	1740	JaffaCakes118_bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba.exe	30
PID 1456 wrote to memory of 2004	1456	WScript.exe	31
PID 1456 wrote to memory of 2004	1456	WScript.exe	31
PID 1456 wrote to memory of 2004	1456	WScript.exe	31
PID 1456 wrote to memory of 2004	1456	WScript.exe	31
PID 2004 wrote to memory of 2144	2004	cmd.exe	33
PID 2004 wrote to memory of 2144	2004	cmd.exe	33
PID 2004 wrote to memory of 2144	2004	cmd.exe	33
PID 2004 wrote to memory of 2144	2004	cmd.exe	33
PID 2144 wrote to memory of 2516	2144	DllCommonsvc.exe	92
PID 2144 wrote to memory of 2516	2144	DllCommonsvc.exe	92
PID 2144 wrote to memory of 2516	2144	DllCommonsvc.exe	92
PID 2144 wrote to memory of 2928	2144	DllCommonsvc.exe	93
PID 2144 wrote to memory of 2928	2144	DllCommonsvc.exe	93
PID 2144 wrote to memory of 2928	2144	DllCommonsvc.exe	93
PID 2144 wrote to memory of 1552	2144	DllCommonsvc.exe	95
PID 2144 wrote to memory of 1552	2144	DllCommonsvc.exe	95
PID 2144 wrote to memory of 1552	2144	DllCommonsvc.exe	95
PID 2144 wrote to memory of 1316	2144	DllCommonsvc.exe	96
PID 2144 wrote to memory of 1316	2144	DllCommonsvc.exe	96
PID 2144 wrote to memory of 1316	2144	DllCommonsvc.exe	96
PID 2144 wrote to memory of 984	2144	DllCommonsvc.exe	97
PID 2144 wrote to memory of 984	2144	DllCommonsvc.exe	97
PID 2144 wrote to memory of 984	2144	DllCommonsvc.exe	97
PID 2144 wrote to memory of 2820	2144	DllCommonsvc.exe	98
PID 2144 wrote to memory of 2820	2144	DllCommonsvc.exe	98
PID 2144 wrote to memory of 2820	2144	DllCommonsvc.exe	98
PID 2144 wrote to memory of 2800	2144	DllCommonsvc.exe	99
PID 2144 wrote to memory of 2800	2144	DllCommonsvc.exe	99
PID 2144 wrote to memory of 2800	2144	DllCommonsvc.exe	99
PID 2144 wrote to memory of 2548	2144	DllCommonsvc.exe	105
PID 2144 wrote to memory of 2548	2144	DllCommonsvc.exe	105
PID 2144 wrote to memory of 2548	2144	DllCommonsvc.exe	105
PID 2144 wrote to memory of 2908	2144	DllCommonsvc.exe	106
PID 2144 wrote to memory of 2908	2144	DllCommonsvc.exe	106
PID 2144 wrote to memory of 2908	2144	DllCommonsvc.exe	106
PID 2144 wrote to memory of 2132	2144	DllCommonsvc.exe	107
PID 2144 wrote to memory of 2132	2144	DllCommonsvc.exe	107
PID 2144 wrote to memory of 2132	2144	DllCommonsvc.exe	107
PID 2144 wrote to memory of 2444	2144	DllCommonsvc.exe	108
PID 2144 wrote to memory of 2444	2144	DllCommonsvc.exe	108
PID 2144 wrote to memory of 2444	2144	DllCommonsvc.exe	108
PID 2144 wrote to memory of 2580	2144	DllCommonsvc.exe	109
PID 2144 wrote to memory of 2580	2144	DllCommonsvc.exe	109
PID 2144 wrote to memory of 2580	2144	DllCommonsvc.exe	109
PID 2144 wrote to memory of 1436	2144	DllCommonsvc.exe	110
PID 2144 wrote to memory of 1436	2144	DllCommonsvc.exe	110
PID 2144 wrote to memory of 1436	2144	DllCommonsvc.exe	110
PID 2144 wrote to memory of 1944	2144	DllCommonsvc.exe	111
PID 2144 wrote to memory of 1944	2144	DllCommonsvc.exe	111
PID 2144 wrote to memory of 1944	2144	DllCommonsvc.exe	111
PID 2144 wrote to memory of 1832	2144	DllCommonsvc.exe	112
PID 2144 wrote to memory of 1832	2144	DllCommonsvc.exe	112
PID 2144 wrote to memory of 1832	2144	DllCommonsvc.exe	112
PID 2144 wrote to memory of 2860	2144	DllCommonsvc.exe	113
PID 2144 wrote to memory of 2860	2144	DllCommonsvc.exe	113
PID 2144 wrote to memory of 2860	2144	DllCommonsvc.exe	113
PID 2144 wrote to memory of 2560	2144	DllCommonsvc.exe	115
PID 2144 wrote to memory of 2560	2144	DllCommonsvc.exe	115
PID 2144 wrote to memory of 2560	2144	DllCommonsvc.exe	115
PID 2144 wrote to memory of 2460	2144	DllCommonsvc.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bf929edcdc817890d946bf38c43d7f92ff9a190d8d59407181989b64b61c0eba.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMEJP10\help\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
        6⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1712
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
        8⤵
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2596
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        10⤵
        
        PID:932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2592
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
        12⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1164
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
        14⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3044
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat"
        16⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2800
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
        18⤵
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2676
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        20⤵
        
        PID:1152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2192
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
        22⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2472
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
        24⤵
        
        PID:820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:964
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Mahjong\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\IMEJP10\help\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\IME\IMEJP10\help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMEJP10\help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee222b1b0edef2e203258b45e066845e

SHA1
391bd7f7582fdbb87455c30557c9fdc7d5d98daf

SHA256
7fc119971c1236e0a70fe090f5087666eac94aa8150db71ff799ccbc182344e1

SHA512
7f62d13e6a069b0d96bef6af7d3c3bf575473510de72afdadb7754b6d2c33c8d7e5a0725aa1494656864e319fd88d0fa03c9bac2fbd38904ab95e87dd7e63d8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0543a24863fa5440b4d39fe37bc1149

SHA1
a25050a5f2656ba3a0ea33f805ae2afe22e6b88a

SHA256
2dcc58d9f94ba80aaf2f53c2431412ff2ca08629f388274ab2b0200eaf5223d3

SHA512
c41dcef7bef81723af03afacd6daad10f8640ef026b1b79f039aa30454aa92a9bcc9c2d35f117d05ee6b79223aed0ddcb6a3960945175ac73718518b9f01ca43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f408e0a317f8d560d2f4234f1c75a864

SHA1
7a073a55bfdc71bba62f217a462a9ff57e444c87

SHA256
c2e0013f2998490d9f2605e7f2e7972e6f82de117d5d5d9c835432abcdde00b5

SHA512
50501e9321112dcbdde70fc5b3af21e9b7e4595a65bcc2d80753698ab7944f2edbf46c055fcac146124a701ffbde766d7dc0d336bbb777d60577a4ff31c5d971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12e7d79514eaf2210d78e4e4b5a31df6

SHA1
d7a1bc901d708f9d1a76c08233d4d74625168ffb

SHA256
4ae83556f2792cee193e03b5ced95d9ee0e8e5699ec9c811b074a59fd2c3a19b

SHA512
bc7a25312e754fe4e822442e9a048dcb5b2ecaf833538115bd56f31986869954745a223755f33ff429e883fbab128c793d6308ac05ddb9acd0dcb3d9b32e5e07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
803e833553bcb00457c9ac1c8ff631e4

SHA1
05ba25f8193657b106310ab09b5305e12a7abd97

SHA256
6fa425d886d4a9d5eeebb0d311add20680e95d23ad836094ac95ea761f7cbc10

SHA512
6eb0f0a70884682531408a5c2935531a547717de764775422a8079af01e371960231fff9b8b824258e0c767195decceb9f930aee8ea99ef91864b23c30f34352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
133be108bc7d102103f07d4554681fc1

SHA1
04704148046be522bff2829740b47d3b2eaca5e6

SHA256
486135f06b040af40cfd6350d35d03dc209755bb04dcb7913a73445b524f2fc6

SHA512
a14d07d9a32ea37179b1a08c6aca786f4ce8c13764dc237ca4ac176fa5a309a39e60947d9c3d22897c8a62879aeddd28438f5fceecaa069d4d45b579c533b35e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2efb29ca35c63465a9781043e1a467d

SHA1
aeb2c6ceb6850fe2566ac10063514090f4233527

SHA256
3d807f8a52a40420cd0d695c04bba44dab913cd19df9b700aa688d50d26ec3b0

SHA512
5779825c27507817f57c4ee14e2f651b0cc5e0fff8d5a3c2a901a81d87961bed90dcbd367a1091919b1e4f4ca858492b88f7a3318075df318e8d9d8012bec076

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cf897acafe2007f24c4d397583d34cb

SHA1
a6f4f78a2613735123b5f875936a3024a04c26a8

SHA256
e7fce4780da468e03bde975f4162b90066afca3340ae5011e4b6ee479563e3a2

SHA512
2e7901c990e39440ce845b62a4b1494c05fe9fc413602f64daee353b3feb52604d29a0ddcd332b6534c63c339d28aba49b6164372cb425e93cd2cfbfa6346d11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df5bc93ca22cee5cb01ed3a7d52c6d79

SHA1
50033b0f8fd4dd8634685dfa74759b3a8412a6a6

SHA256
5d2dc2f3a32a481abce8c6b16e1bb2563964f72cf1833702f660533117184b58

SHA512
100f6b3a506efef69697bc099f674118b5db141388b31f15401700fb8a93e781b24e83c0b525713c6f1a3f4dd8283482a3ba320eccd2f1c88d98a91842767c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat

Filesize
194B

MD5
882ce06092fce5f859b6efc97770a409

SHA1
be25faea19fb27c715687d9051b6ae6b0e7e9ff9

SHA256
604f6c6dd74d5f63bd1d43d2d168b71529ec767ec52c2e54c0ad1c0407d5ee70

SHA512
d41173dd752af4069ac6071527bc40b91a7831f87901feae150ba317e52b8b0617f019a16db74ef5b0a798127041b810fb2edc6adb3344b697b86b0c9ee579c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

Filesize
194B

MD5
cf6b2ae7844466b343d40b14afa370f9

SHA1
e47f823cdb60492de069e7cd0d9d69f9d1638a07

SHA256
e08025fa88e394d1b7e00a691c9a6149a3fd47b1ab45949d129799055c6fdbdc

SHA512
85a0dbd0e0fd54f840b0609284ebf55995f2a6f23152692b50d46bec12439e93b4ac9a11625f5323b3dea70711e8d14292f187b6e921de013c3a5014c637e8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1B1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

Filesize
194B

MD5
b99b684a7d6c95a3df509102aba1954c

SHA1
f0521bc3b30f63bab8863066700580c30f673846

SHA256
f8db2535369cb0d43e5700edcf51f49c2a2cb9f1968fa0ea971c01b9bcfc5f00

SHA512
51cf4946ff1fcf3e1c5641223bbbdddf112ee6735eb2641fd8b06741def7c89099e481446472cc25de7e65b896ed1131775e82354977ad4bff988bc25623c458

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
194B

MD5
890ef5f635b3eb0bbf2fb443fc5443a5

SHA1
a367d9937933cce1b2ae0237a53ac931aa1c6f97

SHA256
305815b03013ff5f69bd43a2493344b9a154a5ceee37559f300aebd59378f9f3

SHA512
feef02b91778eb96e29be55508790aad3dd519b4843c7e4c6394055cc26d4aac15b8c0154bfa57501aa57d691e875ae9aab5a54f5fabef58d0d625c0125cbc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat

Filesize
194B

MD5
6b6bafe346630f2eacb5914095c9a169

SHA1
ccb297c599cf0baf58116038d52ca7c2abb21c53

SHA256
723e0cd7f2eb1478c4b4710ca1b0403e74108f42084e933f1fd36cb14dd5461e

SHA512
a3def256f02d871d1524b565195e45d8a98027862db17fd7be010848961191e804537a5b32f77bc1327adaa10a5d5eeb031551ebcbc9b0b163a1edc98d0edf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat

Filesize
194B

MD5
989c1e9034e2e2fc8c47d257abadf57a

SHA1
b422647496123d050f6cdfa70940cd5945650147

SHA256
9c60e6b28a5bfa3b212023cc90d93d50afd6097a05e0901874ecf40a9b009a10

SHA512
1adf5ef2c0a59fcbdb32ccb268d0c411296ea542577341f25fb27b6d59dd8f0924b79a0d4938bf0bb4e21a604059a7d413f356be6e019d43cac2f887d9a9b911

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
194B

MD5
450363e8c780948a3687e42b76aba52e

SHA1
93e6e9cb638f0999abd7047611c250ed0a9dc4e6

SHA256
f088405ee82781e3b9c6d18dfa9743715ca122c3f7824a31af3e58628fbeee31

SHA512
622202866735b4c6206fca97bc4c9413cdc06711ccd2cb12d145a2087ca6a3df2e75d17c0e20ff7783a7838eb6770083a32d46fbde13d60de2c3c8e1a4f1a1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF231.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

Filesize
194B

MD5
e9fc5c4893f4d80370b06e8d402039b4

SHA1
8bad16200328903cfbca70c3cf003e1e397e1709

SHA256
783b545e5747fd8780ebe52f39a4ba18a0f10ad50d54cd69679b2f52b6de4399

SHA512
a1428a37f6971d05f4f7d04cbe59c7f57f1407daf894756f89e1ce39696e18795410cd0a2225ec77f197ce7c8bc92fe697e389a79e2f5e8ee99d7c3781c376ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat

Filesize
194B

MD5
e796446fdf96cf572f3d9cea73e557ba

SHA1
6bc4a14f1bcb4adf2ef8debf94c612941e7ca801

SHA256
d27e85215ca1a97e18f99eea33fb221ceb81643b198e2c6fde23fb1d3d5851af

SHA512
b16db182d5e2c1210c0549607fd7957d1af26c8e2af7fbe251e5faeea3df8772caa8eec1c3e512342b07299c37d5b7286d2531d271e723bafa31b6b2e5a658db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
194B

MD5
7a48930951f89b9f642e6b7196da1d03

SHA1
bdd0a14e8b6eaa892d1e70e99cde49ac87c0d29a

SHA256
5d324dd279cd4d1062b4f60754b2ec78aa52ce3cc85e15f43e8dd4f8ced37b3b

SHA512
6e97e7820cb323acb3f770074434aac48bed091746a3e51cf636a0a8f70cc89dc475f6064796c5982687b2e828a728b10e33bdc5f1668696afe9763b5791fcee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8095f754e1adc0ccec10af57fe34e384

SHA1
f8a51bc1df680d18fe85014535b81ed12147e11f

SHA256
544b4b9dbfcdc7f07dce946bc4b579c3383dc72540905be92c4305b5a22367f1

SHA512
8a5f06ca3d8d58fa12e49c8de61238bf5545943e9fd4c1e2f389cd59f77688eb2e1d1a9e863aa025a4505e01a5267ccccf09b5ad8a8e18d3da787f055b459aa6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1436-695-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1644-335-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2144-13-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2144-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2144-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2144-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2144-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2268-635-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2428-66-0x00000000009E0000-0x0000000000AF0000-memory.dmp

Filesize
1.1MB

Download
memory/2436-275-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download
memory/2448-575-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2504-395-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/2516-80-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2516-81-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/3024-515-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/3024-514-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download