dcrat | 7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe
Size

1.3MB
MD5

aaba96c96dfa7d7a795c069095afddf9
SHA1

a7e6f3dc3757e5bf84e2b6185efa21ea551183dd
SHA256

7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc
SHA512

a198a8a8e5680ed9a7338216049a608c742c0f594d4c85ce8688eafff367a54c578e33c2346ea132842946f68a05d96f4cebb5cf75729de66faec2db0ea9d8c8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2636	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016cd7-9.dat	dcrat
behavioral1/memory/3068-13-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1868-157-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/1480-216-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/1724-277-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat
behavioral1/memory/2148-337-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/2736-397-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/684-457-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/896-517-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2888-636-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2076-696-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe
1776	powershell.exe
1840	powershell.exe
2680	powershell.exe
2032	powershell.exe
2860	powershell.exe
2844	powershell.exe
2776	powershell.exe
1996	powershell.exe
2800	powershell.exe
2732	powershell.exe
2208	powershell.exe
2772	powershell.exe
656	powershell.exe
2688	powershell.exe
2608	powershell.exe
684	powershell.exe
2836	powershell.exe
2784	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3068	DllCommonsvc.exe
1868	lsm.exe
1480	lsm.exe
1724	lsm.exe
2148	lsm.exe
2736	lsm.exe
684	lsm.exe
896	lsm.exe
1684	lsm.exe
2888	lsm.exe
2076	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
5	raw.githubusercontent.com
20	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\explorer.exe	DllCommonsvc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\services.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\Tasks\services.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe
900	schtasks.exe
2152	schtasks.exe
2144	schtasks.exe
1772	schtasks.exe
1636	schtasks.exe
2196	schtasks.exe
1596	schtasks.exe
2756	schtasks.exe
1292	schtasks.exe
1760	schtasks.exe
2812	schtasks.exe
888	schtasks.exe
3040	schtasks.exe
2884	schtasks.exe
2888	schtasks.exe
1852	schtasks.exe
1568	schtasks.exe
2292	schtasks.exe
2240	schtasks.exe
1332	schtasks.exe
692	schtasks.exe
448	schtasks.exe
1992	schtasks.exe
1860	schtasks.exe
2116	schtasks.exe
872	schtasks.exe
1960	schtasks.exe
332	schtasks.exe
3008	schtasks.exe
1164	schtasks.exe
1192	schtasks.exe
1612	schtasks.exe
2444	schtasks.exe
2308	schtasks.exe
2472	schtasks.exe
2188	schtasks.exe
2524	schtasks.exe
1812	schtasks.exe
2112	schtasks.exe
616	schtasks.exe
884	schtasks.exe
2244	schtasks.exe
1768	schtasks.exe
964	schtasks.exe
3024	schtasks.exe
2180	schtasks.exe
1336	schtasks.exe
2540	schtasks.exe
2952	schtasks.exe
1876	schtasks.exe
1608	schtasks.exe
1480	schtasks.exe
1688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
3068	DllCommonsvc.exe
2776	powershell.exe
1996	powershell.exe
2872	powershell.exe
684	powershell.exe
2032	powershell.exe
2800	powershell.exe
656	powershell.exe
2844	powershell.exe
2208	powershell.exe
2608	powershell.exe
2680	powershell.exe
2688	powershell.exe
2772	powershell.exe
1776	powershell.exe
2836	powershell.exe
2784	powershell.exe
2860	powershell.exe
1840	powershell.exe
2732	powershell.exe
1868	lsm.exe
1480	lsm.exe
1724	lsm.exe
2148	lsm.exe
2736	lsm.exe
684	lsm.exe
896	lsm.exe
1684	lsm.exe
2888	lsm.exe
2076	lsm.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	DllCommonsvc.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1868	lsm.exe
Token: SeDebugPrivilege	1480	lsm.exe
Token: SeDebugPrivilege	1724	lsm.exe
Token: SeDebugPrivilege	2148	lsm.exe
Token: SeDebugPrivilege	2736	lsm.exe
Token: SeDebugPrivilege	684	lsm.exe
Token: SeDebugPrivilege	896	lsm.exe
Token: SeDebugPrivilege	1684	lsm.exe
Token: SeDebugPrivilege	2888	lsm.exe
Token: SeDebugPrivilege	2076	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2776	2504	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe	30
PID 2504 wrote to memory of 2776	2504	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe	30
PID 2504 wrote to memory of 2776	2504	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe	30
PID 2504 wrote to memory of 2776	2504	JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe	30
PID 2776 wrote to memory of 2760	2776	WScript.exe	31
PID 2776 wrote to memory of 2760	2776	WScript.exe	31
PID 2776 wrote to memory of 2760	2776	WScript.exe	31
PID 2776 wrote to memory of 2760	2776	WScript.exe	31
PID 2760 wrote to memory of 3068	2760	cmd.exe	33
PID 2760 wrote to memory of 3068	2760	cmd.exe	33
PID 2760 wrote to memory of 3068	2760	cmd.exe	33
PID 2760 wrote to memory of 3068	2760	cmd.exe	33
PID 3068 wrote to memory of 2844	3068	DllCommonsvc.exe	89
PID 3068 wrote to memory of 2844	3068	DllCommonsvc.exe	89
PID 3068 wrote to memory of 2844	3068	DllCommonsvc.exe	89
PID 3068 wrote to memory of 2784	3068	DllCommonsvc.exe	90
PID 3068 wrote to memory of 2784	3068	DllCommonsvc.exe	90
PID 3068 wrote to memory of 2784	3068	DllCommonsvc.exe	90
PID 3068 wrote to memory of 2836	3068	DllCommonsvc.exe	91
PID 3068 wrote to memory of 2836	3068	DllCommonsvc.exe	91
PID 3068 wrote to memory of 2836	3068	DllCommonsvc.exe	91
PID 3068 wrote to memory of 2776	3068	DllCommonsvc.exe	92
PID 3068 wrote to memory of 2776	3068	DllCommonsvc.exe	92
PID 3068 wrote to memory of 2776	3068	DllCommonsvc.exe	92
PID 3068 wrote to memory of 2872	3068	DllCommonsvc.exe	94
PID 3068 wrote to memory of 2872	3068	DllCommonsvc.exe	94
PID 3068 wrote to memory of 2872	3068	DllCommonsvc.exe	94
PID 3068 wrote to memory of 2772	3068	DllCommonsvc.exe	95
PID 3068 wrote to memory of 2772	3068	DllCommonsvc.exe	95
PID 3068 wrote to memory of 2772	3068	DllCommonsvc.exe	95
PID 3068 wrote to memory of 2860	3068	DllCommonsvc.exe	96
PID 3068 wrote to memory of 2860	3068	DllCommonsvc.exe	96
PID 3068 wrote to memory of 2860	3068	DllCommonsvc.exe	96
PID 3068 wrote to memory of 2680	3068	DllCommonsvc.exe	97
PID 3068 wrote to memory of 2680	3068	DllCommonsvc.exe	97
PID 3068 wrote to memory of 2680	3068	DllCommonsvc.exe	97
PID 3068 wrote to memory of 1776	3068	DllCommonsvc.exe	99
PID 3068 wrote to memory of 1776	3068	DllCommonsvc.exe	99
PID 3068 wrote to memory of 1776	3068	DllCommonsvc.exe	99
PID 3068 wrote to memory of 2688	3068	DllCommonsvc.exe	100
PID 3068 wrote to memory of 2688	3068	DllCommonsvc.exe	100
PID 3068 wrote to memory of 2688	3068	DllCommonsvc.exe	100
PID 3068 wrote to memory of 1840	3068	DllCommonsvc.exe	102
PID 3068 wrote to memory of 1840	3068	DllCommonsvc.exe	102
PID 3068 wrote to memory of 1840	3068	DllCommonsvc.exe	102
PID 3068 wrote to memory of 2032	3068	DllCommonsvc.exe	103
PID 3068 wrote to memory of 2032	3068	DllCommonsvc.exe	103
PID 3068 wrote to memory of 2032	3068	DllCommonsvc.exe	103
PID 3068 wrote to memory of 1996	3068	DllCommonsvc.exe	104
PID 3068 wrote to memory of 1996	3068	DllCommonsvc.exe	104
PID 3068 wrote to memory of 1996	3068	DllCommonsvc.exe	104
PID 3068 wrote to memory of 2800	3068	DllCommonsvc.exe	105
PID 3068 wrote to memory of 2800	3068	DllCommonsvc.exe	105
PID 3068 wrote to memory of 2800	3068	DllCommonsvc.exe	105
PID 3068 wrote to memory of 2732	3068	DllCommonsvc.exe	106
PID 3068 wrote to memory of 2732	3068	DllCommonsvc.exe	106
PID 3068 wrote to memory of 2732	3068	DllCommonsvc.exe	106
PID 3068 wrote to memory of 2608	3068	DllCommonsvc.exe	107
PID 3068 wrote to memory of 2608	3068	DllCommonsvc.exe	107
PID 3068 wrote to memory of 2608	3068	DllCommonsvc.exe	107
PID 3068 wrote to memory of 684	3068	DllCommonsvc.exe	108
PID 3068 wrote to memory of 684	3068	DllCommonsvc.exe	108
PID 3068 wrote to memory of 684	3068	DllCommonsvc.exe	108
PID 3068 wrote to memory of 656	3068	DllCommonsvc.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e718e3d85945f59491f0792abf163097ab61100b0aabd2b3c1855a531bc97bc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\video_output\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hjIkebQfpg.bat"
        5⤵
        
        PID:1576
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1860
      - C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
        7⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2380
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        9⤵
        
        PID:1836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2836
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        11⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1728
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        13⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2288
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
        15⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1468
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
        17⤵
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:796
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
        19⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3060
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"
        21⤵
        
        PID:792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2952
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        23⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1652
        
        C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
        25⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Themes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\video_output\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\video_output\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\video_output\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71f18d7dffd0b0e8c8d9006985c66744

SHA1
7eb40ca3d035b5899f246909f3633e8e252f853c

SHA256
1e801606862b3e0734540a569376c873d682a35bd2ddde1e92a7e430d23a65a4

SHA512
027180407bf99455d4576b0870ea8bc993cff5fc3dbac9d554fa6cbe50eb6365daa265f91f90eef88e353021a21bc2c608e3ff2093715ef639288c6780b5c758

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de8dff0636364ef21ed50a9bb606874d

SHA1
4f90d042360bac0776c22c6a8fed83a428035bae

SHA256
ac2091adbca574946194ef8753def72e9d19b343f017a55550ad2df5718da899

SHA512
9d2448e85466b70abc2169aeef01e7e2db80999e8bdd8d227a75d1d39b95f458d3a803c1784dbfac9e3d07a7ad36f74302d1e27b3543d2c0a89860ce179de894

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d67f4fea6b3319a998eea5e5b4985521

SHA1
e497c90d417aedf0fcd5e0484cef591c7326ed4c

SHA256
9e21cee5be94457ebc6145be2cf2b37cb2809bacc5a1d45b8ffcbfed060c2113

SHA512
e33fd9891fa9a54e672c14307d1250324025526086868d769411c1848da37e53d2ffbf52efae29bbf979ef607d985d43f6c988e1e7da5a5b7af39b74c617acd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd8f13b39552857b3150e6ac7d89226f

SHA1
e663c57488a22b0a0f59444f227dea63cfac1e5f

SHA256
27fa9c64c4f4972ba11b086df69e064ba5c89552c67121bbf3124bd51bdc3340

SHA512
b02a42e9ccc0edbb2e132a06194a2e5cd4d3f870c98794f7756caf666abd8aa258b61f2fa6fb4f3d92ffee99abcae6214e7ea8be0fec887ff739415cac853a7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a9ce272dbb0f5350afe74d15d301e47

SHA1
d2e4a77fc6e8ab5e18d76c52047c2d2e04b7a5b6

SHA256
6d18ca697c3148105c80a50431e2c22f3fba624468c9a4479a29fab5964fb460

SHA512
d0a41da49529e33daa7862f13450d7a8f0a6f4f6e91d782e4ac48bee2cc1d8c948d9fd8bfb3d8c4f4cce22eca16fdb6ceac9d5e5b7a8dbcf87d5cb94b1a43563

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddf7831567debafc029a28cc40b454df

SHA1
8874949cafd14f358e5bb85d7b3f6a9247b5ed3e

SHA256
012cdb9088d99fffe8972111a6ca83a823a4ee032b1567ec68088b0641a06894

SHA512
44fd88aaaec11fe817ab87731eb777d525818f35718a8e2eeebfca2bd603704e515280c62a6af4f33fa9e42e779137bbea8c31dda950dc36e5f2abddc3dd7bc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
379b522ff348bf03029f808e924620f4

SHA1
ec0b96cedc3248b5a1a61a2188f3d7e56b8ad8dc

SHA256
641ec52d46d8c3c89eaa2a3fa3e4039cc3f66e0ce3a149396c34be86706d444a

SHA512
f3f216e5ccc35320c8a0f7a258fbafb4eefe153ad2f19ad023ee9fa7992cb7d903b5d8fe717b0687fcb29f8979401ed0a87bd177fe8dfb7a953301c9cf0186ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66165353268c03eb49b5957c5daf6ab1

SHA1
d86fe4e4dcfe03051ec08884492ae1641fd2541d

SHA256
6fa5eaa1b34f6146f988e8bf355d89ebbeaeef481ffc525e36a16fd89404d431

SHA512
cc57b741017563ef9c41043ce6e7048334db254f58ae9549b502948de50b5ad366cd47124dd9ada8aec3b8d3e1dffbf57ebd4d5ba9de3d50426514f9145ec19d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd448c831325585d41b5dea4010e9502

SHA1
4455284722826ccef78419c0442db6b6d565636c

SHA256
27b51be08f5f2cc2bcad6b50119922e0165cc0818ae04dc4619e31c13475a62b

SHA512
6b76cdb0546aa648237e36fc7788a5828d5902a6a83036e53e9275056995bc40f2e109e8aa5fa2494be502bf3fa5dc0054767fe4b8b7fd1938680ccebc57f703

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

Filesize
194B

MD5
297506048d96d65835d0735a497a50d5

SHA1
b810998caf45703f835026c53a1db0de1658bfda

SHA256
c17cc5a5e081b61a0e486557c44264a7c31c508cdcc7bb28ac86799d6c283e4b

SHA512
b8913978793d2fee0ac5f230d135f4c97ac6571d12b00463a2a4a5c22fe7efdd07e51114327ea18c2f1fb793b47b5ad10728d2955c7d4009b2ec666e546a48db

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
194B

MD5
58e29f0176b322c5251f674942eb2c5b

SHA1
2f71c7a167d390080deb285cb555e39e0e1a180d

SHA256
ab3ba32bb4682c835795b002ddacd638aebbcf27e9dd14bdb75607a6f1345d93

SHA512
1fa5786bf815270efcabf2b6fde9389b11f0e5858c1aec1612069bbed18f94e14f68832d7b26d9265aa1200ab6425cee357f80d0f9c2423c60ea84ce91a89783

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC66D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
194B

MD5
8e5fc5f5f56ae7d650d2b1eb4e4fdcc5

SHA1
07565903922e3443b908c391d86e4b87c0c96efd

SHA256
bc7ecba242ada551a9182b586ba96472a5f75cf1bba0c04a5e4041e8bcbcd8ce

SHA512
e4b986d8b0c83dea42e215b4796623c73841da8c918cd5535ad9e45d9671a88d137bebdd2ad9774f883240023442689221afcfe146696e9cd4b417d74a1f3403

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat

Filesize
194B

MD5
358c67affe0acd3471e4cedc9b234b66

SHA1
5301282fee0d2d71884e3fe1310588a6690beb7f

SHA256
401a242fe1705737ab52ae8ef2bf1aa2a97ba65c0e3b0c39d344d58c0a2cce74

SHA512
f81131d7081215ea0b5006708b2b4958507ea18194f941b9048c2df70ee1346c487d570347ae23e3cdfa9aeaa7f773971cdfdc3ab54215eaa398a7cfe9d8e536

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

Filesize
194B

MD5
8da4f0218d2f35cb464d156609baeefd

SHA1
199cbfc11fc6ee316492502b86b369c33b6e0cb6

SHA256
f51c5402f6a85d3e7540aac3cb517da54897ed344e783f9d422cfec70920cdbe

SHA512
8784b2cf5b2de1cab7dda99a9442ef1dd7501509b0f376758b9c07de291c9335437a75e4dd00046bde093a89af79ba15dd13d516e952d78376088a29472398e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
194B

MD5
a603b4f0b6225a37b4f1456adeb19ebb

SHA1
f9927d29399a502bae3c185133ab7ec81e50ccba

SHA256
616054707b829c4ead7362b9c472a8f80d18c004a5ccff4ec8266de780f9e82c

SHA512
1a41cf036cf42411def6d631915261a936745ebed3f88c2ba3ba111e14f47d37775ed726437a7c461108bf281f03fe49f5e32357be4b33907af6ec4e9a853181

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC67F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

Filesize
194B

MD5
9d00e0a5a284c81e37f410854cd3dc5c

SHA1
0483aec22611b4a317aed94e9efdc6812f810513

SHA256
9d1ee6657dc2b3d4bdcb4189d90a0fbb0c4f87dac79050af8bcf60b2aa93fab7

SHA512
1e60062db025044018bcd7ec48c2b8f5930bd73c457bd38336c0643160540278c35a629b39b2549a150df96e73fd78f87d8f85d0f5bbdc182a6203db807e6e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
194B

MD5
f1cd353c5d3dc638dc87b65dd77b388b

SHA1
6b4d30272f2e9caa12ae31f26ec3b6a970dff2d2

SHA256
c7a7120d8c14b9ff296f1c58e78e7f4d22c1edbd52dcb40a847c5e1e0e76b468

SHA512
41d38c3e1de94fa8fc599469a7589165321ec0ef676cfff4b162d11f29b96c2e4dbc20d7a0396b369672f11af4b80a128cbda21f7d4b54112fd50f590b27614b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

Filesize
194B

MD5
6b51d0128c27b5503a20b4f38ab8462c

SHA1
77f88d1f38097a737fc4771c629ce3a3d809bca9

SHA256
5578e294b5d1cebaea045fa816d004bf95d3b97f97272d4ee1d67b0e69153c1f

SHA512
0fabde2ed25153f925fb60cbb0bf1d39aa6c14ea0af7f3806a8b298fa004a5cce7d219381ee2bc788781375980db1db90e56fa55a6dfe9e9af5f20767b780aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

Filesize
194B

MD5
337964e4b6506dfc4600a0f465d33783

SHA1
c252d2d1bc8f7f754e788523ae8fcc07f8b38195

SHA256
ba1c8d898c279148676417d7c144f3367fb1331c6b40b74ca1cdfb836d0e20ea

SHA512
5ca329c6e06dec8f34d8c310cb0051fab52a35a11353e81598916b64489dfb95cc6d832bc3928845f44176d816dfda0a1a62406e2beec82ee35ff006bf4e5cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjIkebQfpg.bat

Filesize
194B

MD5
5365d6c26718d4f74ca7fa9d57364fca

SHA1
40bf80fe9f333c5d53cea50d50336d2b7c4370fe

SHA256
ef757e7e90e93eb8e3a9d7e44c572abba7a5b3a7be6800466bf92f82ca1de7ca

SHA512
a3321123ff5758b94c440db64f1c2aadc5288dc221d7ba62720882e4e0de71f72bcd643e49dcdead8225352e6c6843bf0ea0aca0bb781535afd3b085d90902cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8D7FZR4JA3HHCPVNTT2A.temp

Filesize
7KB

MD5
5fae1f14aaf6a87ff1290eebf00053ce

SHA1
3b9a7030c6effb695c527a796be2a7b0bc67e4e2

SHA256
e5a2d1f505701c711431fc1c2cbca25bcc4218a2feab25cc37055ab89973a3a0

SHA512
70927117292f01a6dcaaadad9f99ec3f720aa803e21af4fd4cbd247e7a571cf9c799810326ca33b06e14cc0ba52677a46ec1f3ea9db9d564e899f6ca4fdbc678

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/684-457-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/896-517-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/1480-217-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1480-216-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/1724-277-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download
memory/1868-157-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/1996-71-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1996-115-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2076-696-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/2148-337-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2736-397-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2888-636-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/3068-17-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/3068-16-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/3068-15-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/3068-14-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/3068-13-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download