dcrat | a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4.exe
Size

1.3MB
MD5

b02780fe26f301f340c8d5b909e5df32
SHA1

fb0d072d1a0d35446af2fcf615920b0dfb337601
SHA256

a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4
SHA512

1da3e5d0cdf62f0b9879f0de1c2902b0a48e62eded3fb87d2f9ffec804e72c52e0dc35c20144881d377708f5c69675362886cc560f673ace288bc148ba3e21a0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2796	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018697-10.dat	dcrat
behavioral1/memory/2520-13-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/1588-156-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2936-334-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/2176-454-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2068-515-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat
behavioral1/memory/2460-575-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/936-635-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2952-754-0x00000000009D0000-0x0000000000AE0000-memory.dmp	dcrat
behavioral1/memory/2360-815-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2628	powershell.exe
1048	powershell.exe
2720	powershell.exe
2936	powershell.exe
2600	powershell.exe
2632	powershell.exe
2756	powershell.exe
2868	powershell.exe
1036	powershell.exe
2392	powershell.exe
2160	powershell.exe
2684	powershell.exe
2792	powershell.exe
2836	powershell.exe
2588	powershell.exe
2776	powershell.exe
2940	powershell.exe
2848	powershell.exe
2212	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2520	DllCommonsvc.exe
1588	OSPPSVC.exe
1216	OSPPSVC.exe
2620	OSPPSVC.exe
2936	OSPPSVC.exe
2172	OSPPSVC.exe
2176	OSPPSVC.exe
2068	OSPPSVC.exe
2460	OSPPSVC.exe
936	OSPPSVC.exe
1784	OSPPSVC.exe
2952	OSPPSVC.exe
2360	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	cmd.exe
2524	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\rc0005\smss.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\56085415360792	DllCommonsvc.exe
File created	C:\Windows\ehome\en-US\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\en-US\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1940	schtasks.exe
1960	schtasks.exe
1356	schtasks.exe
3064	schtasks.exe
2176	schtasks.exe
1716	schtasks.exe
2260	schtasks.exe
2004	schtasks.exe
2044	schtasks.exe
2448	schtasks.exe
1628	schtasks.exe
1672	schtasks.exe
2928	schtasks.exe
2648	schtasks.exe
2076	schtasks.exe
3016	schtasks.exe
1284	schtasks.exe
2828	schtasks.exe
1584	schtasks.exe
2576	schtasks.exe
1688	schtasks.exe
2880	schtasks.exe
2040	schtasks.exe
832	schtasks.exe
976	schtasks.exe
2664	schtasks.exe
800	schtasks.exe
2924	schtasks.exe
2564	schtasks.exe
2616	schtasks.exe
2744	schtasks.exe
1656	schtasks.exe
1528	schtasks.exe
2840	schtasks.exe
1788	schtasks.exe
1096	schtasks.exe
2512	schtasks.exe
1296	schtasks.exe
352	schtasks.exe
2324	schtasks.exe
2900	schtasks.exe
980	schtasks.exe
2112	schtasks.exe
2276	schtasks.exe
2100	schtasks.exe
2704	schtasks.exe
1644	schtasks.exe
1732	schtasks.exe
3032	schtasks.exe
3008	schtasks.exe
2124	schtasks.exe
1892	schtasks.exe
1952	schtasks.exe
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2520	DllCommonsvc.exe
2520	DllCommonsvc.exe
2520	DllCommonsvc.exe
2836	powershell.exe
2756	powershell.exe
2936	powershell.exe
2720	powershell.exe
2792	powershell.exe
1048	powershell.exe
2684	powershell.exe
2848	powershell.exe
2392	powershell.exe
2212	powershell.exe
2600	powershell.exe
1036	powershell.exe
2588	powershell.exe
2632	powershell.exe
2160	powershell.exe
2868	powershell.exe
2628	powershell.exe
2940	powershell.exe
2776	powershell.exe
1588	OSPPSVC.exe
1216	OSPPSVC.exe
2620	OSPPSVC.exe
2936	OSPPSVC.exe
2172	OSPPSVC.exe
2176	OSPPSVC.exe
2068	OSPPSVC.exe
2460	OSPPSVC.exe
936	OSPPSVC.exe
1784	OSPPSVC.exe
2952	OSPPSVC.exe
2360	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	DllCommonsvc.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1588	OSPPSVC.exe
Token: SeDebugPrivilege	1216	OSPPSVC.exe
Token: SeDebugPrivilege	2620	OSPPSVC.exe
Token: SeDebugPrivilege	2936	OSPPSVC.exe
Token: SeDebugPrivilege	2172	OSPPSVC.exe
Token: SeDebugPrivilege	2176	OSPPSVC.exe
Token: SeDebugPrivilege	2068	OSPPSVC.exe
Token: SeDebugPrivilege	2460	OSPPSVC.exe
Token: SeDebugPrivilege	936	OSPPSVC.exe
Token: SeDebugPrivilege	1784	OSPPSVC.exe
Token: SeDebugPrivilege	2952	OSPPSVC.exe
Token: SeDebugPrivilege	2360	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2496	2236	JaffaCakes118_a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4.exe	30
PID 2236 wrote to memory of 2496	2236	JaffaCakes118_a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4.exe	30
PID 2236 wrote to memory of 2496	2236	JaffaCakes118_a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4.exe	30
PID 2236 wrote to memory of 2496	2236	JaffaCakes118_a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4.exe	30
PID 2496 wrote to memory of 2524	2496	WScript.exe	32
PID 2496 wrote to memory of 2524	2496	WScript.exe	32
PID 2496 wrote to memory of 2524	2496	WScript.exe	32
PID 2496 wrote to memory of 2524	2496	WScript.exe	32
PID 2524 wrote to memory of 2520	2524	cmd.exe	34
PID 2524 wrote to memory of 2520	2524	cmd.exe	34
PID 2524 wrote to memory of 2520	2524	cmd.exe	34
PID 2524 wrote to memory of 2520	2524	cmd.exe	34
PID 2520 wrote to memory of 2756	2520	DllCommonsvc.exe	90
PID 2520 wrote to memory of 2756	2520	DllCommonsvc.exe	90
PID 2520 wrote to memory of 2756	2520	DllCommonsvc.exe	90
PID 2520 wrote to memory of 2684	2520	DllCommonsvc.exe	91
PID 2520 wrote to memory of 2684	2520	DllCommonsvc.exe	91
PID 2520 wrote to memory of 2684	2520	DllCommonsvc.exe	91
PID 2520 wrote to memory of 2720	2520	DllCommonsvc.exe	92
PID 2520 wrote to memory of 2720	2520	DllCommonsvc.exe	92
PID 2520 wrote to memory of 2720	2520	DllCommonsvc.exe	92
PID 2520 wrote to memory of 2776	2520	DllCommonsvc.exe	93
PID 2520 wrote to memory of 2776	2520	DllCommonsvc.exe	93
PID 2520 wrote to memory of 2776	2520	DllCommonsvc.exe	93
PID 2520 wrote to memory of 2792	2520	DllCommonsvc.exe	94
PID 2520 wrote to memory of 2792	2520	DllCommonsvc.exe	94
PID 2520 wrote to memory of 2792	2520	DllCommonsvc.exe	94
PID 2520 wrote to memory of 2940	2520	DllCommonsvc.exe	95
PID 2520 wrote to memory of 2940	2520	DllCommonsvc.exe	95
PID 2520 wrote to memory of 2940	2520	DllCommonsvc.exe	95
PID 2520 wrote to memory of 2936	2520	DllCommonsvc.exe	96
PID 2520 wrote to memory of 2936	2520	DllCommonsvc.exe	96
PID 2520 wrote to memory of 2936	2520	DllCommonsvc.exe	96
PID 2520 wrote to memory of 2868	2520	DllCommonsvc.exe	97
PID 2520 wrote to memory of 2868	2520	DllCommonsvc.exe	97
PID 2520 wrote to memory of 2868	2520	DllCommonsvc.exe	97
PID 2520 wrote to memory of 2848	2520	DllCommonsvc.exe	98
PID 2520 wrote to memory of 2848	2520	DllCommonsvc.exe	98
PID 2520 wrote to memory of 2848	2520	DllCommonsvc.exe	98
PID 2520 wrote to memory of 2600	2520	DllCommonsvc.exe	99
PID 2520 wrote to memory of 2600	2520	DllCommonsvc.exe	99
PID 2520 wrote to memory of 2600	2520	DllCommonsvc.exe	99
PID 2520 wrote to memory of 2836	2520	DllCommonsvc.exe	100
PID 2520 wrote to memory of 2836	2520	DllCommonsvc.exe	100
PID 2520 wrote to memory of 2836	2520	DllCommonsvc.exe	100
PID 2520 wrote to memory of 2632	2520	DllCommonsvc.exe	101
PID 2520 wrote to memory of 2632	2520	DllCommonsvc.exe	101
PID 2520 wrote to memory of 2632	2520	DllCommonsvc.exe	101
PID 2520 wrote to memory of 2588	2520	DllCommonsvc.exe	102
PID 2520 wrote to memory of 2588	2520	DllCommonsvc.exe	102
PID 2520 wrote to memory of 2588	2520	DllCommonsvc.exe	102
PID 2520 wrote to memory of 1036	2520	DllCommonsvc.exe	103
PID 2520 wrote to memory of 1036	2520	DllCommonsvc.exe	103
PID 2520 wrote to memory of 1036	2520	DllCommonsvc.exe	103
PID 2520 wrote to memory of 2392	2520	DllCommonsvc.exe	104
PID 2520 wrote to memory of 2392	2520	DllCommonsvc.exe	104
PID 2520 wrote to memory of 2392	2520	DllCommonsvc.exe	104
PID 2520 wrote to memory of 2628	2520	DllCommonsvc.exe	105
PID 2520 wrote to memory of 2628	2520	DllCommonsvc.exe	105
PID 2520 wrote to memory of 2628	2520	DllCommonsvc.exe	105
PID 2520 wrote to memory of 1048	2520	DllCommonsvc.exe	106
PID 2520 wrote to memory of 1048	2520	DllCommonsvc.exe	106
PID 2520 wrote to memory of 1048	2520	DllCommonsvc.exe	106
PID 2520 wrote to memory of 2212	2520	DllCommonsvc.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a42c1b99cb5b3e5374801aea56d1181187ed34c8a15c35e2b190aa89dbae56d4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\en-US\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FUrPKKMybJ.bat"
        5⤵
        
        PID:2644
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1660
      - C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
        7⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2144
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
        9⤵
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:904
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        11⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1660
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        13⤵
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:980
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat"
        15⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1764
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        17⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1584
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        19⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2924
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
        21⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2532
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        23⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1476
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
        25⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1836
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
        27⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2616
        
        C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\ehome\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e0df4b247f62fbc0b89fd7baf5a18d6

SHA1
5bdc8c765fffddedf30018f8c34c5e62428f5c8c

SHA256
5dc0a4c379ce1d976be98b2364ea4448f3028318a13251fcd7c39659ef0610c8

SHA512
b49412bc8ccf00c7f4af28133cf8ac15c769f51d0d4e2022f47403a4cee2d957af319b461c8e0239f25b8fa2971e4d7f4c7a3fa1b9ec0701b9ba3ff9b2e6aebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
557eb308d70de2b21b42eda6286f828a

SHA1
21090454f42d1e390997c6996804c729b859f2e7

SHA256
2108702ccd5e16ebf0878a8f79aacffc52e1f60fd01ab37868a2b270cdc2ece6

SHA512
2b49b57ea8dbf3a9844410ae7afac4f89ddf84638d9712fa4229f2a55000a5e49cc9bf104c9544e03d73424c2033a6d2d6785a9d5953dbed2ff7ba1cb142d9d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1723e0fa3438784a30863636ecd60670

SHA1
da553207a38f7c01fd7a275c324e67d07b0f15a8

SHA256
f3ad90543642b1cefc04baba3f682bd3284f8029278c20c66835d2c394776d3b

SHA512
6f4b6d4435dc74adf942c8613e05c19c943b64fe50d1f09e7cb9f98fa706b591f15721d3232d7dc46d00347b8e09636d78cc1ca818c77f321ff9697a74d7e989

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3fa8cc832f55e08dc4b38ea6577ee15

SHA1
b35e93e6f346064730e43f9c006c397e8726f597

SHA256
637a7b38094ed7e8a9a2f3b27c8cd481a17676a09a3db17efe5f0d673d23798c

SHA512
78d9df183d00354683f9f36a30cf6acfde4c44d462c2a4a5adec23d9e79046bc732bcdc7e1fc682969e4e6a34e789667bc44fe7d060723900bfacea98527489f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b3bc99bc86124fb3963e7aac32fd02f

SHA1
73b3c0ff804b14cffebdd9a48882791ebc8a9494

SHA256
9e41810bba3690774ceabc5efa53c6ca8eb95ccb86b971259243d297c60b1d27

SHA512
a4ef5ad0d8a7cc21ee7d11f514d403a341f5fd3271689a1b058f6a4bfadcd3fd8fd19a01bd499e9470082ff64645e4354eb093b7fb652ae64e4c29805d384a2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77c97f617461459163d9993927acb9d9

SHA1
4a8694bcc7588fbd83ac50aea6d469256e034035

SHA256
19bb20f74fefc0f4b00bf534ed1c1b1db4c075efb42a1900077d067ac979feb5

SHA512
35fe0a87a1dcd8f8e55137e86933e42d0c0f32f552280392f1831a1c7712e51f00c14296deb5d59225c9728392088704c7f42416971cde5a62abee8125e44c74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b175409fe74caa2e41f4b403993201fe

SHA1
3eee748cbd620b867de8781a2deb6c170d64e7a6

SHA256
cd46846cfa7fd320a523398ba75a9fef1f2b3e448a8757f605689b1506a709e0

SHA512
cc12a1cc46f28726eac45d1a7b50cd8a7c5b550d6a117355ce3ff8889ed8b963d697a86b93cb0f947f15adc70c08fae4aea6ea9633513fa92ee8df53dd40bca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d034b890f71f389bff23cb727839b480

SHA1
27f1195922377ff45d3de1958ef3588947ab8787

SHA256
50bf2c57456a1de60a3b930a7caca4c4c4b8e93f7c3501acc80c3f28e743d460

SHA512
944e6f5084ed08859de2e2b414b19181aa88bebcae8c8a231defc2364305162be18ad44bc9f63a263ffeaf0bddb1d2bb7e620f80de3c3ac4659fd30ef633c708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ae4a20598506ff6caec61b7f5e4db3b

SHA1
4c2f6c4b2fa3ada24ddc526ec23853a50ac62439

SHA256
893058ddb113bce794525540f976921f76ee65f2a2903667b6d5229fbdcc0cf5

SHA512
3ec675db272caf50dfac1487cea03dda18cc970a298d5f09608e6494cd96a9315da893f2f63e51a6a4a48ca7d2b6b09796ede0d2ac930806c54deb0870aa00d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0deba53da6aecf3fc7ded18b6099ad8a

SHA1
c34f384fe2e98ebd8262ba7df62bb0ea78e55545

SHA256
ced9bb8071a522a7df23e0b76322989fdeb8364e7c24b0a94292090736175755

SHA512
b408a8285e7b3091e8d5c79c50a83ea2b796418509ab43651518850d0e24e2c89001081bab14e70601c30b3a4a1bb410a8b04d8abe74b9fd22e51e2280669166

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
218B

MD5
6136896774c36b81267affe3f47e20b8

SHA1
81bd393088b9792eb364f6b8305624b5c633e418

SHA256
9e0c45e87f259a2214eb38f56da39640d809ca4b39fcbca8edf436070be1a82b

SHA512
7ce340846b5cd412dc18e9f209ff141a8adfb174ec592c5e0f116d727c312eab1405b5509542a6de266dd0ef1f14c6da89d22abba666a2b0c00ca4745cd3b4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
218B

MD5
083ee670896ef1019ab14b43ef45de20

SHA1
dfcf29a884c34316f58de0c71c71143cb708d7be

SHA256
64ef68755e73cb03d73f598da8f95fe886ee596a137c3909193ee83c51ebf46c

SHA512
451711fafbfbbbaa7cc11fb3284bf16af33bd52d3e06c30a1b6cd02d5e38989fd71c076b933e80858f1cfd748ba381b79ffde65670dfe16994d4a11879eca94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1DB0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FUrPKKMybJ.bat

Filesize
218B

MD5
708fc103d65aaa2843926c7a57aab7db

SHA1
2b9917abddc21bea8dacacc09df5f4cd8c312434

SHA256
941df239830249056482e5404a15a2eb3d38730489dc97371a6fe81ca18000cc

SHA512
35955ce4aa7175c4481e6be4029de5b1082c3eb62487c824bcc819c3f819e820479e288513ecc7ccd9b609b80e0799986a0b9a1d343c051193c7785a21933261

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

Filesize
218B

MD5
7770aea52bb0ddf1522d8fdb346d4d86

SHA1
9f97645df07a180ec6eef7ae0a48ed8fa9991072

SHA256
b569bbd85436665b8ecf936830d8e2ba29f952f1fa066e4d6a010e49ef57ce3d

SHA512
7377f24d1248b20afc1d83d4637903692c8ac3c74c306b56071690af796e7e3fc47679bf85ef224a8b3f9b527201930a30316abd4dc04ee4f80c64b9231f7d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DC3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
218B

MD5
b41cd5b14f95b4772f990d14a4ef5836

SHA1
4d65203ba7c159b0302a51f356f92d3f2d130b9e

SHA256
15ffd6aeaafc5cf3a1e757ca42856fcb1b90c7aa24bca271080a0fa93e153835

SHA512
af847f87fb95494566428c98d469dc5becb48fe5927ec082b9104920ebc05b5fc756f3ed6b1edea421c4af77e6f4f9c4d8012222302f416311f4a7f52e82d70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat

Filesize
218B

MD5
4a9018c42b4c62fcbcc17e6474fbea9c

SHA1
adb88467507f943feef32ae88e905b472ac6024e

SHA256
67e17f947be8ede0c846646bc6e609e373555c86873a964f516e04c4e3b9e3e1

SHA512
5df7e5b5475d686e2a913dab3a47acae363af6d872b997f7eee043e6e312c43e0de3015f629a5fd84db43a5ad96affe9c3a8804cae33c5f297a620dc32b4ed4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat

Filesize
218B

MD5
1457aaf770d8bfff92191ef642743b62

SHA1
eed9d4eaca141d354b7b7bcd0e1f131daf7f4277

SHA256
931b78dfd973b94d994ed2f70f9391615ef8f09b6d03e94ae6c92624e4ba91dc

SHA512
dda6ed55852b80be4f470d1fc6a9d5d77176bc619a580c2ac1e0975f6b321253cd36289f2c46803cce4262257534018e907dcabe3fceb49a64deecdc5a0873c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat

Filesize
218B

MD5
46264804d1c0a611c2e1610eccdcd9e7

SHA1
372a47add8b5484b67c87b271614257292761180

SHA256
10846c27cb35c96e5b2bf67e6741ca67165448e3abec7ea7ad8612fbcf0f1795

SHA512
f856e85a57027c06e4557a7a8ba570eb4da98021f8d8ff4617a75a2ff244b7f5dcdb8e9a5b7defe26e4050cd79850c91d22dedc727a3412e93494dbdd0e6c69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
218B

MD5
3de55edbc37293326a4c6d90efae15e2

SHA1
fefe7fa0d2242baafdd8f24dffed5480ad16b846

SHA256
046119f2ae3a8bfa1d0de344d779cf083449ca516ce79fd42cd5a172ff3e2df2

SHA512
46d1c0d48559c231cdd21a946131de494107023bb2e6bcbb5e7d9ab3eb7b89dd81fc15d6b9fa145e18a68468e0633772241b3b571acc7025cdc36d2fed26fc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat

Filesize
218B

MD5
1588fb5bbb6279e445437d17d4971d07

SHA1
be112b4bbf52329f25c00e0096a9b5fe8445713a

SHA256
110cd6b42b82d6069dee828983da980711cfcaba45d81bb2c3089a89fdec0f0c

SHA512
58204d846879930f1965deffc53496f09dc656730978d0ca8340f2abb9c0a760d6664dd0d886cb03732ba49aa594e0c03e23309d689fe913b11a547b097b7115

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
218B

MD5
dfc9e3493028afddd0effb1eebbeea9c

SHA1
05535d9f2c30466d47695303786b414368e227db

SHA256
e92004dd751fdaa39ed47869349f12cc5486c1491fa2b6c6bb0ae3e43a7ba9a6

SHA512
9386ae3232b73d62df96e712f0946e4d0ffd3d6bd95c5056f335d322a212747235931652060b86112c104cc6a459c18eeb9d75dde7a1e692307264659596320c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat

Filesize
218B

MD5
1f4c70d8aa85c933b5aa3f58faca2d50

SHA1
25b291926972d621c8b65ab5d68803647923b569

SHA256
b96148c59f208b6a058fd29e01524809ae1f060e7134de4255706fb302243059

SHA512
32f789f39e0df83f2f6b183419512d5e7eefde68413668df47c016d180d107ca9d4218f106c989c8d7e94607f4ce16e4838b1a540f572ec48d457fdf8fb62c53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c6380b7107b9c77e09c9d994f2d53342

SHA1
4e5925c426da50c8ffe3e98b13589d158efb7eae

SHA256
510a87b5f1a5b2a1c5ba961080a98c1e8d66f2860490383f13fcce508eed311d

SHA512
be0effcd6dfe044099eb08ad7fe4f6d6b221a2b22432fecbddd512e6bfa0310f7d83e318e9248d23eee836362eefa73dfb75e07d66a9872e230cc0ab86790f29

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/936-635-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/1216-215-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1588-156-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2068-515-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download
memory/2172-394-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2176-454-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2176-455-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2360-816-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2360-815-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2460-575-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2520-13-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2520-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2520-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2520-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2520-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2756-89-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2836-90-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2936-334-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2952-754-0x00000000009D0000-0x0000000000AE0000-memory.dmp

Filesize
1.1MB

Download
memory/2952-755-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download