dcrat | e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba.exe
Size

1.3MB
MD5

3515a2c22c5806faabf5cf995ea139b3
SHA1

085e962a959cd994b4754453f4142ed08d3f7cc9
SHA256

e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba
SHA512

64e47cdff3814e2d70b0bf117aa097cfb89d274849795a0b8ebae39c7202a9ebb3f1c4539519a2202586a7426472ce084e4f3cd30adb92d66d5f4c3d93ca532d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2724	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018634-10.dat	dcrat
behavioral1/memory/2456-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/2712-164-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/1808-223-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/2860-283-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2080-343-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2792-404-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2688-464-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/1768-524-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/2728-584-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/556-645-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/1308-705-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/2964-765-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2952	powershell.exe
2668	powershell.exe
2940	powershell.exe
2212	powershell.exe
1772	powershell.exe
1476	powershell.exe
2956	powershell.exe
2212	powershell.exe
2692	powershell.exe
2968	powershell.exe
2624	powershell.exe
1108	powershell.exe
2780	powershell.exe
2976	powershell.exe
2680	powershell.exe
2720	powershell.exe
1720	powershell.exe
2368	powershell.exe
2668	powershell.exe
1136	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2456	DllCommonsvc.exe
2312	DllCommonsvc.exe
2712	taskhost.exe
1808	taskhost.exe
2860	taskhost.exe
2080	taskhost.exe
2792	taskhost.exe
2688	taskhost.exe
1768	taskhost.exe
2728	taskhost.exe
556	taskhost.exe
1308	taskhost.exe
2964	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	cmd.exe
2364	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\taskhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\system\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\cc11b995f2a76d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2996	schtasks.exe
1760	schtasks.exe
2320	schtasks.exe
444	schtasks.exe
1480	schtasks.exe
2516	schtasks.exe
2132	schtasks.exe
1944	schtasks.exe
2532	schtasks.exe
2196	schtasks.exe
2948	schtasks.exe
1032	schtasks.exe
1552	schtasks.exe
3040	schtasks.exe
2604	schtasks.exe
2860	schtasks.exe
2624	schtasks.exe
1092	schtasks.exe
1348	schtasks.exe
1604	schtasks.exe
2716	schtasks.exe
2692	schtasks.exe
1448	schtasks.exe
2656	schtasks.exe
1596	schtasks.exe
2304	schtasks.exe
3068	schtasks.exe
2620	schtasks.exe
2812	schtasks.exe
852	schtasks.exe
1868	schtasks.exe
2684	schtasks.exe
2900	schtasks.exe
2972	schtasks.exe
2248	schtasks.exe
2716	schtasks.exe
1444	schtasks.exe
1076	schtasks.exe
2004	schtasks.exe
3020	schtasks.exe
1044	schtasks.exe
556	schtasks.exe
1812	schtasks.exe
2916	schtasks.exe
2076	schtasks.exe
2060	schtasks.exe
1640	schtasks.exe
2264	schtasks.exe
1636	schtasks.exe
2384	schtasks.exe
2832	schtasks.exe
2576	schtasks.exe
304	schtasks.exe
2344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2456	DllCommonsvc.exe
2720	powershell.exe
2668	powershell.exe
2212	powershell.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2312	DllCommonsvc.exe
2968	powershell.exe
1720	powershell.exe
1772	powershell.exe
2940	powershell.exe
2692	powershell.exe
2668	powershell.exe
2956	powershell.exe
2368	powershell.exe
1476	powershell.exe
1136	powershell.exe
2976	powershell.exe
2212	powershell.exe
1108	powershell.exe
2624	powershell.exe
2680	powershell.exe
2780	powershell.exe
2952	powershell.exe
2712	taskhost.exe
1808	taskhost.exe
2860	taskhost.exe
2080	taskhost.exe
2792	taskhost.exe
2688	taskhost.exe
1768	taskhost.exe
2728	taskhost.exe
556	taskhost.exe
1308	taskhost.exe
2964	taskhost.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	DllCommonsvc.exe
Token: SeDebugPrivilege	2312	DllCommonsvc.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2712	taskhost.exe
Token: SeDebugPrivilege	1808	taskhost.exe
Token: SeDebugPrivilege	2860	taskhost.exe
Token: SeDebugPrivilege	2080	taskhost.exe
Token: SeDebugPrivilege	2792	taskhost.exe
Token: SeDebugPrivilege	2688	taskhost.exe
Token: SeDebugPrivilege	1768	taskhost.exe
Token: SeDebugPrivilege	2728	taskhost.exe
Token: SeDebugPrivilege	556	taskhost.exe
Token: SeDebugPrivilege	1308	taskhost.exe
Token: SeDebugPrivilege	2964	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2524	1244	JaffaCakes118_e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba.exe	30
PID 1244 wrote to memory of 2524	1244	JaffaCakes118_e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba.exe	30
PID 1244 wrote to memory of 2524	1244	JaffaCakes118_e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba.exe	30
PID 1244 wrote to memory of 2524	1244	JaffaCakes118_e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba.exe	30
PID 2524 wrote to memory of 2364	2524	WScript.exe	31
PID 2524 wrote to memory of 2364	2524	WScript.exe	31
PID 2524 wrote to memory of 2364	2524	WScript.exe	31
PID 2524 wrote to memory of 2364	2524	WScript.exe	31
PID 2364 wrote to memory of 2456	2364	cmd.exe	33
PID 2364 wrote to memory of 2456	2364	cmd.exe	33
PID 2364 wrote to memory of 2456	2364	cmd.exe	33
PID 2364 wrote to memory of 2456	2364	cmd.exe	33
PID 2456 wrote to memory of 2668	2456	DllCommonsvc.exe	41
PID 2456 wrote to memory of 2668	2456	DllCommonsvc.exe	41
PID 2456 wrote to memory of 2668	2456	DllCommonsvc.exe	41
PID 2456 wrote to memory of 2720	2456	DllCommonsvc.exe	42
PID 2456 wrote to memory of 2720	2456	DllCommonsvc.exe	42
PID 2456 wrote to memory of 2720	2456	DllCommonsvc.exe	42
PID 2456 wrote to memory of 2212	2456	DllCommonsvc.exe	43
PID 2456 wrote to memory of 2212	2456	DllCommonsvc.exe	43
PID 2456 wrote to memory of 2212	2456	DllCommonsvc.exe	43
PID 2456 wrote to memory of 2312	2456	DllCommonsvc.exe	47
PID 2456 wrote to memory of 2312	2456	DllCommonsvc.exe	47
PID 2456 wrote to memory of 2312	2456	DllCommonsvc.exe	47
PID 2312 wrote to memory of 2692	2312	DllCommonsvc.exe	97
PID 2312 wrote to memory of 2692	2312	DllCommonsvc.exe	97
PID 2312 wrote to memory of 2692	2312	DllCommonsvc.exe	97
PID 2312 wrote to memory of 2680	2312	DllCommonsvc.exe	98
PID 2312 wrote to memory of 2680	2312	DllCommonsvc.exe	98
PID 2312 wrote to memory of 2680	2312	DllCommonsvc.exe	98
PID 2312 wrote to memory of 2624	2312	DllCommonsvc.exe	99
PID 2312 wrote to memory of 2624	2312	DllCommonsvc.exe	99
PID 2312 wrote to memory of 2624	2312	DllCommonsvc.exe	99
PID 2312 wrote to memory of 1772	2312	DllCommonsvc.exe	100
PID 2312 wrote to memory of 1772	2312	DllCommonsvc.exe	100
PID 2312 wrote to memory of 1772	2312	DllCommonsvc.exe	100
PID 2312 wrote to memory of 2940	2312	DllCommonsvc.exe	101
PID 2312 wrote to memory of 2940	2312	DllCommonsvc.exe	101
PID 2312 wrote to memory of 2940	2312	DllCommonsvc.exe	101
PID 2312 wrote to memory of 1720	2312	DllCommonsvc.exe	102
PID 2312 wrote to memory of 1720	2312	DllCommonsvc.exe	102
PID 2312 wrote to memory of 1720	2312	DllCommonsvc.exe	102
PID 2312 wrote to memory of 2780	2312	DllCommonsvc.exe	103
PID 2312 wrote to memory of 2780	2312	DllCommonsvc.exe	103
PID 2312 wrote to memory of 2780	2312	DllCommonsvc.exe	103
PID 2312 wrote to memory of 2976	2312	DllCommonsvc.exe	104
PID 2312 wrote to memory of 2976	2312	DllCommonsvc.exe	104
PID 2312 wrote to memory of 2976	2312	DllCommonsvc.exe	104
PID 2312 wrote to memory of 2968	2312	DllCommonsvc.exe	106
PID 2312 wrote to memory of 2968	2312	DllCommonsvc.exe	106
PID 2312 wrote to memory of 2968	2312	DllCommonsvc.exe	106
PID 2312 wrote to memory of 2212	2312	DllCommonsvc.exe	108
PID 2312 wrote to memory of 2212	2312	DllCommonsvc.exe	108
PID 2312 wrote to memory of 2212	2312	DllCommonsvc.exe	108
PID 2312 wrote to memory of 1108	2312	DllCommonsvc.exe	110
PID 2312 wrote to memory of 1108	2312	DllCommonsvc.exe	110
PID 2312 wrote to memory of 1108	2312	DllCommonsvc.exe	110
PID 2312 wrote to memory of 1476	2312	DllCommonsvc.exe	111
PID 2312 wrote to memory of 1476	2312	DllCommonsvc.exe	111
PID 2312 wrote to memory of 1476	2312	DllCommonsvc.exe	111
PID 2312 wrote to memory of 2956	2312	DllCommonsvc.exe	112
PID 2312 wrote to memory of 2956	2312	DllCommonsvc.exe	112
PID 2312 wrote to memory of 2956	2312	DllCommonsvc.exe	112
PID 2312 wrote to memory of 2368	2312	DllCommonsvc.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5ad122396e9ce99baecbdc6bf4b9a63e59f87091c527ce839883022975a90ba.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\taskhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\taskhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mniRqRLGTz.bat"
        6⤵
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:824
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        8⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
        10⤵
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:568
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat"
        12⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1092
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
        14⤵
        
        PID:1852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1196
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        16⤵
        
        PID:832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1064
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        18⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1640
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        20⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2868
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        22⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2140
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        24⤵
        
        PID:316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1108
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
        26⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft Office\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Office\taskhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\system\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfb0cc7642497b8b2088fd574a7e5bc5

SHA1
50e2647144c2426dbf883b69ba0e944a00754d45

SHA256
9ab071c30b197cf2eeca35750dab51930dbd41698535c0d9005e14d7ed231c63

SHA512
11701194a295586e06c0ce81517a2bc081c99bb742c9025f8670cab7dba44d1b9e8fdab9d93def7776157775a9af436a7eff05f0eed24d021cd646ec4b8f040e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
015998224b0635dd8b261a1670e04621

SHA1
794c2f129308859daa977a2b37e21d7487077cda

SHA256
00d4d84867b9337642aece9a5723b4b3b0aee1e3127b78ceca465ad086b33bba

SHA512
72b35e2e723a627ce972e292e78780675c0f6f893b9e570dcbae322c469f19c5755ce15d35b95b4bd3ff26870df8d6b784c077fcacd59bcf3ecd4100278865ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f72e3ddae30fe265116c98b63c8bd92b

SHA1
60cbd4f4fa2bf481891394b72646a305a8c7c9e0

SHA256
29122de8506b062c799061e3052e51e45df2fbbf3c01b59103eeb966a95e38e5

SHA512
ceedc091c2eee944568f5788c2b31dbcaf0106cee3543b6a3a51f04ccbaf7cd041ef404adc97358e389c84b1164f9fc506206e7426d9cb0689f318d5b2302312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
594f8bd336cb7ea3042cbfce47d875f4

SHA1
93732eb2bb41499de5deb9f675b993e514210d41

SHA256
485b8e847e992a04a01f3f644daa2a9abc7ea7d634e621845350f7abdf9cc6aa

SHA512
96ce2bcf0468481b8fd3445b1f8fe6997e8e70dfc26890f1cda18b299d60cdfdd780bfd6a34d3899d39fef81187bd481b55eb84ef4010ec36176a40809f8be77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feab14d12b013f28dfbce6fdd7c2b745

SHA1
16951f2e269f1268041beee204a82ada05b6939e

SHA256
874ff75a09b484e59166f0876e6747c7791b9fecf3dc83b3847dd7de7a8c4a89

SHA512
7705fff9788bd0858d036c3b971b9bbe25e8a1984d6f8f56f4b47144b06b10baf6b77962e7d75f4cfee1bd3fd4859fae3308acfb2e228e35753d75536da4c95e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
265ba008d959b7e819c4f09ab8c3f6b6

SHA1
4511d7696a81549df22f0d5a41f3f69bac7190b5

SHA256
5d3eb62b9c59c73d3a48e7acdab4d9b1f119c61e3750de79ff22bfd8881e8ac3

SHA512
65f32a477c3112414f2f2cc2f84d9396cb0ea4b6744c29101cd21417df9e0e52613cd95fce20973289a755198424b4479470e03c8a53cd34c808188766af1102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6c22bdc7b29a452e80667740d0afde8

SHA1
d62bee67900e98c3adddac875f94e83e9194ba9b

SHA256
ddb52b6219ea58b2b498726406c51f2536edd00b538aa8334061361f719055a8

SHA512
a96fb5ac72da8323a2690c1d77a77aeafb453d3acdb642f6ba139ae51046fb03ab01f080a51316bdd18f650c2ad11be25a04204dd84e232b1ade9b00623050fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22a1a070c9abb9656ae710bd9014adaa

SHA1
8a9e8fa15238b54ae8b6f4303bdcb5727a226285

SHA256
9eb52929c5b506bb2924b58289536cf5e1a160c6d2cd59f3f711206f12fcf601

SHA512
454ad8c8aecc56f31aaf5d5c7f9acceb448055f8b6fa44221c6e21b3e21201766334dd768d41de9de91ab8249a4f3c34ebae9976cb46c940d64c080f6e2212ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c85b7fde1152c163f2714d7ab6c191f9

SHA1
7f6c39f20d5f604dd36c0f45cd2ae577581712d5

SHA256
745b9eae8ab32cf88694cd2c30181a3afcdb586307c5a98ad7655caa10ac3074

SHA512
18bf267c84abfcacc021b106401a0eb851269a4f3462c9fff08be93c0dc67873d4c7104146f124e50ae2e9971f5000243f7b96fb1137a5d2ac737da99cd2dfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2pbp0wsTa1.bat

Filesize
217B

MD5
c1443377eba0c044cb943bf0e4a303d8

SHA1
4ae12b936740caf1c35a7672639250bdf253de2a

SHA256
a6a8ba9ce2475ec5bd08c5f012b70bffe672e311410f0df917ef7fe931648628

SHA512
62845cff70f1501a40cc85954f727aa0455bc860701d4ad6f0e8fcf22c14f410d67621fe00ff2d546a47fdcf5dd22dd0468ee5534daf6951f725c123eea31d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

Filesize
217B

MD5
6bb4b4090f92b702bc371e1da8950817

SHA1
8cb475a109a1cbc758ef637fcbb1a68ef3af0530

SHA256
25c6f45c6872984a42c8d1a377b786c00d4f4f75ab0488fb6d717ce583f24c8a

SHA512
8b781598a286e35ff030caaf59d865300b4a04244aeee2ba88c31d42a4ed67f9f35bd44dd3b9c72bb55b5a15bae92589135a0ca51125506d3a10d40f8b506e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1BBD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
217B

MD5
71893ec1c3bdf5f6c85658f43052aff0

SHA1
94dd0cf42f7ad29c0924bb32c1ea049031c33235

SHA256
776760914dc0ae5fba2085a449108349cd88e440941e664ab8aacd8408f18bb9

SHA512
7d14b37ee6c08c724e664342fe49966574f25dc990e24afd11a61d55aad02320506ae93d503be3b68e23812dfddb53c33cf4c92c3076a16734913f5917c14c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BEF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
217B

MD5
681acfd249d74f99075443010cb9a8e3

SHA1
8056054cb788a77575687f8f90115fd90971447d

SHA256
3408c02abc27568e10b549558dcf79c328a6f4bd446ef5be9b2a361d55c1db27

SHA512
6f3d90483704de5f13ea87609899778b3f3a8a04d2d78206ae93ff43283c463df7d03bebb55afcc7cd389c7b538bc0bd94a15e6d0ffaec06779314a7811013ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

Filesize
217B

MD5
9c7fd98f12ad1a1776ab6545a90032b3

SHA1
46f531f2811618c58d85afbb64cac9387427b8b9

SHA256
cc07e4a86c5656be34fd4f0c6de90fca57982f10680645fe80a26330fecab47b

SHA512
e9a6b94997dc977e08d72f7bf5f101f23b4370bf8fd793878f41a65417737fde0c5bdebd3a55f49fedadda4c74fd51e8c07fc7b20af53966cc30a814dcd8a090

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
217B

MD5
a564ae964ae2c3671080ef3e67b66476

SHA1
81efb2ef8aa117695d594ef7692bf1d3aa6278a4

SHA256
2aeef8fdd7f8eb0723199707861a5fdbb336d9b19ec07404d2dc554f414dc097

SHA512
80b0b94d833e26f2c9eeb5845a028777f4eabf2bb55d5c93419938f3c8bbf0b47a8d5f905a7b754a7eb165599591f4e40da303a1bd06bb0193c849b80d0aa30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mniRqRLGTz.bat

Filesize
217B

MD5
d2e92293df6a2d7696bca9cb4aec757d

SHA1
c1c21508ef5cf728b3e6d76942e21658b7fec963

SHA256
6809d83c391caa7d0b1bd518c4b11e393119f25631fb13e4c5200ce9413bf525

SHA512
d11c92dbcc680e9c88f3f8cdb2aaf1764ff127dabfb4f79bc5ae4bfce3dfc702622c516e0ca325d9030f2060a2c4f3f96b0e1f81debc4ae8ff59f745c7637a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
217B

MD5
fe6bb89797034fd2598ed7d118f7d299

SHA1
a9fa57844f3281be7ba9c35ca8bb691fe41348df

SHA256
32ee36bfa6fd0045d3ab6fe2de36226f552afc879190926f4119b504ac28a4b1

SHA512
eb6e21db8327ffdb71a0f60c7e0dab7987d5d04b76636fe22ef00c8a2da7f67f9b3bb7f8d82581902570782deeebfdbe3f45973fee23982b703072e0e91feb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

Filesize
217B

MD5
b2dd4386f395e4cfb0e1db7acaff5e46

SHA1
e54201e584277a85b3bd15de9c550adafeb48585

SHA256
29a2ad8402594298dc1a50a3021af40052144183097428444b759eb36f801a2d

SHA512
00eff38cba1db952860802f4bc1fdc8e8bf118952494fd32e80eb66f297adfb55ecbfb1313e422852ffdbf4bf3f940cd50d7979b2099ce9a5641f591cdbc40d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
217B

MD5
8d3aaa845acf4cc766f21eb6f0b3b03b

SHA1
7ec8588b47b2dcead636a6bbc1f4a450a8db8bb3

SHA256
3a1c238ba91e1b7c31dcf456e8922ab4742fad5de55007704844ee30b9fdba47

SHA512
7bd00878b7e3e8ff2520ec169232101f52a856405919385a936ad1937c66d8547063a5a4a4efac056bb9c8aff1ac230cf0bdc03a549a9dd8e174519fb8077c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
217B

MD5
eeb91ccdefa3eb5265eaafbb28f31cdb

SHA1
675f48de95aaded9983dbf67b62858ffdd1eff5e

SHA256
75b33ca3072ff7157ca7116b8ebf21bf71679ae48688e4ac1f98d906d89144e2

SHA512
37a5054417ae78ca11ec2cf8b0372395d3f74af24f81618641bb57123dd24b849d95face75d050f0e6feeebfc83d40d139c260da614c7b54d7feaf35ed5ec775

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5ce78a8417d01c0d0b7fee8bdb13149c

SHA1
d809f7cc5d49fa50242cf5e0e5fca9eee359c57a

SHA256
b31a6483d48fd1d1ee1ffa7b46a31de4def8a47ae93b514d9f1e55fbbcac88c7

SHA512
8ee6aaaa27c80f9218cffb5c0f9b79accccd40716f020bea6c6c5ea8ec58d293bc8e3f690bcc80f6ef2f64589f399b63ecac52733c6558bef1a60780e3f1e2c9

Download Submit
C:\providercommon\1610b97d3ab4a7

Filesize
181B

MD5
569497a1e276101dc1b9e4601eff3c64

SHA1
1e639eced65f1a933d0d59d79329fd4996984efe

SHA256
98ac929034301b96ddd62e08e8c48227b630cdacba6a61fa13e735ec3f7446a4

SHA512
209cc36501df8268f0e733822be8e00b0969ee6a22d9953dd19dac7d75b7d826d6147ae764ef2cdc5f30617261a46e4445018118c9c9572197e8c5eda7f3719a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/556-645-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1308-705-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/1768-524-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/1772-88-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1808-223-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/2080-343-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2080-344-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2456-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2456-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2456-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2456-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2456-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/2668-37-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-464-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/2712-164-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/2720-38-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/2728-585-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2728-584-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2792-404-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2860-283-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2964-765-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download
memory/2968-98-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download