dcrat | 60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43.exe
Size

1.3MB
MD5

f837438076c31b473a7e5d9aa65aca7f
SHA1

04f7f9142bcf479df0443266bd0a66e360b5fbf4
SHA256

60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43
SHA512

928f5d609a93efaaf66f9487df05ec1c654be9a8d10ebcd46c60d42aae619c760d306d46a9e1c6e8dd08f1723e056a9e5f3bac9ed6b91a6a8bb967ac5cc4a53e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2980	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016e74-9.dat	dcrat
behavioral1/memory/568-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/1880-159-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat
behavioral1/memory/2724-218-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/1688-278-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2844-338-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/600-517-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2172-577-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/1892-637-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/2060-756-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2956-817-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe
2600	powershell.exe
2588	powershell.exe
1632	powershell.exe
2028	powershell.exe
2604	powershell.exe
2932	powershell.exe
2728	powershell.exe
1064	powershell.exe
1904	powershell.exe
2564	powershell.exe
2724	powershell.exe
1680	powershell.exe
2648	powershell.exe
1156	powershell.exe
2628	powershell.exe
2880	powershell.exe
2576	powershell.exe
2688	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
568	DllCommonsvc.exe
1880	smss.exe
2724	smss.exe
1688	smss.exe
2844	smss.exe
1860	smss.exe
3032	smss.exe
600	smss.exe
2172	smss.exe
1892	smss.exe
2244	smss.exe
2060	smss.exe
2956	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
108	cmd.exe
108	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
23	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\System.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Tasks\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2460	schtasks.exe
2924	schtasks.exe
2604	schtasks.exe
1724	schtasks.exe
856	schtasks.exe
1272	schtasks.exe
1880	schtasks.exe
2096	schtasks.exe
2620	schtasks.exe
2884	schtasks.exe
2024	schtasks.exe
2944	schtasks.exe
2268	schtasks.exe
1736	schtasks.exe
1240	schtasks.exe
1712	schtasks.exe
2368	schtasks.exe
3000	schtasks.exe
2456	schtasks.exe
2960	schtasks.exe
444	schtasks.exe
1796	schtasks.exe
1060	schtasks.exe
2444	schtasks.exe
988	schtasks.exe
1668	schtasks.exe
1884	schtasks.exe
616	schtasks.exe
744	schtasks.exe
2712	schtasks.exe
2576	schtasks.exe
736	schtasks.exe
3020	schtasks.exe
1304	schtasks.exe
976	schtasks.exe
2844	schtasks.exe
3044	schtasks.exe
2840	schtasks.exe
2132	schtasks.exe
1380	schtasks.exe
2508	schtasks.exe
2964	schtasks.exe
1872	schtasks.exe
2224	schtasks.exe
1764	schtasks.exe
560	schtasks.exe
2068	schtasks.exe
1440	schtasks.exe
1336	schtasks.exe
2796	schtasks.exe
2076	schtasks.exe
2172	schtasks.exe
2468	schtasks.exe
2380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
568	DllCommonsvc.exe
2028	powershell.exe
2932	powershell.exe
2680	powershell.exe
2588	powershell.exe
2688	powershell.exe
2728	powershell.exe
2576	powershell.exe
2724	powershell.exe
1064	powershell.exe
2880	powershell.exe
2604	powershell.exe
1632	powershell.exe
1904	powershell.exe
2564	powershell.exe
1680	powershell.exe
2648	powershell.exe
2600	powershell.exe
2628	powershell.exe
1156	powershell.exe
1880	smss.exe
2724	smss.exe
1688	smss.exe
2844	smss.exe
1860	smss.exe
3032	smss.exe
600	smss.exe
2172	smss.exe
1892	smss.exe
2244	smss.exe
2060	smss.exe
2956	smss.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	DllCommonsvc.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1880	smss.exe
Token: SeDebugPrivilege	2724	smss.exe
Token: SeDebugPrivilege	1688	smss.exe
Token: SeDebugPrivilege	2844	smss.exe
Token: SeDebugPrivilege	1860	smss.exe
Token: SeDebugPrivilege	3032	smss.exe
Token: SeDebugPrivilege	600	smss.exe
Token: SeDebugPrivilege	2172	smss.exe
Token: SeDebugPrivilege	1892	smss.exe
Token: SeDebugPrivilege	2244	smss.exe
Token: SeDebugPrivilege	2060	smss.exe
Token: SeDebugPrivilege	2956	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 744	1920	JaffaCakes118_60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43.exe	31
PID 1920 wrote to memory of 744	1920	JaffaCakes118_60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43.exe	31
PID 1920 wrote to memory of 744	1920	JaffaCakes118_60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43.exe	31
PID 1920 wrote to memory of 744	1920	JaffaCakes118_60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43.exe	31
PID 744 wrote to memory of 108	744	WScript.exe	32
PID 744 wrote to memory of 108	744	WScript.exe	32
PID 744 wrote to memory of 108	744	WScript.exe	32
PID 744 wrote to memory of 108	744	WScript.exe	32
PID 108 wrote to memory of 568	108	cmd.exe	34
PID 108 wrote to memory of 568	108	cmd.exe	34
PID 108 wrote to memory of 568	108	cmd.exe	34
PID 108 wrote to memory of 568	108	cmd.exe	34
PID 568 wrote to memory of 2680	568	DllCommonsvc.exe	90
PID 568 wrote to memory of 2680	568	DllCommonsvc.exe	90
PID 568 wrote to memory of 2680	568	DllCommonsvc.exe	90
PID 568 wrote to memory of 2724	568	DllCommonsvc.exe	91
PID 568 wrote to memory of 2724	568	DllCommonsvc.exe	91
PID 568 wrote to memory of 2724	568	DllCommonsvc.exe	91
PID 568 wrote to memory of 2728	568	DllCommonsvc.exe	92
PID 568 wrote to memory of 2728	568	DllCommonsvc.exe	92
PID 568 wrote to memory of 2728	568	DllCommonsvc.exe	92
PID 568 wrote to memory of 2932	568	DllCommonsvc.exe	95
PID 568 wrote to memory of 2932	568	DllCommonsvc.exe	95
PID 568 wrote to memory of 2932	568	DllCommonsvc.exe	95
PID 568 wrote to memory of 2600	568	DllCommonsvc.exe	96
PID 568 wrote to memory of 2600	568	DllCommonsvc.exe	96
PID 568 wrote to memory of 2600	568	DllCommonsvc.exe	96
PID 568 wrote to memory of 2688	568	DllCommonsvc.exe	97
PID 568 wrote to memory of 2688	568	DllCommonsvc.exe	97
PID 568 wrote to memory of 2688	568	DllCommonsvc.exe	97
PID 568 wrote to memory of 2880	568	DllCommonsvc.exe	98
PID 568 wrote to memory of 2880	568	DllCommonsvc.exe	98
PID 568 wrote to memory of 2880	568	DllCommonsvc.exe	98
PID 568 wrote to memory of 2588	568	DllCommonsvc.exe	99
PID 568 wrote to memory of 2588	568	DllCommonsvc.exe	99
PID 568 wrote to memory of 2588	568	DllCommonsvc.exe	99
PID 568 wrote to memory of 2648	568	DllCommonsvc.exe	100
PID 568 wrote to memory of 2648	568	DllCommonsvc.exe	100
PID 568 wrote to memory of 2648	568	DllCommonsvc.exe	100
PID 568 wrote to memory of 2628	568	DllCommonsvc.exe	102
PID 568 wrote to memory of 2628	568	DllCommonsvc.exe	102
PID 568 wrote to memory of 2628	568	DllCommonsvc.exe	102
PID 568 wrote to memory of 1156	568	DllCommonsvc.exe	104
PID 568 wrote to memory of 1156	568	DllCommonsvc.exe	104
PID 568 wrote to memory of 1156	568	DllCommonsvc.exe	104
PID 568 wrote to memory of 2604	568	DllCommonsvc.exe	106
PID 568 wrote to memory of 2604	568	DllCommonsvc.exe	106
PID 568 wrote to memory of 2604	568	DllCommonsvc.exe	106
PID 568 wrote to memory of 2028	568	DllCommonsvc.exe	107
PID 568 wrote to memory of 2028	568	DllCommonsvc.exe	107
PID 568 wrote to memory of 2028	568	DllCommonsvc.exe	107
PID 568 wrote to memory of 2564	568	DllCommonsvc.exe	108
PID 568 wrote to memory of 2564	568	DllCommonsvc.exe	108
PID 568 wrote to memory of 2564	568	DllCommonsvc.exe	108
PID 568 wrote to memory of 1904	568	DllCommonsvc.exe	109
PID 568 wrote to memory of 1904	568	DllCommonsvc.exe	109
PID 568 wrote to memory of 1904	568	DllCommonsvc.exe	109
PID 568 wrote to memory of 1680	568	DllCommonsvc.exe	110
PID 568 wrote to memory of 1680	568	DllCommonsvc.exe	110
PID 568 wrote to memory of 1680	568	DllCommonsvc.exe	110
PID 568 wrote to memory of 2576	568	DllCommonsvc.exe	111
PID 568 wrote to memory of 2576	568	DllCommonsvc.exe	111
PID 568 wrote to memory of 2576	568	DllCommonsvc.exe	111
PID 568 wrote to memory of 1064	568	DllCommonsvc.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60d8e73a791882333ba7c35de391863b33e3f7f873fd7d89b9afa5b0225eac43.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gt2U4zX4U5.bat"
        5⤵
        
        PID:2764
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1696
      - C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat"
        7⤵
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:680
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
        9⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:876
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
        11⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2628
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
        13⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2172
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
        15⤵
        
        PID:1184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1904
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"
        17⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2764
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        19⤵
        
        PID:1852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2292
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
        21⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:896
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        23⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1728
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        25⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2268
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        27⤵
        
        PID:856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1304
        
        C:\MSOCache\All Users\smss.exe
        
        "C:\MSOCache\All Users\smss.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72287f06eb09f4d791b337a5ac7c6b9f

SHA1
e125834ca58a7b3770551cac95f3326119e54680

SHA256
8817ee377584bdd8f3002bfd37fc9d9fd85f65e0d13e3c7e67c042f3400ca6c2

SHA512
053a5dbe89d91316710132145f6d6a5ae1ef8f608a5238a06319e916cba9c5a0edfcd2c3ad1a778b94463e9548d46ef89f15d04b7a229908c17c15dac7e65105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12b8424ab934fb0518852abfbc2e87e5

SHA1
9c6187f6704c325740b3bff937cafdb6b56705dd

SHA256
7689e209b93bec1cf2071cb7dc38b279040eabd0c7cd53512727f5bfbbb8e79c

SHA512
49233f889035b5c63d4df2c5c4a0aaec108c679657a7a075dcf3132c5f052702a2d3cd31e44a272a06e7a7ce05269d7eb9f1ddc1e221a94593097085c0fb1337

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f989846f30b290ca04c65d403aa82e76

SHA1
a3b01538bb4a8143a501f82352603e25e5a04212

SHA256
7b5b5054398ae4ef6c4514073e344094b110f6a90f4c058173249b2f875459c4

SHA512
b432c4dc1c1c335ab4dcb17686a7bfc370543ae763e5658b6167f1429760a2b5228e0d6078e8f448495f330ffb02abe5318dd811a6b7566f37b187c5e7ddc6a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1ccf962448206cea712bcdfb3be45b1

SHA1
48e4776943a1a40af4e165f270ec2f3917bee047

SHA256
8bfb62f5291ecd598e01c5338181384248a14cec3ef2e920dbda1692ceb8ecca

SHA512
76a900b10f9aec31c3313c9394d58a31da82c8520c95841841564099c475d60d94c552ab95fe6e88d47a94784bc8965b14d2648a24a92f9cb3db8e79d51ad8c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f37a873889da000691cb0de0562e0f06

SHA1
162e46b58bf42fd2303c69bf93fa1b7b4f1b40fa

SHA256
ebd29194c699f95967bf3b2b42c4c25a4281279cdd3a3772c1ca70c5977997dd

SHA512
bb2fbf4caeb6c4ed497350251abfaf1976e3bc8e39be5766c9ed50a65bc8caed8499cd3790ca9e8cfc88c3bb61e8fead48aabde19d54809962232360066e99c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bfcee6e0051fd616011d2ed5027f67d

SHA1
33a63a2b04b37994952614474879db2e3a97710c

SHA256
472603f4d49b9ac2b8876e6f59564dd7f252c809556fcbe762f5c039c28d2fe2

SHA512
fc57d9c1f36dd2c038d64c8b46ebf41b1b4b8f50f40672924ae710f2c88ed6cc66fc8d69b68508585e78d158d29e8f07c2b10455e48fac738b95068df5719063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3959fdd8a1e6baa68823f61f99480b75

SHA1
9cd96cceea43c72406140c33241a00c6eb146a08

SHA256
b0a83952a18c63e7e76de9cf96031b1945025869449091d60ea9685e0553bb7b

SHA512
b565d60fe24934e5c0925bc03c61e9d098dc21d845242c88fc157aa96fb436d2db68381c896bbb39fe31dde6ab0c12caab80bd626e6fb743660febc8a029ec2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af9b00daceb1480cab13961d7d5f65a2

SHA1
05e32193eb36a771b79f84429203e2b1af46c80c

SHA256
f615de85106d61209936684b8a53e5a4ea5581d21a3e0ba91858f1080592b8a0

SHA512
cce42955e39072b303077ac5ecfd0984d5b3d3c8df5a9b18a4ed10c7e19a53b412eaed8843fa8a941408f4bcd1f7a3a08f7dfd7e930fe246d5f06e8009dd8b11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c675198884eb39dcaac4c2eb89d1da8

SHA1
efd4c896e21f360fe277eea6dd46ad1387284cf6

SHA256
c83f2fc56f869b9985055cc2073d3c6cbcad06ac6431cc02b123b9247b41e374

SHA512
bca8e7d95461ccb152ecdbcf303fbdacf1bc350e2506c445c07d2ca10d98b0b1b9c6781c84775c1e34e362e1a872f3aef79bb06547ca2857442262d4bc2bab82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afb388da852d532c55011ddd6d553095

SHA1
2044d5a4375fe825edfe53ee5e36c0cb70c48d07

SHA256
3472f6a2070909cf5ddf55856177c1a5943195388bf22006cd6fb4cc8c04b986

SHA512
0aedcfd3dffaafc00eb98d599d674e8f3db18d570ebc3d3b3653052a5698e873e5830896ba9d514cd736ed39cf505d2a7399ca48355915cbbb52d0fa09865ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
195B

MD5
8ff2379f9f4458c20728a16576da77d3

SHA1
313bd214d20de7b544b382049a12ea26613411df

SHA256
2a9042f2e60297eed7eb9d0440f247c2f932219761c5735649cb1ad1e65a4c89

SHA512
0ec6613687f8542bbd620ee08603ef83cc9724c71808daa3950fd715a69fe68b1c9d47fdfcbce880bfa1e6ac8a405d76317fd4feedb818d428c92cce4accc4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat

Filesize
195B

MD5
6523befd1ac36dc5584480bf03aa5a7c

SHA1
2e3b63f9ca67027b7a79259476c89e853594e13b

SHA256
e3099c092165045807103e0c3c5f8dbfc7135c1675f5dcbdbbb262cbf639dbea

SHA512
314c1dcd5c29dea60f45bfb16219ef51abee91ce29c4ec92df0ac8b0f684d3cf064e151442161f54878cda7a000f9cac46160ffb17cb412216cadc651112eb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab17C7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gt2U4zX4U5.bat

Filesize
195B

MD5
7e2aa7c5d18f7aacfece0dd1396d82d3

SHA1
8c4fa6dd1bcc1c432096aea0673455baa58d89bf

SHA256
b0b9d146c12edca39aa3bca4082553c2c7bcec98fe2f214bfffa486d7a5ca947

SHA512
d4e714c74c7bd31821c60c6cf7a8fea533effed7e3069cd8fb814a7c91f2fa2243fb256cc23e96595f5db50c80a24228a626a45d43eded502748b5e4ab8dc209

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

Filesize
195B

MD5
63bf27ed6c379a102590a0999d174bd6

SHA1
b832db39a09ed02ece2bd59f6a14ded8ab6b0c05

SHA256
bd9a0f64ffa71c3fbe2112954ddd7db57e8968c079cb257c0b2bb8ca34819468

SHA512
5f741f16ecf96fbdf1da70f4f5f303884c5e4f7d6c434da23785c0192e60f3e4302ca7da0743ebf22c09db7568d5d6295505de4edf8061f344a420a978108f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

Filesize
195B

MD5
0c32034a3ad0522128849c20e57d64f4

SHA1
b29b32e736e3987b90a37a10cb598c4462932e6b

SHA256
be842075709fa5127c022958b21bc85d0591634846714984d1b5188621c7373d

SHA512
bda8a216a9ecdc1c48178202d076d3c5dbf130ac1dec8b9dd0ae642b7026a2f19c3dc02d7205593b7d4255c09cec924122217633dad85b45fefa5b0b7cc0acb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat

Filesize
195B

MD5
bd7c2ba85f1bd5d54db3a26a7003fed6

SHA1
cb9a4086705475d1c0ce536209e2c0072bbf322f

SHA256
bc4ccb57e7f7bdeba6679182263273e987d5383167d0fabce2560cc2c0cb77b1

SHA512
651610246e58623487e1919c5bbd988be294496235db9517722a33253182f8ff033f4e2ae8677874912acaf60fc647e8bd1afd66d116435116ff2701f7805655

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar17F9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
195B

MD5
55d912b89563316029f19fa15ededbe6

SHA1
fd6eb07e491a5e3cc8dbfba5debc89c653f3b256

SHA256
d8215c0ceb7309c885dde30ae65b0593d0986dc026ec71cbff5211fcbe7c757a

SHA512
2a811ab600fb4e7d624c1c35b246709d52d669b53a11e4f6c269171fe00391dbfe68b6e2b7228a3d1f6854f70d4f5684e2aa1336081a9104869ce966661fb349

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
195B

MD5
9038895501594c79e722af8e9893110f

SHA1
121fe867b7484c197aff7b49aaff1aa97800f4d9

SHA256
73c73aa6f799bf0192a0088c046b433a5eeece19d2e7d92a079ba3dde0c06992

SHA512
27b001357a38594ab369dd0aed4ddff9df3130e67fb0fae831b57f1cd6dfef2a582cfa05722c8549ed11a92536c297011a515ed2895ac9b0ac59c14475fd45d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat

Filesize
195B

MD5
6f17569468e193127f3d9c72944c2316

SHA1
6403f9204575dcde1fbee7ecdf9ea57c48e4c82e

SHA256
912b1b15c39027e8f7850d9089e2bbadabf615740829bd7378210d090dc788c3

SHA512
0a4f33dfc1226fd01873a88dc8cc239aa9bda5c3f44374ef3d0e1a73123b0553e46a74dc8bae8737441363dc9b88b344f6955c8ad3d0abd78e432198f27ccdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

Filesize
195B

MD5
880ca8f7e36b3ce076e3d62f51926514

SHA1
05316528addf58abf825d8b8de0d0302079902cc

SHA256
2535badc83cfb334844dc0d5a8c2d50122c563c0ef9eb4f2c4b4ac172d03c423

SHA512
022ae8759fdbd2379ea04312778bc6a8f69179d45725b32f98c761dabe788228fb514cd28cd900e8918a4b2a1c62c6bbe0eb98934206dd7cf8b97912fcdb8e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
195B

MD5
3a1a4f11b71c50f03c77c26f4788ca51

SHA1
50b238b746b05d679441fad9ca8af1bad3292147

SHA256
e5f8f706e4a1760f5d8919374ee9de18472c5fe2c5a4ea28080a51ac22384791

SHA512
b9b7e737099cde7cd623d5c9139a0031112a23211d2e4439891a3e2c728591ddc6eaf630294982c043ae301dac2c82675eca02fd494299b023cc356513f53619

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

Filesize
195B

MD5
04a5737ed9a28f1874feddd464a38d93

SHA1
6487d4ebea45eee52d16497830d31a57aad07943

SHA256
8bcf79004c6413c86cc6c053c9aac57f2cfe9d98a318d9be6fa478fa43e3d0c3

SHA512
f8539a178fa066345e0eec268c94f8136dece8d9ffedb7dc1bf3c0501c01006fcd214202f601ac53bbf62a88a46ba9cca994c012417a14e20a4af1112960dcbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eabaca263cdd950aea1b96a9529aaac5

SHA1
c06651dfd31e656f3f549c006d039e23442ca072

SHA256
8306383902148696f3b27ba639941de2e2bf7f5c996d16cf559313fc16175c16

SHA512
955d0303fe21634f44bd1e2438273160632501d529d4e30ed7d72f74bbf33a551b217fcf675af6974e6f184cd27a8f6e3e04030dc9f28a3eefb822c68bb58f6a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/568-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/568-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/568-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/568-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/568-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/600-517-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-278-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1860-398-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1880-159-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download
memory/1892-637-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2028-75-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2060-756-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/2060-757-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2172-577-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2680-73-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2724-218-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2844-338-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/2956-817-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download