dcrat | 3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36.exe
Size

1.3MB
MD5

c3009d02e08dc8f2d32d6087ca0be1fa
SHA1

68f6c6880520857d6edbca88d2e23b172b7033ed
SHA256

3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36
SHA512

bdb90fab0b1cd18e5530cc8b032b9939c3f0f8c588c8850da96fcdbbd10ba4ffa1e08a8f2b6f9dce57669c1b92e57f4bd7dbd305577e82cce7986fc27d66b9eb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2980	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2980	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d31-12.dat	dcrat
behavioral1/memory/2844-13-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/2700-60-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/2420-216-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/2596-689-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2792-749-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/2044-810-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
2628	powershell.exe
2548	powershell.exe
2600	powershell.exe
1852	powershell.exe
2252	powershell.exe
2644	powershell.exe
2704	powershell.exe
2728	powershell.exe
2832	powershell.exe
2192	powershell.exe
2284	powershell.exe
2868	powershell.exe
2612	powershell.exe
1836	powershell.exe
2900	powershell.exe
1896	powershell.exe
2556	powershell.exe
2576	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2844	DllCommonsvc.exe
2700	smss.exe
2420	smss.exe
1016	smss.exe
2552	smss.exe
2740	smss.exe
2344	smss.exe
1784	smss.exe
1488	smss.exe
2740	smss.exe
2596	smss.exe
2792	smss.exe
2044	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	cmd.exe
2400	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
44	raw.githubusercontent.com
41	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\nl-NL\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\System32\nl-NL\6ccacd8608530f	DllCommonsvc.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\index\taskhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe
2456	schtasks.exe
2236	schtasks.exe
2948	schtasks.exe
2428	schtasks.exe
2488	schtasks.exe
2008	schtasks.exe
2368	schtasks.exe
2328	schtasks.exe
2888	schtasks.exe
2652	schtasks.exe
2740	schtasks.exe
2764	schtasks.exe
2916	schtasks.exe
608	schtasks.exe
2432	schtasks.exe
2824	schtasks.exe
2136	schtasks.exe
2152	schtasks.exe
1976	schtasks.exe
2928	schtasks.exe
2264	schtasks.exe
1048	schtasks.exe
2068	schtasks.exe
1652	schtasks.exe
1768	schtasks.exe
2584	schtasks.exe
1776	schtasks.exe
1460	schtasks.exe
1844	schtasks.exe
660	schtasks.exe
1732	schtasks.exe
2060	schtasks.exe
2716	schtasks.exe
2016	schtasks.exe
1916	schtasks.exe
3048	schtasks.exe
2392	schtasks.exe
624	schtasks.exe
2032	schtasks.exe
1244	schtasks.exe
292	schtasks.exe
2304	schtasks.exe
404	schtasks.exe
524	schtasks.exe
2840	schtasks.exe
752	schtasks.exe
1612	schtasks.exe
1604	schtasks.exe
872	schtasks.exe
348	schtasks.exe
1268	schtasks.exe
2120	schtasks.exe
800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2956	powershell.exe
2548	powershell.exe
2600	powershell.exe
2900	powershell.exe
2832	powershell.exe
2576	powershell.exe
2284	powershell.exe
2704	powershell.exe
2728	powershell.exe
2252	powershell.exe
2628	powershell.exe
2556	powershell.exe
2612	powershell.exe
1852	powershell.exe
1836	powershell.exe
2192	powershell.exe
1896	powershell.exe
2644	powershell.exe
2868	powershell.exe
2700	smss.exe
2420	smss.exe
1016	smss.exe
2552	smss.exe
2740	smss.exe
2344	smss.exe
1784	smss.exe
1488	smss.exe
2740	smss.exe
2596	smss.exe
2792	smss.exe
2044	smss.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	DllCommonsvc.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2700	smss.exe
Token: SeDebugPrivilege	2420	smss.exe
Token: SeDebugPrivilege	1016	smss.exe
Token: SeDebugPrivilege	2552	smss.exe
Token: SeDebugPrivilege	2740	smss.exe
Token: SeDebugPrivilege	2344	smss.exe
Token: SeDebugPrivilege	1784	smss.exe
Token: SeDebugPrivilege	1488	smss.exe
Token: SeDebugPrivilege	2740	smss.exe
Token: SeDebugPrivilege	2596	smss.exe
Token: SeDebugPrivilege	2792	smss.exe
Token: SeDebugPrivilege	2044	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2672	2652	JaffaCakes118_3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36.exe	31
PID 2652 wrote to memory of 2672	2652	JaffaCakes118_3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36.exe	31
PID 2652 wrote to memory of 2672	2652	JaffaCakes118_3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36.exe	31
PID 2652 wrote to memory of 2672	2652	JaffaCakes118_3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36.exe	31
PID 2672 wrote to memory of 2400	2672	WScript.exe	32
PID 2672 wrote to memory of 2400	2672	WScript.exe	32
PID 2672 wrote to memory of 2400	2672	WScript.exe	32
PID 2672 wrote to memory of 2400	2672	WScript.exe	32
PID 2400 wrote to memory of 2844	2400	cmd.exe	34
PID 2400 wrote to memory of 2844	2400	cmd.exe	34
PID 2400 wrote to memory of 2844	2400	cmd.exe	34
PID 2400 wrote to memory of 2844	2400	cmd.exe	34
PID 2844 wrote to memory of 2900	2844	DllCommonsvc.exe	90
PID 2844 wrote to memory of 2900	2844	DllCommonsvc.exe	90
PID 2844 wrote to memory of 2900	2844	DllCommonsvc.exe	90
PID 2844 wrote to memory of 2728	2844	DllCommonsvc.exe	91
PID 2844 wrote to memory of 2728	2844	DllCommonsvc.exe	91
PID 2844 wrote to memory of 2728	2844	DllCommonsvc.exe	91
PID 2844 wrote to memory of 2832	2844	DllCommonsvc.exe	92
PID 2844 wrote to memory of 2832	2844	DllCommonsvc.exe	92
PID 2844 wrote to memory of 2832	2844	DllCommonsvc.exe	92
PID 2844 wrote to memory of 2192	2844	DllCommonsvc.exe	93
PID 2844 wrote to memory of 2192	2844	DllCommonsvc.exe	93
PID 2844 wrote to memory of 2192	2844	DllCommonsvc.exe	93
PID 2844 wrote to memory of 2628	2844	DllCommonsvc.exe	94
PID 2844 wrote to memory of 2628	2844	DllCommonsvc.exe	94
PID 2844 wrote to memory of 2628	2844	DllCommonsvc.exe	94
PID 2844 wrote to memory of 2548	2844	DllCommonsvc.exe	95
PID 2844 wrote to memory of 2548	2844	DllCommonsvc.exe	95
PID 2844 wrote to memory of 2548	2844	DllCommonsvc.exe	95
PID 2844 wrote to memory of 2284	2844	DllCommonsvc.exe	96
PID 2844 wrote to memory of 2284	2844	DllCommonsvc.exe	96
PID 2844 wrote to memory of 2284	2844	DllCommonsvc.exe	96
PID 2844 wrote to memory of 1896	2844	DllCommonsvc.exe	97
PID 2844 wrote to memory of 1896	2844	DllCommonsvc.exe	97
PID 2844 wrote to memory of 1896	2844	DllCommonsvc.exe	97
PID 2844 wrote to memory of 2556	2844	DllCommonsvc.exe	98
PID 2844 wrote to memory of 2556	2844	DllCommonsvc.exe	98
PID 2844 wrote to memory of 2556	2844	DllCommonsvc.exe	98
PID 2844 wrote to memory of 2576	2844	DllCommonsvc.exe	99
PID 2844 wrote to memory of 2576	2844	DllCommonsvc.exe	99
PID 2844 wrote to memory of 2576	2844	DllCommonsvc.exe	99
PID 2844 wrote to memory of 2600	2844	DllCommonsvc.exe	100
PID 2844 wrote to memory of 2600	2844	DllCommonsvc.exe	100
PID 2844 wrote to memory of 2600	2844	DllCommonsvc.exe	100
PID 2844 wrote to memory of 2644	2844	DllCommonsvc.exe	101
PID 2844 wrote to memory of 2644	2844	DllCommonsvc.exe	101
PID 2844 wrote to memory of 2644	2844	DllCommonsvc.exe	101
PID 2844 wrote to memory of 1852	2844	DllCommonsvc.exe	102
PID 2844 wrote to memory of 1852	2844	DllCommonsvc.exe	102
PID 2844 wrote to memory of 1852	2844	DllCommonsvc.exe	102
PID 2844 wrote to memory of 2252	2844	DllCommonsvc.exe	103
PID 2844 wrote to memory of 2252	2844	DllCommonsvc.exe	103
PID 2844 wrote to memory of 2252	2844	DllCommonsvc.exe	103
PID 2844 wrote to memory of 2704	2844	DllCommonsvc.exe	104
PID 2844 wrote to memory of 2704	2844	DllCommonsvc.exe	104
PID 2844 wrote to memory of 2704	2844	DllCommonsvc.exe	104
PID 2844 wrote to memory of 2868	2844	DllCommonsvc.exe	105
PID 2844 wrote to memory of 2868	2844	DllCommonsvc.exe	105
PID 2844 wrote to memory of 2868	2844	DllCommonsvc.exe	105
PID 2844 wrote to memory of 2612	2844	DllCommonsvc.exe	106
PID 2844 wrote to memory of 2612	2844	DllCommonsvc.exe	106
PID 2844 wrote to memory of 2612	2844	DllCommonsvc.exe	106
PID 2844 wrote to memory of 2956	2844	DllCommonsvc.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e367d03e64f62485250b49da032d765febfafdbc8e0e18bdbb9eba2e806ba36.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\nl-NL\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        6⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3060
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
        8⤵
        
        PID:1076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1544
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
        10⤵
        
        PID:1008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2864
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        12⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2128
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
        14⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2284
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        16⤵
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2648
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
        18⤵
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2776
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        20⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3060
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        22⤵
        
        PID:552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1052
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
        24⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2652
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
        26⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1468
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ee2de5ba1738ff1b6b859f03fb07c4f

SHA1
14bd7b2c7cf42c7e3ac668f869de590866c73588

SHA256
a26621e2c11b08b7836edc232f7b7be342a7646515fd9625e038b833399441f7

SHA512
1fbb56fee27618bfdab1774771e92050773c931c49aa9631c1b2166a57a2cfb21615d3f87d561a242cadf26c29b4e4723108efc84ab15f31eed7745604a17204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0ce621921d6b4f4700d8d13226f974e

SHA1
fd9a6c18e19b771eab4a5ab99d62a9bf4a7b6d4d

SHA256
f433c66f50ada796f6f8243d7b070dadfeeeb969bff94b22cd003c95808a36e3

SHA512
27ba49809cdce6665fb2251beb13b515cedbc3c574db577b35613051864df8f97cf72f278252396b17c118ec1df3b665741c67da483aacf417a7381769976982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
773fb019feeeb609e00a3a02f8235416

SHA1
5f95400ad77c93fe437aa8ff86ac428f300acc0d

SHA256
4fcdf930336286adb06737ae8e5614610959b77b411f7ae13f9fcb67f30fa8cf

SHA512
61ded8abed5bc14560e4ab032fd5cb79a0473969fbbec2425db5387397149e7413469a714bdda6030c6d4f65e413beea54f34e9b408671055ffd70947d91887d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab443f801b195647bcbd286e18a110ec

SHA1
9a7441bc8cd075472da6c8f613397788e50a7237

SHA256
9fca04271cc0216f7bc97c5863538f860fc0e261c09ea9eb502e44ffe2a0f062

SHA512
997a2fdb9d79c937e319c225001c8b3c7df19ac987633a8c1318cfe4831c3dd37416a4ca914786e67411e1bc7c9e7520433c9e420949c09f734b04c33157ad63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2a3c7acf067c2fec3bb6305b5f858f8

SHA1
7c2bffb979523d377e714121367ea492b3722bd9

SHA256
57ee68cf79e00dee65013f9fd1e31b0fec99174ae1d1aea1163fc9c5d9690281

SHA512
d51f24485f34d350ea8e3845413d8f2fa594204d126278b295e7ef4acfd82fea71827ed2b115b249f9e6e8afc37e33d6e28de178ce6dd7662317ba814998d29f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86aceddd04607c731951678e8fcee3ff

SHA1
1f7f904b6b1bb287072cb6e3081b0b1beecd32a6

SHA256
f926ec1443976717f709aeeaf0d389fff51098bfeb4de5cbc88e3f9d4bffcdab

SHA512
7fcdc185cc5c96d9402a7fe781c5f336ad9d324969e2522ad999f45c166867c61fc60b7bfcc30b26981768e002ce1e35cdeac6dc27153c7b6be8d38ae02c000c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89fe0fc0ac001cfe3c2f02a1fa8f7e99

SHA1
448d085201d15130b233da17ec35209940a08c79

SHA256
abd4d635baf6cbcef61b4573450646f698515891bfff227000b776210f969073

SHA512
f863aa52fbe693c0ab86e8c3337b2ac1281f9157d6018d6169c11f4886080c1c0473d35368205a0d2c15cf6d0b8f52dac509e43c2e9e440ded16f0d4c8e35f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b5c59b91d6ea6e991b80bd04775cdbc

SHA1
966e701077c3c7739853c15893e35b8aa18dc88c

SHA256
332ecac1dbc88514c3740fcb1d93b47878230b9df64afc0b7e968aa63c9a3cd7

SHA512
6c88b85fb37737169079bac59fcf8d770f60cb9151d16af13de59f13734d1b48311ba63dd2ff83c03aab46377027bc338f5ae605483d93458f011831962592aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec2da082de74f953a4aaae728eb1392a

SHA1
b5eecd28a04bdf683afbd0e580aeec0d9a9c0b6a

SHA256
4b53c30f9a4758048a9d533b08f53363e3e74d2c651395befbe691bf387cb31e

SHA512
4dce8b9366b5f3792f8724ff5eb96b8cc85eabd7ccf928d40061bd28a6add8453340e00733ad02cb346d642bcfbb227be2e2379538a48ac23ff2f187316bfda7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db07fe355ac3c19e43f710fa92f24306

SHA1
572a607d2a46e85c45e665faf285d0e2cc0e5ddc

SHA256
077f5a391b45b34b605ac95947988ae38e77ae3aa4e908f4888e51a4ee5c6808

SHA512
c49c4290c6011b236ef7c8593bd007674b36b7bbac39eca29954671752df6d592848b36c36317190e9d3d022672085f1ba39b3534641a3c5ee4b014ddf033dd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dc049f76aaa765eddb1da12f991961c

SHA1
d46550285746a3fe9501b63881e93625b1d73ba7

SHA256
5e9e939bbc54cb60f5fd9de2ec2caf0da1c87df5d0b1322f2f8527f078465681

SHA512
b3e03fd4613fa1c3a0e96935a2c30b4dee1bf9128812181e16acf361e856ffa1263e49dd190a7f092541bf2da310b1ba6327d99d18174357444761fe9d76f9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat

Filesize
236B

MD5
f7ae1ba772b7501c8beb25b41ce4fb00

SHA1
ce3efcb8f21de4a2941426a4047ca9f5270c48bc

SHA256
dadd82c647e4d5ed70e6bc41f1058365f4756b89e191e449e75b67269729b17f

SHA512
fc035c11faf60d65a62c7676b4b3b0d489329967e29cba73483480d711df6e000203a56c041d344317013973a78a421f140c1fcd6cf4cd113c7b6921657293b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat

Filesize
236B

MD5
87fc90ee74292479e62bbdbd2980037e

SHA1
cc3e4b4bd0592f9ab60aa189a2e9577701116e57

SHA256
2784ce4d4ddc5997a0cccc80f9701ae04fc285e40ce6ac584901ee027081ebae

SHA512
a8bc0cd65ff2ae9b57740071600a99ebf77eb4fd5603e45a7d1b15b88608f1e3b115fc5637d6a0e4008029677f917bfdb7da75859796542d4cc86c22c04cd3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33BF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat

Filesize
236B

MD5
e6b3ad22db6d95f571fe90f138e6e953

SHA1
73dbaac50469aef4e277ed64ae380f477127746e

SHA256
9080217af26d317c59255494c882edca06a5b3457855e5f7ffd27a92f81b4ce9

SHA512
b6a13819b2f39e6683c31d04ce2dc754ead2dfdc60e4a972094f5ef4fca9e64ed2105fc6edb478de85de9cd4e481322773b262ccfea916a3f4cd806df5b67421

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar33C2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
236B

MD5
e3b4ce04216b21a8844220353270561f

SHA1
48339e0c2c7948300d86f6e239e79e24ba9bf250

SHA256
7d70b87b59e27e72caac63e0d3da6abc221fe97555fa748dbb4d995e9ccb169d

SHA512
61f38d21c8882a4893e9a7c07b0cdd77d0c3881c37c5e2dede37ae3e8d35415b77a1352ec39e26c5adf1d2daf1281871a0d361a2f11ce32eccfd32e9bd3e2165

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
236B

MD5
31d5037b44f53b96b431ea3b70ed9ce7

SHA1
31d2e84489a274ac2ed668020a53c84abc054774

SHA256
0558aeffa6567ba0eea615a50fc0fa614930f068af8464747115b0d1c602c945

SHA512
cf94cba64ab92b18a6055dd56e4329c30c397fc72834fd042bdd5bd20f08fceab02a55904010fdd8d1ef9565a5b22212d560049e75a7eb9e0ca5156c6139c159

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

Filesize
236B

MD5
13774f6cf017c0330d85240dc10240cb

SHA1
3edaa52c4c3e8d3f0b8f0b0332ac9ce91b841f57

SHA256
a27a4bbc21d6b81c2284c59dfe8234d893ec6d47123bfd4c9ebb9d866386a3ac

SHA512
0c1f62a6a1bbe19cd01ee11e698fe96b25144b18d10ca70a308c1edcd04916395e190ff3fcb95141c7cfc68a9fd48db45dce204e328ad216dfc0cebd1d891ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
236B

MD5
340e756ed7717731b9dfc965e126c7b6

SHA1
0a59f9d0e181c26d5c3595a3314231150293f55a

SHA256
ee7b31534b9d0ebe79bde695aa55a20cd6491b57c7401e30b2000ebf56364976

SHA512
aa98851b01511c6cc00a777b6c517a5f41ff730d3867a82ccd176599bcfeb5251e79709a4065f03c4f507f59d6ee113ea3d8e048dc36d25a0cedc55538cc8def

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
236B

MD5
c7f43921da0afcec252c24a31bbdc394

SHA1
9754cde0a3bc2acf573ed10c756885a72a628160

SHA256
6d05ac67ccf5159cbc849221bcf16e8438a8eceed7d2262c6016b7cdd83bb105

SHA512
f172fd3c8c0dd6cf39a89557db8a54d55218d7ba0c808e47374770a950298c085bdb39003fe2cda0ce8d8964d3e13534701673d4e5efa987e51e6b39c7fd9b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
236B

MD5
45744d2489d15ac130f32ba3e1c4d7ee

SHA1
a88692db256ec938b2b15e0928c94b6413085aba

SHA256
6ddd92ca254fcbd87f49d9352846c24ce55da38c37de9cd43716bfd345d278cf

SHA512
95f51ef0aa26f1f9b6c9a69adb6a37f69bd2051c0dd4734081ed82a732480ffcb34cf1ecffbafdf71d4aa708d9a64226954ac441474828e2de99034aeb816355

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat

Filesize
236B

MD5
53a7592c6d20f75571e79b15dbf31197

SHA1
582629a396c8db493e4f255994d36709b74355a8

SHA256
e7b883363807dd0e3893f39614699a92e4f6f2af5cd6ffd8279037c12d72f56c

SHA512
8d7343fda4b57a0013f704ea3a3e604f9d8120f1c80f5e4ae35911d35617b995df87e441a7bf5508caa971bf1a0fdd6e7a389de0e792f646615e15c7d0e5f0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

Filesize
236B

MD5
1598c8f4187823c095e65ecb257c86a4

SHA1
c5fee35014400ffdfe01a828510a0a041ed8fc44

SHA256
257b0677d36d148429382f64177b0f46752f810a76f65b63a852697904ee709e

SHA512
64a44f36ed436a075d4d4784e2a574df8502b1d18f68c153d87e381009f8c5e0aaa767d9b87ab8ff66f6ca09f7a505fc168a38f395f363809cbc93f03d9db5e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
54c54c1dba07f2c69745ae06397345a8

SHA1
dc76590d395637678f7f95dd5b97425e6e74cd66

SHA256
3ebbe592cc16013d385268397df1f6f60541055c6631beac91f8039b8df87553

SHA512
3bdf9361a549f27e94e924a52605dbd1581e677dff94dafc6c0e7c72dc18620e9297f14f72aa53497b001c3c844c4a268b037d465810f56e36a2098e07cd82b0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2044-810-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/2420-216-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2596-689-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2700-157-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2700-60-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/2792-749-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/2792-750-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2844-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2844-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2844-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2844-13-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/2844-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2956-66-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2956-71-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download