dcrat | da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119.exe
Size

1.3MB
MD5

bb4bc5c9a32cedb32b440c4ad16fa16b
SHA1

a740ab79795b36e10c8c37de6282ea705478b889
SHA256

da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119
SHA512

58c9df1065418168904cb0f77b5fb291eac0316560c2fc5f8c8e0908ea5280d006166fc8b71b33a6640509f93616ae8079d4b738ac5e839239a438ab44f21d97
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2404	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2404	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019570-9.dat	dcrat
behavioral1/memory/2812-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/1872-162-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/2372-222-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2360-400-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/2688-519-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2948	powershell.exe
2060	powershell.exe
348	powershell.exe
1456	powershell.exe
2648	powershell.exe
1464	powershell.exe
2408	powershell.exe
1956	powershell.exe
1976	powershell.exe
2372	powershell.exe
2396	powershell.exe
2480	powershell.exe
1488	powershell.exe
408	powershell.exe
2548	powershell.exe
2960	powershell.exe
2568	powershell.exe
1276	powershell.exe
2380	powershell.exe
3024	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2812	DllCommonsvc.exe
1872	conhost.exe
2372	conhost.exe
2804	conhost.exe
1540	conhost.exe
2360	conhost.exe
784	conhost.exe
2688	conhost.exe
2648	conhost.exe
2400	conhost.exe
1956	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	cmd.exe
2360	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
13	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Google\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Google\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Help\Help\services.exe	DllCommonsvc.exe
File created	C:\Windows\Help\Help\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2268	schtasks.exe
2228	schtasks.exe
1380	schtasks.exe
592	schtasks.exe
2148	schtasks.exe
2636	schtasks.exe
576	schtasks.exe
908	schtasks.exe
2980	schtasks.exe
2776	schtasks.exe
1756	schtasks.exe
2872	schtasks.exe
2316	schtasks.exe
1308	schtasks.exe
2728	schtasks.exe
2288	schtasks.exe
2460	schtasks.exe
2084	schtasks.exe
1500	schtasks.exe
2332	schtasks.exe
1088	schtasks.exe
1916	schtasks.exe
2272	schtasks.exe
2032	schtasks.exe
1376	schtasks.exe
2508	schtasks.exe
1880	schtasks.exe
1224	schtasks.exe
2724	schtasks.exe
3024	schtasks.exe
1920	schtasks.exe
2524	schtasks.exe
1672	schtasks.exe
2468	schtasks.exe
1896	schtasks.exe
2604	schtasks.exe
2864	schtasks.exe
1436	schtasks.exe
1444	schtasks.exe
2600	schtasks.exe
1576	schtasks.exe
1292	schtasks.exe
2888	schtasks.exe
2496	schtasks.exe
2700	schtasks.exe
1800	schtasks.exe
1788	schtasks.exe
296	schtasks.exe
1216	schtasks.exe
1944	schtasks.exe
2448	schtasks.exe
1556	schtasks.exe
2780	schtasks.exe
2952	schtasks.exe
1708	schtasks.exe
1928	schtasks.exe
2424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2812	DllCommonsvc.exe
2648	powershell.exe
2948	powershell.exe
3024	powershell.exe
2372	powershell.exe
408	powershell.exe
2380	powershell.exe
2408	powershell.exe
1456	powershell.exe
1488	powershell.exe
1976	powershell.exe
2060	powershell.exe
1464	powershell.exe
348	powershell.exe
2396	powershell.exe
1956	powershell.exe
1276	powershell.exe
2960	powershell.exe
2568	powershell.exe
2548	powershell.exe
2480	powershell.exe
1872	conhost.exe
2372	conhost.exe
2804	conhost.exe
1540	conhost.exe
2360	conhost.exe
784	conhost.exe
2688	conhost.exe
2648	conhost.exe
2400	conhost.exe
1956	conhost.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	DllCommonsvc.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1872	conhost.exe
Token: SeDebugPrivilege	2372	conhost.exe
Token: SeDebugPrivilege	2804	conhost.exe
Token: SeDebugPrivilege	1540	conhost.exe
Token: SeDebugPrivilege	2360	conhost.exe
Token: SeDebugPrivilege	784	conhost.exe
Token: SeDebugPrivilege	2688	conhost.exe
Token: SeDebugPrivilege	2648	conhost.exe
Token: SeDebugPrivilege	2400	conhost.exe
Token: SeDebugPrivilege	1956	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2944	2184	JaffaCakes118_da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119.exe	30
PID 2184 wrote to memory of 2944	2184	JaffaCakes118_da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119.exe	30
PID 2184 wrote to memory of 2944	2184	JaffaCakes118_da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119.exe	30
PID 2184 wrote to memory of 2944	2184	JaffaCakes118_da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119.exe	30
PID 2944 wrote to memory of 2360	2944	WScript.exe	31
PID 2944 wrote to memory of 2360	2944	WScript.exe	31
PID 2944 wrote to memory of 2360	2944	WScript.exe	31
PID 2944 wrote to memory of 2360	2944	WScript.exe	31
PID 2360 wrote to memory of 2812	2360	cmd.exe	33
PID 2360 wrote to memory of 2812	2360	cmd.exe	33
PID 2360 wrote to memory of 2812	2360	cmd.exe	33
PID 2360 wrote to memory of 2812	2360	cmd.exe	33
PID 2812 wrote to memory of 2648	2812	DllCommonsvc.exe	92
PID 2812 wrote to memory of 2648	2812	DllCommonsvc.exe	92
PID 2812 wrote to memory of 2648	2812	DllCommonsvc.exe	92
PID 2812 wrote to memory of 2568	2812	DllCommonsvc.exe	93
PID 2812 wrote to memory of 2568	2812	DllCommonsvc.exe	93
PID 2812 wrote to memory of 2568	2812	DllCommonsvc.exe	93
PID 2812 wrote to memory of 1464	2812	DllCommonsvc.exe	94
PID 2812 wrote to memory of 1464	2812	DllCommonsvc.exe	94
PID 2812 wrote to memory of 1464	2812	DllCommonsvc.exe	94
PID 2812 wrote to memory of 2948	2812	DllCommonsvc.exe	95
PID 2812 wrote to memory of 2948	2812	DllCommonsvc.exe	95
PID 2812 wrote to memory of 2948	2812	DllCommonsvc.exe	95
PID 2812 wrote to memory of 2960	2812	DllCommonsvc.exe	96
PID 2812 wrote to memory of 2960	2812	DllCommonsvc.exe	96
PID 2812 wrote to memory of 2960	2812	DllCommonsvc.exe	96
PID 2812 wrote to memory of 2548	2812	DllCommonsvc.exe	97
PID 2812 wrote to memory of 2548	2812	DllCommonsvc.exe	97
PID 2812 wrote to memory of 2548	2812	DllCommonsvc.exe	97
PID 2812 wrote to memory of 2396	2812	DllCommonsvc.exe	99
PID 2812 wrote to memory of 2396	2812	DllCommonsvc.exe	99
PID 2812 wrote to memory of 2396	2812	DllCommonsvc.exe	99
PID 2812 wrote to memory of 2372	2812	DllCommonsvc.exe	101
PID 2812 wrote to memory of 2372	2812	DllCommonsvc.exe	101
PID 2812 wrote to memory of 2372	2812	DllCommonsvc.exe	101
PID 2812 wrote to memory of 408	2812	DllCommonsvc.exe	102
PID 2812 wrote to memory of 408	2812	DllCommonsvc.exe	102
PID 2812 wrote to memory of 408	2812	DllCommonsvc.exe	102
PID 2812 wrote to memory of 2408	2812	DllCommonsvc.exe	104
PID 2812 wrote to memory of 2408	2812	DllCommonsvc.exe	104
PID 2812 wrote to memory of 2408	2812	DllCommonsvc.exe	104
PID 2812 wrote to memory of 2480	2812	DllCommonsvc.exe	105
PID 2812 wrote to memory of 2480	2812	DllCommonsvc.exe	105
PID 2812 wrote to memory of 2480	2812	DllCommonsvc.exe	105
PID 2812 wrote to memory of 1488	2812	DllCommonsvc.exe	107
PID 2812 wrote to memory of 1488	2812	DllCommonsvc.exe	107
PID 2812 wrote to memory of 1488	2812	DllCommonsvc.exe	107
PID 2812 wrote to memory of 3024	2812	DllCommonsvc.exe	108
PID 2812 wrote to memory of 3024	2812	DllCommonsvc.exe	108
PID 2812 wrote to memory of 3024	2812	DllCommonsvc.exe	108
PID 2812 wrote to memory of 1456	2812	DllCommonsvc.exe	109
PID 2812 wrote to memory of 1456	2812	DllCommonsvc.exe	109
PID 2812 wrote to memory of 1456	2812	DllCommonsvc.exe	109
PID 2812 wrote to memory of 1976	2812	DllCommonsvc.exe	111
PID 2812 wrote to memory of 1976	2812	DllCommonsvc.exe	111
PID 2812 wrote to memory of 1976	2812	DllCommonsvc.exe	111
PID 2812 wrote to memory of 348	2812	DllCommonsvc.exe	113
PID 2812 wrote to memory of 348	2812	DllCommonsvc.exe	113
PID 2812 wrote to memory of 348	2812	DllCommonsvc.exe	113
PID 2812 wrote to memory of 1956	2812	DllCommonsvc.exe	114
PID 2812 wrote to memory of 1956	2812	DllCommonsvc.exe	114
PID 2812 wrote to memory of 1956	2812	DllCommonsvc.exe	114
PID 2812 wrote to memory of 2060	2812	DllCommonsvc.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da1cf3b02ad5e60660106679f20d8b2c3f4990c1857ba1c67e12e1fd4c0a2119.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Help\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Download\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMHf8rDwjU.bat"
        5⤵
        
        PID:1304
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:696
      - C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
        7⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:448
        
        C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        9⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1172
        
        C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
        11⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2600
        
        C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat"
        13⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2260
        
        C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        15⤵
        
        PID:2476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2568
        
        C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
        17⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2524
        
        C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
        19⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1540
        
        C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
        21⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2884
        
        C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
        23⤵
        
        PID:1576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1904
        
        C:\Program Files (x86)\Google\Update\Download\conhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
        25⤵
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Help\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Help\Help\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Help\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Download\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8f17c3f2af54191e2b86de4efa3208f

SHA1
75053e2e0b5d5ccf04d498d596e91a74db31a7a4

SHA256
18c8da7dd5d2978ac8d64aa55ce649fb140999cba8c7551f2a588a95374f593d

SHA512
cf7b5934df6552b62e07032dee5fb65b04d1d3607bb169edf5d51820c7124eb372cf9832441b4125373047c69002aa0931a1771c73db2550f31cc0a3e4b2388b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8654f189146a3761b168d5991d117e07

SHA1
8572ce57c231c3baae110a0fbfd9055bd18b4847

SHA256
0ee44087d31aee76f7ed5fda157ee88e21ad47495ea4f7349bbe67001918e0d7

SHA512
2187083d0b824886fa3f0df3380c1707c85bcd43fe3d8ccde5ca9b03efb9437e4f8f4c099857a319297ee73b13af9ee5b5263320754afb6e79e9e11dd419906c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d41850508fdff63c76ae1620654c0fd

SHA1
6e5c506847cb6591c1cd048625c728aae78c0887

SHA256
95ca27a9acc85954a98b5430606e4537a7b2148255797fdbc005b65822c722c1

SHA512
1dcc823a82f3d6605f2411fe82501f9d0d35212846b00bc5e052264fe9c36927435d24f233269945fb5b3d474609ba037e3d29463b0770fba7d9291c711b3385

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0df6f1374e5ab8b23f79e898530a2a3

SHA1
91324fc887e8f220fe2511c9e8fd11a2dec93642

SHA256
586c1c5e87219999c14b5ed7b5e34a4bbc225c878d721408f7e79054aa803b92

SHA512
59effe4c3d899d01c1e0bef22923a2d164427cd20a56b4d63aab98e828ac821f3125088983671de54117a7b0800a53388070efb11924daffa2698a6d396893ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e46558bb7efc3de9469f3776938d2799

SHA1
8833eeb105525c1f3f84f26765613846f55a97f8

SHA256
bbc79f2580694fc56e688c84e73c107789ab4b13a42d908fe7911e53ef7b6bcd

SHA512
2107c1f2641af6ffbaa324d89d170ec752dc77cf3ee2bf6f2e2686ed29e9a0bd58e0bdd8f240893cf1f2bc3f6a02c93409bd5fd418345287f7c549d8812f2409

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e77ef2d7604f8a70cde0504921729948

SHA1
3b301510485ae4b7d3ae36d4871c195cfa80b5a3

SHA256
ebdabf059747b18511922e2f2abe70484430fdea34bdcf277154ae70f1153857

SHA512
6898b7a7edde857a40971a1c1bad5545ab3609b3c4d1b854eb160222dff25b6fe20a8d515801eba1edf173e1012e57ca06a78f94bd1301370480a82e1ff5f7bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29e8b182ddb8ad87bbd0598077451593

SHA1
c7de09b0045f49f1b669c3e515b5c98974441283

SHA256
5038ad1bcbc3273053faf03686d8ff560d85065930606bb9589bd9a1d111ac85

SHA512
2ec2658d0498ab5482f56c3dd0084d03cff41c01a97c4395aae22df7d8622fd406640fc6f571d2747b5a8d52fda1207d584b5362ce4d0404970d1c1ca5776faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0a0bf9e5bc7b1eec962b0ebad3b75b2

SHA1
dbb87d5d1414ed517dd46a95415c568ed7722193

SHA256
7d351be5a628629e524740948e221dce33c7664859e2a56c3c2788be78854d81

SHA512
edd4d1156a45100a1b7e87ed4d52560260216a88666cd867b9cd81980254486b2a0fbfa34cd3ab97aad82d540edaf8081895805d967b62c9094bdcf1f70c795d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52dd9eef7d7eb275b987ab273ebd425e

SHA1
22c9d5f5453949371d7886883e47bd2744605865

SHA256
8a2cbe53145319dfcd13190262cb7080cafae63bdf7276d405e7ad6280fd4259

SHA512
e3e29473d12f95fc9f819d5ec9e02eca815bec9e1b9cc6f26461e0356ae7ef4f4b27d3e41543325fdcb9766e1390a6ddcedcf96a66cc7a27440fd5af7807738f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
222B

MD5
cd7c3168ae316123d6b88381b377a517

SHA1
44b37398a1cdb35c9d8bb333c4bf0d7258889c79

SHA256
534c329093e32a9abfaa7f0dbb97fa19c6f550121582511a0b13afa4807fb584

SHA512
44fee9af2033981779ed4b97cf74fd2ae586f838ac4bb357586ab0f19f30cdb0713eb827d22288568e3b6c6ff697f12e9a158bd23386cd8a6b112b5ea2cc4dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat

Filesize
222B

MD5
607cd58914e08fab25b873076933e259

SHA1
55720560158728b75d78936a35fb01f6f2aed2d2

SHA256
581d150f1f158f46d53168085930d7600f505497ded40afa1995fbb6818efbac

SHA512
2b280cd6b0756a099a42882c33f49aad3911012dc5260885f254814718317fc49d49dbc0a75a91859a4c760320dc2b846855b563797d295d086596052b919c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8374.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8387.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMHf8rDwjU.bat

Filesize
222B

MD5
1fa0305edd3b1e04b01fd12a478f0e48

SHA1
65fd3a58323816555eb90cc106b5b7e0474d4159

SHA256
8c1f76039abc746e2c1c2a432d6dbdb049b21e4b7e608bce27f7fd2327942405

SHA512
3a40625a1626d7fb3f11d53dd7485804027ff8720602df6e4a89da2f17a8a15b46ca11585a671f085b7d39b8b34f44f9a9465e6c0a7902d41181ed451e6f251b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

Filesize
222B

MD5
b5b42400a12de8fb88b835f049e8f37b

SHA1
6ee85d2d33f88b8961662eba8866f7f4bd5cff3e

SHA256
14154828af294b6e93c9cf6d3665ab4ba6573963c57bacc3bee4633c5b4435f9

SHA512
4ec8701676cbb92dca0df2d193b63df21bcb83ba1652f909540a0e22156f2e12d488bf533099c13f6216ceb2e487eecdc40fbd068c94ddbd102bd0bffbbeb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

Filesize
222B

MD5
f459a9768d6a72721950375968001e39

SHA1
4b8e8b80002a6f17c002f88af3f7aa5cddf2a21d

SHA256
99d6bab012a2acc066b4983e9bdad58e98fa92dba38661dd0ff1ab31e1e50cbe

SHA512
20cfd2e9459f1c5f49a3ef1dd34445edfc8f989e17e9edecb201bfe830a6ee5abc65d0e3d4584fd2d80f2201742eb33eb15ee241c08ba3e02b5ba109940a1a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\esvfELjyVS.bat

Filesize
222B

MD5
8a4bb9d8202f9464274a39604dbc0dcc

SHA1
2c8f5283fc887d7f24fcd4d6a9cb16eebfe43966

SHA256
b0900d717571f2839781da9bdf615c97c94cd391f85675c4d6c20c57c675a6f1

SHA512
358e92fffd9ee0a0eb04d398cee50eeb2fab0c2c4da0f9c8144dfaf94f19f58a5fd568c79c45bd3771229d7aa73f917040849591efbaf1593ab7f0ecd6496d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
222B

MD5
e2dfd4db0b4b6dd8f2699ad42dc4c8f7

SHA1
54ada8df75c3f45a7c04898993171391ce2c115b

SHA256
ac6b1cbcc0c5525259a9a2dbdcc1dc2475af1b85900de1540ec07f41f495a8db

SHA512
7d511b3c0a805f0a819c150629f39ccddbf23302b06f0f596a091987cfa81017a29e523411b72ab9b191eeaf39641cac4c8f84ff5bb4ffc9c5befb1450e8b571

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

Filesize
222B

MD5
7b48358ebc19edd196278e94629af95e

SHA1
5c2adea0831057b13bac8bb8506b1099354e083c

SHA256
48c17ac9cd6f9af5c7527be3342f3d633138b23819462b358afa2580a61f5d7f

SHA512
3307a6e29b1e30ba6003ab5eb604d0e80e2917a58b03654df30a3031e11b466e25280d90b1b3673f48361325f53ff3948817561991542faed04ce73f4aed107a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

Filesize
222B

MD5
b30f5452a0e9ead4601afb6c4b359a21

SHA1
726a27b17ed8fdcc14fb879e109ed4cd93a43d4d

SHA256
88ee5de92a44ccbd3541d6571f88802e92d30434c6e5bd316b5ed15ae481d547

SHA512
f9993ffadfc684750c004f86c459648f0f4db1808358397b658f766d218457468e5a352926f9bc117275afe2007604c1ba2182c148a2862b6f6d50e45322ee50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
222B

MD5
cb4730c4ef06eabed5b915c3a2397c31

SHA1
ea4b899ad2f39b5c5e75aa1eac953d4cf7d05f66

SHA256
98642f8b4a2ab84c8d2b6e32c24a278240640e2071ebe022fb7775ea020f2196

SHA512
faa086a91a03c4089941f8d36d38d4d7f4c64f54ad01ac5edbd5d42026284bca35a1539417e35619efb9d3716cab4e10dedbc21ff241cc133cffbdb251f2de4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

Filesize
222B

MD5
83a9a44ff631988eeb91b2c93168708e

SHA1
25d1ab3b18c981499cc354afc61190350645026c

SHA256
a68b748b5e878ee44218e859e9d85f25ff88a17cdde7fe90acb529e71c72490b

SHA512
6759e475f897580b9882f170f1da60d780ee40131a31bc28a8cf4f8228398a3ff95ba700197d119fc3a87b506552b8489766798464e8d306a9d9cb8de2fd9aff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d6506cc6991846f27211e9947f817454

SHA1
3c89bfce4e1dedab1704e373ca823e658ae5324a

SHA256
1b2c03d56182c975a277887a76956cb2e967b5f66fb8de16b35a597259efa1b0

SHA512
bd15d73ac1b3775399ee04c4e96fbe99cc9012f0177b524c8ba82b24ccf22c0a0df560390cdd6827692fb8c44cb758c7d4e1f07430275c904516a04afc20b0b4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1872-163-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1872-162-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/2360-400-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/2372-222-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2400-639-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2648-75-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2688-520-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/2688-519-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2812-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2812-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2812-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2812-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2812-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/2948-74-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download