dcrat | 91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1.exe
Size

1.3MB
MD5

4e4056a4773db485eb6ad1545f4575ac
SHA1

c34b37b29204dcd175e3241f37f4d30ef0e2dd9e
SHA256

91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1
SHA512

3bc8ab8a97a987ad77e58996e5eb0fb930e876f26115eaeb0f29f124f41383031287b5cc8fdd86c85b97c3559c10400cb5f690d78d135cd0311cffa04a57647c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2492	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2492	schtasks.exe	33

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018b62-12.dat	dcrat
behavioral1/memory/2688-13-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/1688-149-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2056-445-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/1656-624-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/3028-684-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2520	powershell.exe
624	powershell.exe
2300	powershell.exe
2064	powershell.exe
2568	powershell.exe
2488	powershell.exe
1892	powershell.exe
2496	powershell.exe
2476	powershell.exe
1124	powershell.exe
1272	powershell.exe
2672	powershell.exe
864	powershell.exe
2644	powershell.exe
2272	powershell.exe
2056	powershell.exe
2616	powershell.exe
2024	powershell.exe
1036	powershell.exe
2408	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2688	DllCommonsvc.exe
1688	dwm.exe
2056	dwm.exe
2812	dwm.exe
2212	dwm.exe
2904	dwm.exe
2056	dwm.exe
1096	dwm.exe
756	dwm.exe
1656	dwm.exe
3028	dwm.exe
2872	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2592	cmd.exe
2592	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\dwm.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Icons\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Media\Landscape\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Landscape\56085415360792	DllCommonsvc.exe
File created	C:\Windows\PLA\Rules\ja-JP\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Rules\ja-JP\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2040	schtasks.exe
2816	schtasks.exe
1212	schtasks.exe
1016	schtasks.exe
2264	schtasks.exe
2228	schtasks.exe
2004	schtasks.exe
920	schtasks.exe
2224	schtasks.exe
2608	schtasks.exe
1228	schtasks.exe
1972	schtasks.exe
2216	schtasks.exe
2396	schtasks.exe
2848	schtasks.exe
2184	schtasks.exe
1676	schtasks.exe
824	schtasks.exe
1684	schtasks.exe
1424	schtasks.exe
2132	schtasks.exe
2380	schtasks.exe
1932	schtasks.exe
1604	schtasks.exe
1292	schtasks.exe
1896	schtasks.exe
1916	schtasks.exe
1136	schtasks.exe
356	schtasks.exe
1820	schtasks.exe
1884	schtasks.exe
2428	schtasks.exe
2632	schtasks.exe
1548	schtasks.exe
2460	schtasks.exe
2116	schtasks.exe
2356	schtasks.exe
1660	schtasks.exe
3024	schtasks.exe
1356	schtasks.exe
2308	schtasks.exe
2556	schtasks.exe
1764	schtasks.exe
2256	schtasks.exe
2084	schtasks.exe
1524	schtasks.exe
2624	schtasks.exe
2604	schtasks.exe
2512	schtasks.exe
1100	schtasks.exe
1680	schtasks.exe
2828	schtasks.exe
488	schtasks.exe
2104	schtasks.exe
2932	schtasks.exe
1232	schtasks.exe
776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2688	DllCommonsvc.exe
2688	DllCommonsvc.exe
2688	DllCommonsvc.exe
2300	powershell.exe
2496	powershell.exe
2056	powershell.exe
2272	powershell.exe
2644	powershell.exe
624	powershell.exe
1036	powershell.exe
2520	powershell.exe
2064	powershell.exe
864	powershell.exe
1124	powershell.exe
2616	powershell.exe
2672	powershell.exe
2476	powershell.exe
2488	powershell.exe
1892	powershell.exe
1272	powershell.exe
2568	powershell.exe
2024	powershell.exe
2408	powershell.exe
1688	dwm.exe
2056	dwm.exe
2812	dwm.exe
2212	dwm.exe
2904	dwm.exe
2056	dwm.exe
1096	dwm.exe
756	dwm.exe
1656	dwm.exe
3028	dwm.exe
2872	dwm.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	DllCommonsvc.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1688	dwm.exe
Token: SeDebugPrivilege	2056	dwm.exe
Token: SeDebugPrivilege	2812	dwm.exe
Token: SeDebugPrivilege	2212	dwm.exe
Token: SeDebugPrivilege	2904	dwm.exe
Token: SeDebugPrivilege	2056	dwm.exe
Token: SeDebugPrivilege	1096	dwm.exe
Token: SeDebugPrivilege	756	dwm.exe
Token: SeDebugPrivilege	1656	dwm.exe
Token: SeDebugPrivilege	3028	dwm.exe
Token: SeDebugPrivilege	2872	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 3008	1056	JaffaCakes118_91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1.exe	29
PID 1056 wrote to memory of 3008	1056	JaffaCakes118_91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1.exe	29
PID 1056 wrote to memory of 3008	1056	JaffaCakes118_91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1.exe	29
PID 1056 wrote to memory of 3008	1056	JaffaCakes118_91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1.exe	29
PID 3008 wrote to memory of 2592	3008	WScript.exe	30
PID 3008 wrote to memory of 2592	3008	WScript.exe	30
PID 3008 wrote to memory of 2592	3008	WScript.exe	30
PID 3008 wrote to memory of 2592	3008	WScript.exe	30
PID 2592 wrote to memory of 2688	2592	cmd.exe	32
PID 2592 wrote to memory of 2688	2592	cmd.exe	32
PID 2592 wrote to memory of 2688	2592	cmd.exe	32
PID 2592 wrote to memory of 2688	2592	cmd.exe	32
PID 2688 wrote to memory of 2672	2688	DllCommonsvc.exe	91
PID 2688 wrote to memory of 2672	2688	DllCommonsvc.exe	91
PID 2688 wrote to memory of 2672	2688	DllCommonsvc.exe	91
PID 2688 wrote to memory of 2616	2688	DllCommonsvc.exe	92
PID 2688 wrote to memory of 2616	2688	DllCommonsvc.exe	92
PID 2688 wrote to memory of 2616	2688	DllCommonsvc.exe	92
PID 2688 wrote to memory of 2476	2688	DllCommonsvc.exe	93
PID 2688 wrote to memory of 2476	2688	DllCommonsvc.exe	93
PID 2688 wrote to memory of 2476	2688	DllCommonsvc.exe	93
PID 2688 wrote to memory of 2520	2688	DllCommonsvc.exe	94
PID 2688 wrote to memory of 2520	2688	DllCommonsvc.exe	94
PID 2688 wrote to memory of 2520	2688	DllCommonsvc.exe	94
PID 2688 wrote to memory of 2496	2688	DllCommonsvc.exe	95
PID 2688 wrote to memory of 2496	2688	DllCommonsvc.exe	95
PID 2688 wrote to memory of 2496	2688	DllCommonsvc.exe	95
PID 2688 wrote to memory of 864	2688	DllCommonsvc.exe	96
PID 2688 wrote to memory of 864	2688	DllCommonsvc.exe	96
PID 2688 wrote to memory of 864	2688	DllCommonsvc.exe	96
PID 2688 wrote to memory of 2488	2688	DllCommonsvc.exe	97
PID 2688 wrote to memory of 2488	2688	DllCommonsvc.exe	97
PID 2688 wrote to memory of 2488	2688	DllCommonsvc.exe	97
PID 2688 wrote to memory of 1892	2688	DllCommonsvc.exe	98
PID 2688 wrote to memory of 1892	2688	DllCommonsvc.exe	98
PID 2688 wrote to memory of 1892	2688	DllCommonsvc.exe	98
PID 2688 wrote to memory of 2024	2688	DllCommonsvc.exe	99
PID 2688 wrote to memory of 2024	2688	DllCommonsvc.exe	99
PID 2688 wrote to memory of 2024	2688	DllCommonsvc.exe	99
PID 2688 wrote to memory of 1036	2688	DllCommonsvc.exe	100
PID 2688 wrote to memory of 1036	2688	DllCommonsvc.exe	100
PID 2688 wrote to memory of 1036	2688	DllCommonsvc.exe	100
PID 2688 wrote to memory of 2644	2688	DllCommonsvc.exe	101
PID 2688 wrote to memory of 2644	2688	DllCommonsvc.exe	101
PID 2688 wrote to memory of 2644	2688	DllCommonsvc.exe	101
PID 2688 wrote to memory of 2408	2688	DllCommonsvc.exe	102
PID 2688 wrote to memory of 2408	2688	DllCommonsvc.exe	102
PID 2688 wrote to memory of 2408	2688	DllCommonsvc.exe	102
PID 2688 wrote to memory of 2064	2688	DllCommonsvc.exe	103
PID 2688 wrote to memory of 2064	2688	DllCommonsvc.exe	103
PID 2688 wrote to memory of 2064	2688	DllCommonsvc.exe	103
PID 2688 wrote to memory of 624	2688	DllCommonsvc.exe	104
PID 2688 wrote to memory of 624	2688	DllCommonsvc.exe	104
PID 2688 wrote to memory of 624	2688	DllCommonsvc.exe	104
PID 2688 wrote to memory of 2272	2688	DllCommonsvc.exe	105
PID 2688 wrote to memory of 2272	2688	DllCommonsvc.exe	105
PID 2688 wrote to memory of 2272	2688	DllCommonsvc.exe	105
PID 2688 wrote to memory of 2568	2688	DllCommonsvc.exe	106
PID 2688 wrote to memory of 2568	2688	DllCommonsvc.exe	106
PID 2688 wrote to memory of 2568	2688	DllCommonsvc.exe	106
PID 2688 wrote to memory of 2056	2688	DllCommonsvc.exe	107
PID 2688 wrote to memory of 2056	2688	DllCommonsvc.exe	107
PID 2688 wrote to memory of 2056	2688	DllCommonsvc.exe	107
PID 2688 wrote to memory of 2300	2688	DllCommonsvc.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91e16205646264a302d3f717c2765a2cab44e9ca10b09d50e5430d184c4f2de1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Landscape\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Rules\ja-JP\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHLYPpESGR.bat"
        5⤵
        
        PID:1908
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1944
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat"
        7⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2656
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
        9⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2284
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
        11⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2216
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"
        13⤵
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2176
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        15⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1740
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        17⤵
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1892
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"
        19⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1424
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
        21⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1200
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        23⤵
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2164
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
        25⤵
        
        PID:296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1680
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Landscape\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Landscape\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Rules\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Rules\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Templates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f77e525f2d199adf3fabd1bf56e6e51

SHA1
e1731226cf29ec5037aef95d66fe8cbea980cf90

SHA256
9837d18e473392738068ffb1b43d7fec4c8b2fb345a0dd668bf84ec01c9ad628

SHA512
de0ea07482f9e724397b13ef4274d2bb241930d1abd5a9544384c21b5d8555622503b9ab34c4cefd4985a24b028b1a2152ff1b74b940d8d77842d6d074546ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66cc8a25e2660df32d5e11517e02d8b6

SHA1
a530e4e1fc3588e9a7c8eecf96ef605d3bc87e6b

SHA256
cb1118dd048120b827b942eb2a46e776abc2cf726fccca96233d5054dda37bca

SHA512
a9a3b731b22bea644816886ea98cd9e22cd6296667e71eaf7879d06261322c3ecd170d92b467d2cb12a854d9149eede8c028197eac54bc7551796caee88ed136

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
337e066a33feb154305d485c2452a0d7

SHA1
fd62ce958b8cbd05eb8c969dd048521d85e2e956

SHA256
05c741d2232b4448b814007c8bdfa8599e46f8f19ba514f5bcadb2b1b4dd67c3

SHA512
29c5484584094d3d920ab8c52cacea8511b504028347cd4992c50aeb174db68128c40c770b58337d3a4f1e9a55af25bedd8d2fb08e327483e129608bc8953b8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0eb03e33606840f7ab03028545d8747

SHA1
7070388b4cd7a2d9702635df8f72ea777bbcd1c8

SHA256
c8288cd55f0be6987ba59592cbdd98b4ce71702d465b52c1d039620661b6a658

SHA512
4ff186df0206b736189e1616923bdb1aab234f63d9a3a0615e39b0bd1023e68e98c423763f0933f0647da0cb58e75d3955aeb394623344b53b258ae8a0bf2708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4494a76f4f96caca2a2842b849f37292

SHA1
9e8cd7e11b48183667fe5ef218e5ab8f4d3ad260

SHA256
ac286cff67fee7afae9bd0640811103c3d3bd2f52edf907c5b84492ab8c36869

SHA512
343f4d682d89635d0c353511970528964b5b37ca420f46ae4b01531eecec412939c68815253d7a67d54c603af76f404acaf2366815826a381845618990b3f08c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
969697085c01eb77662c1a4f6c875b5c

SHA1
c2c68d793cf0747fb8747fdc6bc22a85c0aac47d

SHA256
1607c12489569f1d4bddb36b73b315be9d68a278f9e6c3036d5a261bc9e78bc7

SHA512
480fd36e0a434b4558f9e5f06c6b08e9453927170ece1733eaef4702757dc81efa6e45b9c33afc9110d31f0875168321a41dab43a70c1a044f3411302595a111

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35d4a450b885db6734ae2b0c9da63a99

SHA1
924a7b6b61f9b5f37251c8391fee733ef7b724f3

SHA256
7f55e5c98d5b0a0f0ef6af7707643350a3f175154d3c7a6cae6e8e7bb1377605

SHA512
e55602661e278f9a31104c16f7e4ba5e70524247c3e6dee5765cca5fd1e05c8d987a3a3ff69a7cb7bde0614244464efde812cfe44e7cb93ab15c93fcf874fb34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
faf4127b3ea3657638910ba59ba9cf88

SHA1
da934253976cc884d332a1b9608adb547ece1dce

SHA256
da2ba38ddf8d219d2d6b115d80bbc29b7515d378ad7be35216244029a6dad76b

SHA512
898e563f8d02cdd05ac1b6a9bf84fc24d2a7fc785d529824f528f09b67631a009e90c0a8d7ab4bc3d8dbdb4adf8ced5a245600a545214e238a2c39df07eaf107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ec8cb2fd5e8b609b4195506913dd039

SHA1
8931e89e1d518e91aba253afc6c5e48fa80d119e

SHA256
33b44ecac2ffad0ea796b9462a5ce3c52e5bc5fe2caa583bbf9c772e76e05a36

SHA512
83dc84b1f7a5799815c781fa4bda5e7a47523ec69d50ecd132fc1b732e7f99fe2daeaf0221cd717c41d3003c767382c6db6dc687b4693fcba274f100e1ced158

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat

Filesize
221B

MD5
0097f057d4c06df547b1f9bfafa8de06

SHA1
222f71e49f637dc185bfe529d19fc3d8df8f1a23

SHA256
4ae9f6e24e46c4933fadb0b00a3eb37e39b55b52efdd2fabe0e152f3b73a21c1

SHA512
8b21d751c0c9f7bc5c6fb63779b17512c65908fdd177c2fbd1e77242b450c18431d6564a7eed9e02f05d3a70e5aa6a6428c376af6ba067db916e77678c1cad33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat

Filesize
221B

MD5
17a88a3f68a2d4acbd42b8380729be2d

SHA1
f3bf73da3d93a10453a4d4ce9ca50803f055c3c4

SHA256
113a874f5086434fef1ca49a66ec91a69c66320238e66a9f89fcdda3316ce4fe

SHA512
6569af8c20704c4d70b3e16ff52a8b24837e3c5392b8c57a01a34fe4c765d21262c08dea50d7d754808fd9d9f440569ad32d164fc090d79c90095f86c83f44a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
221B

MD5
1a3b851fe66b0344f35c2638321144fd

SHA1
eb8bef5373817eebb9e5d831fa5924e1f6a618de

SHA256
4c0ad4ce82efe8c01c62bbb2659d5f60e2d7ceae0164dd02452e57790600a392

SHA512
c367f4dd1fdc9c9f67f8ea6c9c126c998d5741415f630297a13a2304a2b524b0a3ab13670933bccd367f344144cb88400cd0706acb39224083f4b4aba05319e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC535.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
221B

MD5
f4331c2cce7dcfd3f5600dd64d467d55

SHA1
65c7a6eae40a9456f1de85e1d4a2b9c240cbdbc1

SHA256
c6be113e5840687fc61546ff42b824d9dcf2aeed8002d1e3bf27c53c52de2dad

SHA512
ee6afd87515d5810ecd1a791f3f92dd48a7389ac926c2fe18fb073134a7559bad8e8a915076548430be50e18020c0d465756b1d2ed13ec41188de5612106c669

Download Submit
C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat

Filesize
221B

MD5
525d0ce1c6ac85a01ec78b1e38907a72

SHA1
81be1411976caac9e2bdf9acb22ab9fef4dad175

SHA256
ea2605f67f384384e822c17c7756498daf9d72c9323334734e328c4065cec311

SHA512
dd7fa2dd703cf2ec3d10b7522002bc537fcb75dbd7ef02264a1e4e5c87070a772eeec997ad6fc31c5c8c8ca5a3b8e7020409545d7ff40a3aa46a457f30cb4100

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHLYPpESGR.bat

Filesize
221B

MD5
6af37243c068a4f82c3381f1cf1c6ae3

SHA1
af99495c7339cb39587a384f60b81da3cbb08cd6

SHA256
51260f992cbfd6b88750e0b93b4c262e46213b205be7366f409ab7621303b681

SHA512
cf53db7c02696acf424e60f6754eea8e3b000b790fa609e89d489b341c61773f127b8d3e5549f7ff46dbebe3ad206efcae504e0cceac9da1830095e931b82724

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

Filesize
221B

MD5
9e3cc2f5eeb4fbef486974395f53e749

SHA1
196ea859f89c6f7300d6f102fd4bdceeee44473f

SHA256
f3332d6575ea0fb9d15a0233bf390bee3601566ee36ab08dd078a98ed686de68

SHA512
898358fcf71469f60da31a5d4b937ba62803d8b83953fffb01b52681d560ca1c79cc5b89ea692b2d9e47edfa49831fddea97ad610a551f9a0e0ce3a729f8c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

Filesize
221B

MD5
0736adcdd5f87e6d4a6dc266e1ed8acd

SHA1
aee86e4d7a32d9beee3ed19a475740521381329b

SHA256
31cc327002deda83a17f9c098b6d4a7dcc374f03249016fac3cd30a7c2a24412

SHA512
eb9f9aa934f3018c3265d3e70d4692845b029a071acb3ae9e41cf1352331b4bad83f8110ee2398859e932e9ced4ec3568d92d1c598bc89a81e919e4600775fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC547.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
221B

MD5
d9597fd94c4e095c9cd57f156c0e7830

SHA1
8907f0604a4993dd190666f912d92652a4ee210c

SHA256
8be3efd3f022414a1edc9cac2511030e01134b5199c3c1cdb896edea46db5200

SHA512
b6848a3dc109a3729970f678f8def5088a110a5a524fa20f3135cc3222a956a664851c6f72f66e1e506d7385896e62db9be72618f5917abf472cd054b211c86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

Filesize
221B

MD5
c0dfc0a9a020ba1df6402025e47073f8

SHA1
ee80d26f2e0008e377bf96ace4aac614d2328f1d

SHA256
101ad9301d3b453f0c671284056f7fd06403dbca7895d38d637a358722c71d2f

SHA512
9e6c3cfed6c0e11d7b6080834a6fa474b760265e461ba18d10b2ea20f22d6e9070b740862ec62bade9afa19583ff433cf6094dcabe88457b6dbbc5452f98fd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat

Filesize
221B

MD5
af4eea027681b72b38f1f34e76f8b821

SHA1
716166509363783cd9fabf43d63ea94f6d247f16

SHA256
d767a69662d6390ea66229369c9bfba12164035675907a4a222d667ecd3fac49

SHA512
804f27f495c3cab5c5cf2e85711cb71d5f79e19b99c36fbc0b6586195b47ef25bac7f4ffd761753c89003988a86ac0cfad24525666ffc4aae83242ac6b4ec064

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
67e96fb2962c8bb4c153ce9fbbf99384

SHA1
587a9a1fe01a1f6dc0864281d4155e070c1a81a0

SHA256
9ee047a03de91567dbbe7df65f0b64fc56740541b6ee724b07d4164b088282a2

SHA512
25d9f19f8b10a22833e8d0fa3b1e8d9af3c498bff9fbd89bf309ace2afb2d88301553959b029fc6fb944cdded23f16d0fd2ac24299ed1edc1e36856b39da14a9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1096-505-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1656-624-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1688-149-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2056-208-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2056-445-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2300-68-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2300-71-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2688-17-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2688-14-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2688-13-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2688-15-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2688-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/3028-684-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download