dcrat | 9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e

Analysis

max time kernel
140s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e.exe
Size

1.3MB
MD5

fa4a857146420cebde2c9e33618585ce
SHA1

0409259991dbd699a00cd15d5aa21b44d6b00892
SHA256

9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e
SHA512

f7b703f216b6307e9d399a4482e27351277be8194d0570ab09466dad0169c951084bb535105e66364a165e8bcff868c1dbff02d4eda7c773644551c2e70e6a85
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2348	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2348	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016031-9.dat	dcrat
behavioral1/memory/2340-13-0x0000000000C90000-0x0000000000DA0000-memory.dmp	dcrat
behavioral1/memory/2960-62-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/3952-222-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat
behavioral1/memory/3168-283-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/2040-343-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2044-758-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
2752	powershell.exe
628	powershell.exe
544	powershell.exe
2596	powershell.exe
1484	powershell.exe
2344	powershell.exe
2928	powershell.exe
1892	powershell.exe
2624	powershell.exe
2020	powershell.exe
1316	powershell.exe
2828	powershell.exe
2612	powershell.exe
2676	powershell.exe
2216	powershell.exe
2064	powershell.exe
1860	powershell.exe
1184	powershell.exe
2868	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2340	DllCommonsvc.exe
2960	spoolsv.exe
3952	spoolsv.exe
3168	spoolsv.exe
2040	spoolsv.exe
1448	spoolsv.exe
2020	spoolsv.exe
2576	spoolsv.exe
3100	spoolsv.exe
1640	spoolsv.exe
1472	spoolsv.exe
2044	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	cmd.exe
2320	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1732	schtasks.exe
2736	schtasks.exe
2808	schtasks.exe
836	schtasks.exe
1576	schtasks.exe
1704	schtasks.exe
1660	schtasks.exe
876	schtasks.exe
2180	schtasks.exe
1752	schtasks.exe
2024	schtasks.exe
2172	schtasks.exe
1620	schtasks.exe
2600	schtasks.exe
2044	schtasks.exe
636	schtasks.exe
1696	schtasks.exe
2568	schtasks.exe
1612	schtasks.exe
2308	schtasks.exe
704	schtasks.exe
2668	schtasks.exe
1992	schtasks.exe
1048	schtasks.exe
2660	schtasks.exe
2364	schtasks.exe
2928	schtasks.exe
2296	schtasks.exe
1768	schtasks.exe
1388	schtasks.exe
1928	schtasks.exe
2200	schtasks.exe
3016	schtasks.exe
2292	schtasks.exe
2000	schtasks.exe
2188	schtasks.exe
2644	schtasks.exe
2628	schtasks.exe
1092	schtasks.exe
2168	schtasks.exe
2720	schtasks.exe
1776	schtasks.exe
1112	schtasks.exe
1376	schtasks.exe
2388	schtasks.exe
2688	schtasks.exe
1680	schtasks.exe
1580	schtasks.exe
1804	schtasks.exe
2072	schtasks.exe
1700	schtasks.exe
2860	schtasks.exe
2620	schtasks.exe
2940	schtasks.exe
752	schtasks.exe
1852	schtasks.exe
2436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2340	DllCommonsvc.exe
2676	powershell.exe
2596	powershell.exe
2644	powershell.exe
2624	powershell.exe
544	powershell.exe
2064	powershell.exe
2928	powershell.exe
1484	powershell.exe
1892	powershell.exe
1184	powershell.exe
2752	powershell.exe
2868	powershell.exe
1316	powershell.exe
2344	powershell.exe
628	powershell.exe
2020	powershell.exe
2216	powershell.exe
1860	powershell.exe
2828	powershell.exe
2960	spoolsv.exe
2612	powershell.exe
3952	spoolsv.exe
3168	spoolsv.exe
2040	spoolsv.exe
1448	spoolsv.exe
2020	spoolsv.exe
2576	spoolsv.exe
3100	spoolsv.exe
1640	spoolsv.exe
1472	spoolsv.exe
2044	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	DllCommonsvc.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2960	spoolsv.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	3952	spoolsv.exe
Token: SeDebugPrivilege	3168	spoolsv.exe
Token: SeDebugPrivilege	2040	spoolsv.exe
Token: SeDebugPrivilege	1448	spoolsv.exe
Token: SeDebugPrivilege	2020	spoolsv.exe
Token: SeDebugPrivilege	2576	spoolsv.exe
Token: SeDebugPrivilege	3100	spoolsv.exe
Token: SeDebugPrivilege	1640	spoolsv.exe
Token: SeDebugPrivilege	1472	spoolsv.exe
Token: SeDebugPrivilege	2044	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2532	1152	JaffaCakes118_9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e.exe	30
PID 1152 wrote to memory of 2532	1152	JaffaCakes118_9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e.exe	30
PID 1152 wrote to memory of 2532	1152	JaffaCakes118_9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e.exe	30
PID 1152 wrote to memory of 2532	1152	JaffaCakes118_9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e.exe	30
PID 2532 wrote to memory of 2320	2532	WScript.exe	31
PID 2532 wrote to memory of 2320	2532	WScript.exe	31
PID 2532 wrote to memory of 2320	2532	WScript.exe	31
PID 2532 wrote to memory of 2320	2532	WScript.exe	31
PID 2320 wrote to memory of 2340	2320	cmd.exe	33
PID 2320 wrote to memory of 2340	2320	cmd.exe	33
PID 2320 wrote to memory of 2340	2320	cmd.exe	33
PID 2320 wrote to memory of 2340	2320	cmd.exe	33
PID 2340 wrote to memory of 2828	2340	DllCommonsvc.exe	93
PID 2340 wrote to memory of 2828	2340	DllCommonsvc.exe	93
PID 2340 wrote to memory of 2828	2340	DllCommonsvc.exe	93
PID 2340 wrote to memory of 2612	2340	DllCommonsvc.exe	94
PID 2340 wrote to memory of 2612	2340	DllCommonsvc.exe	94
PID 2340 wrote to memory of 2612	2340	DllCommonsvc.exe	94
PID 2340 wrote to memory of 2676	2340	DllCommonsvc.exe	95
PID 2340 wrote to memory of 2676	2340	DllCommonsvc.exe	95
PID 2340 wrote to memory of 2676	2340	DllCommonsvc.exe	95
PID 2340 wrote to memory of 2752	2340	DllCommonsvc.exe	96
PID 2340 wrote to memory of 2752	2340	DllCommonsvc.exe	96
PID 2340 wrote to memory of 2752	2340	DllCommonsvc.exe	96
PID 2340 wrote to memory of 1860	2340	DllCommonsvc.exe	97
PID 2340 wrote to memory of 1860	2340	DllCommonsvc.exe	97
PID 2340 wrote to memory of 1860	2340	DllCommonsvc.exe	97
PID 2340 wrote to memory of 2216	2340	DllCommonsvc.exe	98
PID 2340 wrote to memory of 2216	2340	DllCommonsvc.exe	98
PID 2340 wrote to memory of 2216	2340	DllCommonsvc.exe	98
PID 2340 wrote to memory of 1484	2340	DllCommonsvc.exe	99
PID 2340 wrote to memory of 1484	2340	DllCommonsvc.exe	99
PID 2340 wrote to memory of 1484	2340	DllCommonsvc.exe	99
PID 2340 wrote to memory of 2344	2340	DllCommonsvc.exe	100
PID 2340 wrote to memory of 2344	2340	DllCommonsvc.exe	100
PID 2340 wrote to memory of 2344	2340	DllCommonsvc.exe	100
PID 2340 wrote to memory of 2928	2340	DllCommonsvc.exe	101
PID 2340 wrote to memory of 2928	2340	DllCommonsvc.exe	101
PID 2340 wrote to memory of 2928	2340	DllCommonsvc.exe	101
PID 2340 wrote to memory of 628	2340	DllCommonsvc.exe	102
PID 2340 wrote to memory of 628	2340	DllCommonsvc.exe	102
PID 2340 wrote to memory of 628	2340	DllCommonsvc.exe	102
PID 2340 wrote to memory of 544	2340	DllCommonsvc.exe	103
PID 2340 wrote to memory of 544	2340	DllCommonsvc.exe	103
PID 2340 wrote to memory of 544	2340	DllCommonsvc.exe	103
PID 2340 wrote to memory of 1892	2340	DllCommonsvc.exe	104
PID 2340 wrote to memory of 1892	2340	DllCommonsvc.exe	104
PID 2340 wrote to memory of 1892	2340	DllCommonsvc.exe	104
PID 2340 wrote to memory of 2624	2340	DllCommonsvc.exe	105
PID 2340 wrote to memory of 2624	2340	DllCommonsvc.exe	105
PID 2340 wrote to memory of 2624	2340	DllCommonsvc.exe	105
PID 2340 wrote to memory of 2020	2340	DllCommonsvc.exe	106
PID 2340 wrote to memory of 2020	2340	DllCommonsvc.exe	106
PID 2340 wrote to memory of 2020	2340	DllCommonsvc.exe	106
PID 2340 wrote to memory of 1184	2340	DllCommonsvc.exe	107
PID 2340 wrote to memory of 1184	2340	DllCommonsvc.exe	107
PID 2340 wrote to memory of 1184	2340	DllCommonsvc.exe	107
PID 2340 wrote to memory of 1316	2340	DllCommonsvc.exe	108
PID 2340 wrote to memory of 1316	2340	DllCommonsvc.exe	108
PID 2340 wrote to memory of 1316	2340	DllCommonsvc.exe	108
PID 2340 wrote to memory of 2596	2340	DllCommonsvc.exe	109
PID 2340 wrote to memory of 2596	2340	DllCommonsvc.exe	109
PID 2340 wrote to memory of 2596	2340	DllCommonsvc.exe	109
PID 2340 wrote to memory of 2644	2340	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a54956cf92d5048e6623cc5519a146fdd5bf27f99b467d87216139bcfb4fd7e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
        6⤵
        
        PID:3880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3924
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
        8⤵
        
        PID:564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3108
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
        10⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3348
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        12⤵
        
        PID:956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3364
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        14⤵
        
        PID:3572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3604
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        16⤵
        
        PID:3812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3840
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        18⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:884
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        20⤵
        
        PID:3428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3344
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
        22⤵
        
        PID:3448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3452
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat"
        24⤵
        
        PID:3308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1148
        
        C:\Program Files (x86)\Windows Mail\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Mail\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellNew\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea8994284668793770647151139fff9f

SHA1
75f91ef54e134a28d6a3d99d06de68edc4fe7496

SHA256
38e669f1bf4ea3a06c079980498a6917087f147bec26d54a024a93ea77c06199

SHA512
4041581002a3871c9dc7d4a8c5298931578bb8a07fd5c51233e5bdd2d1d9b57cf8cfba1f4620ed41a38e4703fe13b327033796d274de898ffa3a7013cf627646

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0809e870fc1e0c208bf0a1aeb7827c91

SHA1
cc45bfdccd45fc87d07b64866a8922684bb76695

SHA256
4d9d0bc5ffec9d38f361a6dc5036fe6fd4ed32781a6f3a16f4cf459efa83de7d

SHA512
5971ee813702b28a8ea6cb6d8ae0bb7a2a657cf4467a78ffb4e1fc974ce2ae2f67f9d8750b6905e113602d9b275bc6d4988ef8c31e2d2ff66b887e56640148af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbb8eb280c2bae2ccefb02df9da1ea46

SHA1
f3427a55896c3ba9178f8b69934062df33581e86

SHA256
71f2197605614291c36e6c163bf4f2f4f405f0b7b01b8d44493f20bb63630fe1

SHA512
448f2fcf91a564fb67425c9514d4c8541ed3fc873a0fdbdb9ebcf9a2f5d3c007041af293bc94555c5db4b673a1d672a4e47a048becd11a039fcf5a1f0547a1c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5496cc3ad7a03aa88b38bd03dcc56951

SHA1
3921a44b26f3c95e9461d6fc60f7bf0714be0e7d

SHA256
a77f30edaf0e03dacebee72f0121c5ff83d8747574effb9de205481d3fc96165

SHA512
5947ebb06be581a09fac8fd61f718be3fd18b92e1f79873872d92229b559d1a6c70c9640d3603bbd52e483b414d4a15a438b7003ce55c5440bc1f98248e8aa74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07c4a3704c343fad464f70dbbe6f68a5

SHA1
dc1170021585c77a8fc37c285172866d56e98d4a

SHA256
a5c7fdf4904308be98c1633c8518874e18062c48d469153070f4b2889ff8a2f3

SHA512
037bc8252e7da5a6794252b4fd4174ccd20c47d36a0426bf902f541ec108d6dbc3187eb39eaff6a2533edaa2ae1439a49e43ffcf68a85a0b3c0bd767aa3a5b4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66a8913a819fb30679cb884986b1096d

SHA1
e05c33b15ebd3aff0042e2897a123ed269d229f7

SHA256
1e22129d2ec6a3bd6232ada20267e3b61fff7749893afdb39163d1af1304a87f

SHA512
bb05b9e9b1c322abeee2138ba96b196d88af685f5a8236f86e1337470b639924fa357966edbe2c6c208bfcccebd9e4e0564e55e19f49524410237c93bd6fa6ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
549fc5fa5935993ab68884a39fbb4886

SHA1
b11fabb5af48a43a5dd91e0fdc8a4a039ac7412e

SHA256
de49f96f1e1ea7dab2459cbb0cdeb9e7a4ba72cc4b65451c7a6b236076069363

SHA512
4288fef5bd63d883fb39e1d47fc0f27cb3669e2e4a7f046eacfd704a2e5eb956f2450edd6bae3ca81df248466e2392cb88588e90963f2c92e4e5874efbd6d10b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad7565a2e41ad5bbefd1c5881a41b9d2

SHA1
1adb60fb71512fe5dd12aef30d817ee8d3d5c672

SHA256
ffe755827e831917c7424d57f9b4344fa9ef096bd77709598ea51a7cdb1a5a4a

SHA512
8d43b7bbf0d2334e98327cfb0b7c41734369e348948b3d0e2844cbbe09d8a9ac98dc9768852b0505570a9118809ebe3eab9ddc327e94ff4e6420453c4b843194

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41330ed8a0eb68c3c50154aafa9f86a8

SHA1
c1bca28bd0a3bb6d95feaadc9b945500ba6e348f

SHA256
2909973f136fc1b4ad3e481919dffa0f5e33d0775253c71094ba86b36aeec366

SHA512
af9e83e0867b9ad69bb99b1ed2e6321cff3c716594b2e8ed2fd49519fa555e1eb4973de04f839a9326db57a04b3dbb2be03b8ec5f49774b4e0d8b1701d593ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
212B

MD5
3172e63cf421eb227a146773f46cb330

SHA1
727c669306db6f48b64d41e49748401fcf85c997

SHA256
5945644c2bf0e20c142fe05177ad07bd7280ea8e961934055eb69ef879048dc6

SHA512
429fdb4d18571e36bb682762e6fb9211ec6e29c35833efba6761597a313619fa8ec891a0eac9f8cb5e0341a95d8dedfb4eb73767994aef765dde70b9e813e7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

Filesize
212B

MD5
700d6fff32a2fc87010127f021130c38

SHA1
f0cd006e1db8e275ab9c58de753e176247384019

SHA256
941d590ea15c036e14438eb38c9b5ff3e7fc0028bece63a26b3da9ab3392a2cc

SHA512
c1eeb9f0b6e247dcda052cdfdf4682e3bfaea8a5316e6b093ed392447e84ee97436d4fbde66765ee23491f36f3502ceb163e12261001e66cc0478bd321c9b084

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEABE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat

Filesize
212B

MD5
249554e0a2bd669ad420a1817e79b744

SHA1
d7b354fe1ce4b2e12ccffd91dedd314756b03bfa

SHA256
66fa3c6cda79e9a5229d16f0c3147d49d46f28c5e7a9cc687dd18be6303712ea

SHA512
6594d21429934feff4c95d6fa1bf893726bc25848f450e05b956130884e1034267da2a33b0245e248c4383b529de9d1e426218f0971f3fff941a797f9748fd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
212B

MD5
74e7836a734c2ad4ec4e54b08583f847

SHA1
26355fc60d892ad073f8f69675b23acca84dbeeb

SHA256
1817cc4935451d62ae870a87ad899c9a306bb7a11acb5bb5566e2c28ea787bbc

SHA512
f64d51dfe70521183d62fe8849b3e6a439bc052f66005566a9504e21029a9e37ade090725984705572427c2b80287feeff00271117f5b450c796e66c38325bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAD1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
212B

MD5
ca252cdba838223f2e83d46b253438c7

SHA1
fdcb197638a175163c5836af98a0368df07005d8

SHA256
7f4a8756632cf8168b17c901dc26de7f298e658af9ccf2afe0f90b7294356a1d

SHA512
50db685b18e16f0a8d7ba93aeb9e3ff83717e4bf2116c212495389d83f2b2245ed97d127f83611d8de676ff795f7bc45fbdf82042ffe3cba8482960849d386c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat

Filesize
212B

MD5
5680292d49db6172aee1f46d4ca7c677

SHA1
b1efc1c543f0a06ba069745e3bc25ab9344f0fba

SHA256
7da844a4c90e17972b1f059c37501a7f8a501bc2f98eeaaa10aba9e2fb08c592

SHA512
c997e15b5a2bb869e08bc304c6eff4adae10e3527730d5bd7d4d884131a630f9146395172ac4f94a432933e49fce62b3b18ca72f01f5cba560c631faef9e1127

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
212B

MD5
1c5f7870e34c5f957c66a036989b628d

SHA1
016f72970ab0cb87d59a74d455e30429d8bd1a49

SHA256
4bd1c403856f73f4dc8e4ca881a5f23ba7a9cc9cc4d81ba7aae0a0431e383881

SHA512
44504e65191e6bf274b731752c6754716f11a6eb5556478d271aaa0c01ef762f52d0368ce9145122854da21bdfd73377a4c0c781882bf95a21207795ff571fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
212B

MD5
254bc69b3fc2e98b5b03197b65b19bfb

SHA1
029d9a7b31570216f548a99f0de455875cfe4382

SHA256
b2978d2e769e2335492a211268c9812b2218381f0bbfe6a36d824e2f3113932f

SHA512
064c5494a46eadcc64c50524d8058e82662ab829d1250f326596d44786728eb198d9bc1553591540b4d0645a67ac98d7f242ec19e194e764978d5bc7f37ac129

Download Submit
C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat

Filesize
212B

MD5
fc9a5c67eb4508f2d022b21844e6c673

SHA1
a069f403ea80019d2f8570843530d2bcbee3a8ff

SHA256
bc64a33fb77925099dc13a2584fc0d3e5b6ec48464a721915e89afbcee9071b6

SHA512
50a865fbd7420a69edf2ec929560fbd9e5a2acf948f8235650b730a03879d00c7f29d7ac1990f08a0da58da2c1ded03823ad71ab1a1fd5ee0d7521f2a0bde79f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0f7ec4afaf8cba1832e882a1b355287e

SHA1
19c580f0836a70b058d8fed6ddc9ce368931bd47

SHA256
7768987dc71f8bddd07d8e7c1507981c8a19afc052b8037cf4ac7f4b19a2c1cf

SHA512
8f47cbc2d76883cc02c34d33116554529283b988cb7fa01341f5dab6293efc71945bee21a2d625ddc85102ab5595cdaa8bb1f0021b3690da296fab645d8b1cf1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/2040-343-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2044-758-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2340-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2340-16-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2340-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2340-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2340-13-0x0000000000C90000-0x0000000000DA0000-memory.dmp

Filesize
1.1MB

Download
memory/2644-73-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2676-93-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2960-62-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/3100-580-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/3168-283-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/3952-223-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/3952-222-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download