dcrat | a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe
Size

1.3MB
MD5

3c652c77f8e5bba7c0f55afce8a4d3f9
SHA1

96c019058b471ef6934d92d2b153d735e7034afa
SHA256

a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af
SHA512

35ce34a4981a532fb7d69a0d9e55510aaf85d76c0dd445afd056d9f6126738047ca2761626e9891508d5e7ea38174931896ec1f76d1ecff4d51f99986fca26ab
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2636	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2636	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016cd7-12.dat	dcrat
behavioral1/memory/3068-13-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/2380-164-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2304-223-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/536-283-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/596-344-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/1000-700-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/1152-760-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2532	powershell.exe
1968	powershell.exe
2000	powershell.exe
1048	powershell.exe
2292	powershell.exe
1324	powershell.exe
2988	powershell.exe
1872	powershell.exe
2288	powershell.exe
3020	powershell.exe
1796	powershell.exe
1332	powershell.exe
2208	powershell.exe
2100	powershell.exe
2812	powershell.exe
1904	powershell.exe
2200	powershell.exe
2476	powershell.exe
2984	powershell.exe
2704	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
3068	DllCommonsvc.exe
2380	Idle.exe
2304	Idle.exe
536	Idle.exe
596	Idle.exe
1508	Idle.exe
2304	Idle.exe
2716	Idle.exe
2488	Idle.exe
1292	Idle.exe
1000	Idle.exe
1152	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2760	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
39	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fr-FR\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\IME\smss.exe	DllCommonsvc.exe
File created	C:\Windows\IME\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Boot\PCAT\tr-TR\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\WmiPrvSE.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1836	schtasks.exe
1788	schtasks.exe
2176	schtasks.exe
2996	schtasks.exe
2524	schtasks.exe
1692	schtasks.exe
2412	schtasks.exe
2004	schtasks.exe
540	schtasks.exe
1496	schtasks.exe
2780	schtasks.exe
1848	schtasks.exe
872	schtasks.exe
2236	schtasks.exe
1544	schtasks.exe
1536	schtasks.exe
1760	schtasks.exe
1860	schtasks.exe
2012	schtasks.exe
708	schtasks.exe
3032	schtasks.exe
1768	schtasks.exe
2880	schtasks.exe
780	schtasks.exe
2080	schtasks.exe
2256	schtasks.exe
1192	schtasks.exe
2932	schtasks.exe
1772	schtasks.exe
2748	schtasks.exe
2744	schtasks.exe
2824	schtasks.exe
2928	schtasks.exe
1880	schtasks.exe
2716	schtasks.exe
888	schtasks.exe
1244	schtasks.exe
568	schtasks.exe
2056	schtasks.exe
2240	schtasks.exe
1592	schtasks.exe
2044	schtasks.exe
2120	schtasks.exe
484	schtasks.exe
2128	schtasks.exe
2472	schtasks.exe
2280	schtasks.exe
2740	schtasks.exe
2368	schtasks.exe
2676	schtasks.exe
1852	schtasks.exe
920	schtasks.exe
2756	schtasks.exe
3004	schtasks.exe
844	schtasks.exe
2364	schtasks.exe
2116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3068	DllCommonsvc.exe
1968	powershell.exe
1332	powershell.exe
2812	powershell.exe
2988	powershell.exe
1904	powershell.exe
2000	powershell.exe
2200	powershell.exe
2288	powershell.exe
2984	powershell.exe
1796	powershell.exe
1872	powershell.exe
2476	powershell.exe
2532	powershell.exe
1048	powershell.exe
3020	powershell.exe
1324	powershell.exe
2208	powershell.exe
2704	powershell.exe
2100	powershell.exe
2292	powershell.exe
2380	Idle.exe
2304	Idle.exe
536	Idle.exe
596	Idle.exe
1508	Idle.exe
2304	Idle.exe
2716	Idle.exe
2488	Idle.exe
1292	Idle.exe
1000	Idle.exe
1152	Idle.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	DllCommonsvc.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2380	Idle.exe
Token: SeDebugPrivilege	2304	Idle.exe
Token: SeDebugPrivilege	536	Idle.exe
Token: SeDebugPrivilege	596	Idle.exe
Token: SeDebugPrivilege	1508	Idle.exe
Token: SeDebugPrivilege	2304	Idle.exe
Token: SeDebugPrivilege	2716	Idle.exe
Token: SeDebugPrivilege	2488	Idle.exe
Token: SeDebugPrivilege	1292	Idle.exe
Token: SeDebugPrivilege	1000	Idle.exe
Token: SeDebugPrivilege	1152	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 2764	308	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe	30
PID 308 wrote to memory of 2764	308	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe	30
PID 308 wrote to memory of 2764	308	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe	30
PID 308 wrote to memory of 2764	308	JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe	30
PID 2764 wrote to memory of 2760	2764	WScript.exe	31
PID 2764 wrote to memory of 2760	2764	WScript.exe	31
PID 2764 wrote to memory of 2760	2764	WScript.exe	31
PID 2764 wrote to memory of 2760	2764	WScript.exe	31
PID 2760 wrote to memory of 3068	2760	cmd.exe	33
PID 2760 wrote to memory of 3068	2760	cmd.exe	33
PID 2760 wrote to memory of 3068	2760	cmd.exe	33
PID 2760 wrote to memory of 3068	2760	cmd.exe	33
PID 3068 wrote to memory of 1048	3068	DllCommonsvc.exe	92
PID 3068 wrote to memory of 1048	3068	DllCommonsvc.exe	92
PID 3068 wrote to memory of 1048	3068	DllCommonsvc.exe	92
PID 3068 wrote to memory of 2532	3068	DllCommonsvc.exe	93
PID 3068 wrote to memory of 2532	3068	DllCommonsvc.exe	93
PID 3068 wrote to memory of 2532	3068	DllCommonsvc.exe	93
PID 3068 wrote to memory of 1968	3068	DllCommonsvc.exe	94
PID 3068 wrote to memory of 1968	3068	DllCommonsvc.exe	94
PID 3068 wrote to memory of 1968	3068	DllCommonsvc.exe	94
PID 3068 wrote to memory of 1904	3068	DllCommonsvc.exe	95
PID 3068 wrote to memory of 1904	3068	DllCommonsvc.exe	95
PID 3068 wrote to memory of 1904	3068	DllCommonsvc.exe	95
PID 3068 wrote to memory of 3020	3068	DllCommonsvc.exe	96
PID 3068 wrote to memory of 3020	3068	DllCommonsvc.exe	96
PID 3068 wrote to memory of 3020	3068	DllCommonsvc.exe	96
PID 3068 wrote to memory of 2292	3068	DllCommonsvc.exe	97
PID 3068 wrote to memory of 2292	3068	DllCommonsvc.exe	97
PID 3068 wrote to memory of 2292	3068	DllCommonsvc.exe	97
PID 3068 wrote to memory of 2200	3068	DllCommonsvc.exe	99
PID 3068 wrote to memory of 2200	3068	DllCommonsvc.exe	99
PID 3068 wrote to memory of 2200	3068	DllCommonsvc.exe	99
PID 3068 wrote to memory of 1796	3068	DllCommonsvc.exe	100
PID 3068 wrote to memory of 1796	3068	DllCommonsvc.exe	100
PID 3068 wrote to memory of 1796	3068	DllCommonsvc.exe	100
PID 3068 wrote to memory of 1332	3068	DllCommonsvc.exe	101
PID 3068 wrote to memory of 1332	3068	DllCommonsvc.exe	101
PID 3068 wrote to memory of 1332	3068	DllCommonsvc.exe	101
PID 3068 wrote to memory of 1324	3068	DllCommonsvc.exe	102
PID 3068 wrote to memory of 1324	3068	DllCommonsvc.exe	102
PID 3068 wrote to memory of 1324	3068	DllCommonsvc.exe	102
PID 3068 wrote to memory of 2208	3068	DllCommonsvc.exe	103
PID 3068 wrote to memory of 2208	3068	DllCommonsvc.exe	103
PID 3068 wrote to memory of 2208	3068	DllCommonsvc.exe	103
PID 3068 wrote to memory of 2988	3068	DllCommonsvc.exe	104
PID 3068 wrote to memory of 2988	3068	DllCommonsvc.exe	104
PID 3068 wrote to memory of 2988	3068	DllCommonsvc.exe	104
PID 3068 wrote to memory of 2812	3068	DllCommonsvc.exe	105
PID 3068 wrote to memory of 2812	3068	DllCommonsvc.exe	105
PID 3068 wrote to memory of 2812	3068	DllCommonsvc.exe	105
PID 3068 wrote to memory of 2288	3068	DllCommonsvc.exe	108
PID 3068 wrote to memory of 2288	3068	DllCommonsvc.exe	108
PID 3068 wrote to memory of 2288	3068	DllCommonsvc.exe	108
PID 3068 wrote to memory of 2704	3068	DllCommonsvc.exe	109
PID 3068 wrote to memory of 2704	3068	DllCommonsvc.exe	109
PID 3068 wrote to memory of 2704	3068	DllCommonsvc.exe	109
PID 3068 wrote to memory of 2984	3068	DllCommonsvc.exe	111
PID 3068 wrote to memory of 2984	3068	DllCommonsvc.exe	111
PID 3068 wrote to memory of 2984	3068	DllCommonsvc.exe	111
PID 3068 wrote to memory of 2000	3068	DllCommonsvc.exe	112
PID 3068 wrote to memory of 2000	3068	DllCommonsvc.exe	112
PID 3068 wrote to memory of 2000	3068	DllCommonsvc.exe	112
PID 3068 wrote to memory of 2100	3068	DllCommonsvc.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a397e931b293d6c8b17d3de47a1ea657dfbf426834a94e98d8f08fe3389ca4af.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BVno4GbaeJ.bat"
        5⤵
        
        PID:320
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1280
      - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
        7⤵
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2204
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        9⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2680
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
        11⤵
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:580
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
        13⤵
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1008
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
        15⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1096
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
        17⤵
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1640
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
        19⤵
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3060
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
        21⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2316
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat"
        23⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2996
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        25⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2968
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        27⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\IME\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\dialogs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Roaming\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Roaming\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\My Documents\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\My Documents\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\Templates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22562ed46bebadd1cb5583040e9b8eb6

SHA1
2c9fa949becdcd509c6e94e4fd22564946cd26b0

SHA256
8a35bfa3872b31ab2684f1ddcddc557ee85fb105d7c344e11b7a092c4516dcba

SHA512
fd13d3e7c831ca4da3b310ab1e08b9280aac0a5baf9847142fee493b868191dae502bb61eec300506edb0e81a46760897b2e623ba7183d77d9445ed0c22247b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed620633c07035e1a093cdee9a148e59

SHA1
e3dc88afbd0f352429739e679915b3782d3e659b

SHA256
b3695345549d11dfd44dfc244bcb1529574199be1ec6c80d87e8bc140796b29f

SHA512
113a772c98806ab17ae6d373db66bee232d0253fc389d200e011b385713ac075a6a78b9ecee267d0ee9cfef43c8d7f1882e7e111783fac680df2a54dea4b0942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d77466678bc4756846840df72c4e2d62

SHA1
43cf2d82ae5e4c4541e62c8bebea70769df467ea

SHA256
2dc988dd9a22c27292eaf5be72ab0e843fbd7bd4af4e51228a6feaa0fdb66730

SHA512
6db518ab29ddd7e44989006d650e27bc309a243a7e0d8a044b91fac375089e75e30ffe1d65a12114bff38cd288e09ed938a42ba1184ff5994cecccb88b9a13a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b33fcab77dd9275f89c4eee2eaa3ee7

SHA1
da9a37263bc2bbd7355382dacc4d094d365266fe

SHA256
bd31409811067839198802baae1ffa6c90f709dd291085a337d4684fd3a5f54a

SHA512
318bc2b899a2b8e78b48b685a65745ad8b7dcb05d8a3e577c0d07aeff5da98044037be3422830d2baa0377124c470cb4b98d6f9de683977250f0227e276ff2f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e1927d000c6c9929335eba51a5ab839

SHA1
92321019db1e7f066c262e5e274f85f1b8573586

SHA256
a09bb39457638be8ebfd6a9fc9a86c7265e6beb8ccf9ef3a5c30263f4e411cb0

SHA512
8fbc57dc24966723caf007a54896d964e633da20db05139721017f9c3d2173987ea63eba11db937bec4b970cd5003fa60d83aca2c93e5b32978b31c6aac34b8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84c4dbcfef5ade6eff5946c138de6de6

SHA1
396951432b894c3296d1a926ca3cc11d07d8af40

SHA256
0933e8182933367cfd027ac7e50fbfaef3e0d2e7b76f7ee6adda3566550b3810

SHA512
a0758ada0e6c6338287b28695d8530ecbb3f8f2bbf28850ab53b553b4dc2189e64dedf95dd718f2c72e36b67c3b1fbd166e2072c2e426c59ca6abd6f3e579c69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d46040739afd7521afdea9779ff83f2

SHA1
e972bafe4f0e0dcffd7f08e9a77a5d2a2bd96520

SHA256
334d4b9b9caf9dc9731a489b2a58bcb15a80877796bc3c371a32a6af883f9104

SHA512
810aceed534fc752ccb80efe2e80c0ae9f146691e7c95d1dd94998967499d73addb9a3ce4a0b361e15a6343d28b90f1a5831410cba95123597788b137a802fb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71d1b8b96822cfb44d8d7756db0295fb

SHA1
53e898acad6972eed9bfba6845b3a041db6efa13

SHA256
977495a68cc05a207eeca7ee72aa02e31572d29fd1f5512594b21c3eb54192a8

SHA512
be1d9228269080f6ecba994dd4433b979ccd7ca7613452145e6a9a7c708456edf011f9a6ed3ad0f103123156a7e1c2c54dabe3398daa427c490a73916132ee28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93b116055a5c6365a6792930c4968f65

SHA1
f7a10149d4e163071a49d13a85c1df583a9c4c2a

SHA256
ea4c60afbe856420fbff3b1194a471a55c674eaa49fc4eae94014c6c21f4e5e9

SHA512
e4f83be21ebed65e2b1206b08e58c6a1be320f99a1100fe6a0188d1073bd6a4f81961cba43399c098e8cc768af5b4984f6e698575ee4625bc71ba88b51fe78f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d685cbbcfdb5fb0f2b01d7fddc41b539

SHA1
a4362c076772608cac8e726428da24b5bc808d22

SHA256
4e7bfbddd69d92edb76ad281ee1121b082b965770f66cc25a8b6844c2d2f604a

SHA512
ac74bf3b0d2f5e203ecfbef1003cba51460e2d8b986856fffc081eabb043e479d9b8c9b9e27b0059736c8932aa1b3f24377e42ae8147006d4a7581da9758f51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat

Filesize
191B

MD5
610e265e20603a1bfe10cf6c59dd1878

SHA1
09e1e0d4dc149e1b8bf58fb06df79acd7591d2bf

SHA256
54ea4905becd7dde0c8901cdd840f6a776c423089d477b056d70214ab66c6167

SHA512
0d255a57f16727b7a629240e13cc0c1692e717d525b08f4fd0a2620c34ecff9bddcf73549984c3b11af6619464008b8d7aafc790ed5b7a649944d46b1f5b2504

Download Submit
C:\Users\Admin\AppData\Local\Temp\BVno4GbaeJ.bat

Filesize
191B

MD5
515cdced24ca956502add1f0709d1ce4

SHA1
e77e311e77b02afc5090083202f098398eb01a37

SHA256
832729501e8377112c08dc0e09c61e54bf99f6e65ed97558e1da228154b567d2

SHA512
17c8c373a8041871744d59a431e7dfa3db8893dd8f8b112fa470b07570a2cdbf5aec7ec0792178b6bc9526a4646189334ea698d33a7851946a449007ade512f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD367.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
191B

MD5
14562055639d2bae393d2269cc9f0af5

SHA1
65ee9be107160d508261a2fdbe38f2333d8f6e5d

SHA256
119d7b90254775f4afa1ee00e4528d43a4c866bba9c3fd8c8a8c89144aedfd2c

SHA512
7e068d1b597b9737cc7091a26be5cdbe49cff949338b78de0b9895ec7d505aca408a027a2b25356a0dadfb91f4f66963a17a88ad61ed172141f0b18efe1f4dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat

Filesize
191B

MD5
d3a9cae31015054658a12f70a279468a

SHA1
35232c56bf0367fc65906413d124124a3be39f53

SHA256
fca367a97ab7a692df0409f548891ef80e14208d85819d795869efd7d15081a3

SHA512
66f5703f311abbc2d9bb1ad05ae996d2b39ddde0291e2dc1273058415919cec49b5c1ed99f0fa7310daa5f53c87067204b6276cf5d0daf336a8ea5e6ebb0e52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

Filesize
191B

MD5
d02c5a6092199c7fff163ac66f5ce4bc

SHA1
878af8e51b5a796f108bf6c2c196d7a7a8c5b469

SHA256
532a049cd33f12786967e5a46c4b16ef42aabe65a315732106cc9c8163af0e6f

SHA512
bddfd4a03f3563267b2e7d3d584ed834f77f889ee042945c3c99596daec3da0e9d6854e1e761cfb848013cfcc5792eb9a51e531fa661bea92ae581060dc4fe9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
191B

MD5
e299cf3c70dae28fbf33e85b617d7d75

SHA1
6b2aba17500adea5ebaa44522847f1d7f90dfb9b

SHA256
206e32d4bc52cf2e6b0c1c0969c516398cbecc17fe3d943913c63d34f0dbd8b8

SHA512
5469ba518788cf60d58c08d4e681c4af33683d51a7eac834b75d9c708e4dc5802148d39284538f675ec6fa916398be1fd0d59fa8c19814c58042ddcf49c55406

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD37A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
191B

MD5
f3e759b5acdc35eff8fb7ad1f4ce3084

SHA1
4eaddd36a09bd64c1be5bfb0610fb08bf15a4cbb

SHA256
e6c9cc6eb5fdf6e5acd361d6575721cf3f08f6ffdda79fb37fde2e1dfaa2381a

SHA512
f785e613f95900edcd3780f33cd11a0fae46d933768589ee68533f2a6e498157349ada58bd223b45f43aa3932cb7cccaf02b58f42a1c6b490bd6beb05a4e2753

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
191B

MD5
87433d51b2039ef0c7773a3550cae55b

SHA1
019758c77f31b69b87c65eb4ccaf96ecf1c37d28

SHA256
6b2957fa1aa131a297ce63256a9750834323bc50e0dc43106d15ab67ee3b2ab1

SHA512
58b2ca647da4cc04a026f8749955db77be1d5ab4e911a9cd8694ba7d7098e2bbee69c96272bd32f1b07b7521658390b0f898cbd7023d46e1bdd56bd646e1e70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nb2ryfxXmZ.bat

Filesize
191B

MD5
a8537dad02b1314f67a3b467979cd07c

SHA1
a4113a6b71ac9374a6f031d393be485018227b5b

SHA256
d398ec870970ffdbc1efd7d3bf6da02c8aef3a964e3507d2c41c08afe84f2c54

SHA512
dfa72ce785a19ba32cee36b4d9faba1ccf2b1a01422fc247c5873d3e294664233ce79ecd6af306e58d71a4f277b89cb9335789a6095a66df23ffab306141c07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

Filesize
191B

MD5
e63f489035453bef0514eb70d8b7bcae

SHA1
944b72f0b0809d5fa8d9b21b47b3102e69af975e

SHA256
2ee2c165eb647c7e5beffb3c4a962d6af17b1632bf406ff3c0131c5068cb405d

SHA512
5f733165fe5938988212a3f5268ad7a2171d30293970044750fdd7164622a436bd82e139757591ee805c27699812bbfb9695d554a71119421e1cd221b1419b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
191B

MD5
650ca3e41d37340ef3fca26f10e1e2b1

SHA1
65a1b09d3ff6b68efd2ded1d0d18e2cbba616649

SHA256
04998e072dbf79fabf3a54f2a0e4c483f24655c06973c78d2096cb4831b1fdd4

SHA512
61f62d7973d5f7bd51cef8ff64e25f56f8902a9bb3aba387e561b6108db2c0a78d7ffa0ffb74e7f20286eafb7f247b07bac8977899a4880c2c04b56bfdb8e635

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e9875555ad2a0382bc16a0a008fae4d0

SHA1
a10042f5584469788b89aeac43a6bbd0119795fc

SHA256
ee664f24fdda4456afb52a3465eb616ba22ed8df7eafc6fcc6256bf08fe37f59

SHA512
96f0c76b01874aeb8e23d145db282a94f06433cc5086d885673a0889a0d2f0a58f99351d1e5328c7432f390a9ba6b05af3a507746495e69f11c1c21efd7e55d5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/536-284-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/536-283-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/596-344-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/1000-700-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/1152-760-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/1508-404-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1968-68-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1968-69-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2304-223-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2380-164-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/3068-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/3068-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/3068-15-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/3068-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/3068-13-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download