dcrat | 7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9.exe
Size

1.3MB
MD5

53d9de6b025e5efac450770a192b9606
SHA1

e03ca209056c1fabb2c616f2c10f75bde7694f72
SHA256

7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9
SHA512

79e0f36b8861ed5f2cf2aa701d15dfa8ff123351e207279c5af2068e43dcadd7962c6fc512e85602748224ca9ebeeb7816d8d1eef57132bd892b065172ae5d73
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2924	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2924	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001949d-12.dat	dcrat
behavioral1/memory/2752-13-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/1784-60-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/1580-214-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2652-274-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/2068-334-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/1556-394-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/1700-455-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
3008	powershell.exe
2784	powershell.exe
2848	powershell.exe
2944	powershell.exe
2160	powershell.exe
2772	powershell.exe
2776	powershell.exe
2760	powershell.exe
3000	powershell.exe
2652	powershell.exe
1708	powershell.exe
2768	powershell.exe
2604	powershell.exe
2400	powershell.exe
2880	powershell.exe
1952	powershell.exe
2764	powershell.exe
2532	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2752	DllCommonsvc.exe
1784	explorer.exe
1580	explorer.exe
2652	explorer.exe
2068	explorer.exe
1556	explorer.exe
1700	explorer.exe
2744	explorer.exe
1708	explorer.exe
1028	explorer.exe
3052	explorer.exe
2944	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1796	cmd.exe
1796	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\smss.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\ja-JP\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\AppPatch\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\ja-JP\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1576	schtasks.exe
1752	schtasks.exe
2900	schtasks.exe
2040	schtasks.exe
1620	schtasks.exe
2812	schtasks.exe
2152	schtasks.exe
2392	schtasks.exe
2028	schtasks.exe
2228	schtasks.exe
2516	schtasks.exe
2988	schtasks.exe
3028	schtasks.exe
1684	schtasks.exe
2272	schtasks.exe
2008	schtasks.exe
2460	schtasks.exe
1716	schtasks.exe
1444	schtasks.exe
1816	schtasks.exe
3044	schtasks.exe
2364	schtasks.exe
884	schtasks.exe
1380	schtasks.exe
2296	schtasks.exe
2132	schtasks.exe
1668	schtasks.exe
1248	schtasks.exe
3016	schtasks.exe
1344	schtasks.exe
1988	schtasks.exe
2148	schtasks.exe
928	schtasks.exe
1496	schtasks.exe
1744	schtasks.exe
2224	schtasks.exe
1664	schtasks.exe
2564	schtasks.exe
1820	schtasks.exe
2436	schtasks.exe
2212	schtasks.exe
2904	schtasks.exe
2780	schtasks.exe
2348	schtasks.exe
1776	schtasks.exe
2328	schtasks.exe
1748	schtasks.exe
2668	schtasks.exe
2972	schtasks.exe
2636	schtasks.exe
2624	schtasks.exe
2404	schtasks.exe
2172	schtasks.exe
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
3000	powershell.exe
2776	powershell.exe
2772	powershell.exe
2768	powershell.exe
2784	powershell.exe
2160	powershell.exe
2604	powershell.exe
2500	powershell.exe
2848	powershell.exe
2760	powershell.exe
2532	powershell.exe
1952	powershell.exe
2880	powershell.exe
2944	powershell.exe
2400	powershell.exe
2764	powershell.exe
3008	powershell.exe
2652	powershell.exe
1708	powershell.exe
1784	explorer.exe
1580	explorer.exe
2652	explorer.exe
2068	explorer.exe
1556	explorer.exe
1700	explorer.exe
2744	explorer.exe
1708	explorer.exe
1028	explorer.exe
3052	explorer.exe
2944	explorer.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1784	explorer.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1580	explorer.exe
Token: SeDebugPrivilege	2652	explorer.exe
Token: SeDebugPrivilege	2068	explorer.exe
Token: SeDebugPrivilege	1556	explorer.exe
Token: SeDebugPrivilege	1700	explorer.exe
Token: SeDebugPrivilege	2744	explorer.exe
Token: SeDebugPrivilege	1708	explorer.exe
Token: SeDebugPrivilege	1028	explorer.exe
Token: SeDebugPrivilege	3052	explorer.exe
Token: SeDebugPrivilege	2944	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9.exe	31
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9.exe	31
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9.exe	31
PID 2292 wrote to memory of 2300	2292	JaffaCakes118_7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9.exe	31
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 2300 wrote to memory of 1796	2300	WScript.exe	32
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 1796 wrote to memory of 2752	1796	cmd.exe	34
PID 2752 wrote to memory of 2160	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 2160	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 2160	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 2784	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2784	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2784	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2772	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 2772	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 2772	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 2848	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 2848	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 2848	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 2768	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2768	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2768	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2776	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2776	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2776	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2604	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2604	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2604	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2760	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2760	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2760	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 3000	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 3000	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 3000	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2400	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 2400	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 2400	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 2880	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 2880	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 2880	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 1952	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 1952	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 1952	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 2652	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2652	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2652	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2764	2752	DllCommonsvc.exe	103
PID 2752 wrote to memory of 2764	2752	DllCommonsvc.exe	103
PID 2752 wrote to memory of 2764	2752	DllCommonsvc.exe	103
PID 2752 wrote to memory of 2532	2752	DllCommonsvc.exe	104
PID 2752 wrote to memory of 2532	2752	DllCommonsvc.exe	104
PID 2752 wrote to memory of 2532	2752	DllCommonsvc.exe	104
PID 2752 wrote to memory of 2500	2752	DllCommonsvc.exe	105
PID 2752 wrote to memory of 2500	2752	DllCommonsvc.exe	105
PID 2752 wrote to memory of 2500	2752	DllCommonsvc.exe	105
PID 2752 wrote to memory of 3008	2752	DllCommonsvc.exe	106
PID 2752 wrote to memory of 3008	2752	DllCommonsvc.exe	106
PID 2752 wrote to memory of 3008	2752	DllCommonsvc.exe	106
PID 2752 wrote to memory of 1708	2752	DllCommonsvc.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a594b76d19e616c1d840b67a90a64a1003397af1219144411188b10346cd4b9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\ja-JP\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat"
        6⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1948
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
        8⤵
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2648
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
        10⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2332
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
        12⤵
        
        PID:424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1600
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        14⤵
        
        PID:1372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2728
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
        16⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3064
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat"
        18⤵
        
        PID:424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:928
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        20⤵
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1504
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
        22⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1128
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
        24⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2396
        
        C:\Windows\AppPatch\ja-JP\explorer.exe
        
        "C:\Windows\AppPatch\ja-JP\explorer.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat"
        26⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\Application\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d98cc4f3332ab5a663d372b089829d31

SHA1
f61338aa22d03db88807d04e05c9fe40b13177b9

SHA256
73f83cf776debab110b2fd840e5e898ec3f084853645c68aecee09e1b0de8421

SHA512
f7f86f014199d68e21c0ec1f5d33d016cecda415a3f3d990960c5e4c4d4aa3f14c2bc065230889dcc8653aaedb1d29aa2bcfa05b58775f3659cab76f723732b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3caafc5511a25d94e73f09e71f6d23f5

SHA1
af6b6b02af51a60c38a35c5869861049e39b7398

SHA256
b976d99b6a5aabf4e87cd33fb9438d862d9d08e4561a8a98b1ed28c8b5c2e509

SHA512
7c04fe10739be819050f23c8a7934d84528a3fcd4cdbadd2c2fd217bab7784d0afc7b112d2c0362d8e4395d1b38af7062db5dd296f2efafdf426ae277364531b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d55066bf355c67bf382f05927fc3a3f

SHA1
fdc106bbea98189cbc65fa412554f70f3cf6eade

SHA256
cf91e0ea1bec01fdf599d5164435298a77d7973bf7b851ff7471903937688ef0

SHA512
5d968d819d64a6410df2f605a22a59b03c63e52f4fd6b4a861e1ee634fa16b293124a85eb1a252a58e6042820ca72f196d5f09057749a440b44ddc725fe20f3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a9f3fa585cfde47d1bca466e89f4c60

SHA1
543a454e9c4089c4895f186d94d75ae8a5acddb9

SHA256
bcb692d50cfca23ca60a12fd8ab3312e61b20d366347e0ce2eea8689fe1445e0

SHA512
7efe96c6f0b8e3fef2ce03579c51b003cf7b4ab3829c9625f30553800c21828edb093cddfa858a206b607ea96c2834f07ba572f04fda262cfe10160895af1082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1f9600a29ac43c6451aeaa4eece2f2d

SHA1
b2fb873913da56c47c813528943fbdaf2b8e732c

SHA256
323846177d6cee2dffb11bded2f9033d2c0686d442c64d8ba75e1fa1a7f3a0df

SHA512
77979db7f5f0a89c447b2d8ea40ec7e3b5b0d93af60dc3dd259157d9841801cdba75e97bd2a8a188bad658755c836addfaa99c41a6c7f1c267f2f2222a127bcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d43c7587096f3c554e7a032648154030

SHA1
34067906d83f44810d6446dbaaae261f171d066a

SHA256
e42750201315754a1b1d117bc106616e7f86d8eee5b2b949b1bfacea4530612f

SHA512
0476edf060961ef2fc83cdf8486cc48628e4255a993a953ca4f8e8e898db9fa4815c95a9ae9d220df8489f58610c90ae22d07cf0b0efd260ef7fb7c5dcf7e1e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5325d987abff00c0d384c67be38f1441

SHA1
9a122c2bffe961b2f7d7780f1375cbf4bf1f5dfe

SHA256
6be07a563cb97e14edce02199150b42a2dfc973d48a4f40e67c8ea48db5fe0f4

SHA512
085f890e79101499edbfe89ab66db61e3d9ea1f29a6d5f6a7a34711bdf3a9f00280f08135d8af7083a6765dad90bac52d5973281446635c08dd36ad2d09fc12a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1c4e940692dfd725e0b9343ff89dd22

SHA1
43943a40c34a59f57789ff8cb884e353c855c4f9

SHA256
2a480e6bf12b5d75c45f0662d6c8b5c7762aca2a8c208f82787ad510ea604162

SHA512
bc0f4914c12441160ef4c55b31efb62255a634914050cfbfefd91f0c5bd7d9a91f0cab3ca7c2c79cd3f9e497f97cfb53ba968644292f3cd3a3a5e0e73a8a853c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51e0484541d1031ee10561c0e501b293

SHA1
1a3d570589c69791eba32c8d20839e108a2729df

SHA256
d2c33153ebe1ceefca0334b47d06a0e2f75369678c867725f37df63649ec6d2a

SHA512
b7e8b194e63bc054b8f8987e3f97257daa7168b5579a5b6e869f1c5bde1b5b15d0f7cfe2fc209bd3c65c5473f9e15e708c6a5bd152b1fbcfed22192851119486

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69aea801aa57dbf6a91684579fa8205f

SHA1
0684223a9ac94afabec92d0609203a37d3f15625

SHA256
04da78ce63cd1d068403801ddcf7103043dfd09bf080e7eead97f3bdd9d2b278

SHA512
ba3bd55e907f8d950fa698ae9936da745fe8270f16060daab6c48ea191881360742e698c02c61b881f7578a19c3b9fbc8a89ae2712f76727c5bb884970b43108

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
203B

MD5
19977cd54281f0ce31d5a78cd74d9e23

SHA1
5617628c60b816b9cf66435eb1a988e79fb9aaff

SHA256
8bd79911d17c0759500128bc809890219c11ca3ae9de55ad1734ae1f3ee82723

SHA512
5450c507b220c05747a1be6cf311731c0ac1d7d8f75751d7bde48254f0327da89dc1b03baa5691daccf8ca0476aa3be07eefcfd52daaf40a3e51b4df5e8cc279

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pDZQI1oOH.bat

Filesize
203B

MD5
99b0bf530361c2290ba4519a34eac5d0

SHA1
9881d9d7d24e8d069d520b231df5baf19997b4e7

SHA256
4a438b29c4d3016ac39691d5e9fbf0532c7cee7d224cc1f32a2853b07569b4f0

SHA512
c9bef8da543d03e34de73b689e85afc5078cd494a9463081f04a6652e437e753acd166fe12563f0ce0240e4f8b7864065c0b843d446f7bf32667eabc5bd56ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
203B

MD5
74f230ae3cdbbfc8ce2d4a1af3d9bfd1

SHA1
e6482812c958b056f86c644d32e51fd3c6b48f91

SHA256
7525a483602e94cc9832198378a330fcd1fa9a64907e157d3ad6a8bfdab75035

SHA512
b46f1f0b09608fd2d0c486d4b9f91c5899954436f9485562493f844409c424200aefd55dbdca9f48f8384a3e08c790fc83002ee1ac885e9dced56ce6f60a31b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1067.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat

Filesize
203B

MD5
9772437d1b989f63e3d00bc1ce70786f

SHA1
b9a1e64247d0174c566f6df56e6c35885f283805

SHA256
2b61277714145898ab238fb9967b2254d102cfcc1d3714af1a936ea3e28cd320

SHA512
1f757ff67883dae7d03f7551bc1cda869885bdf67609abc356ddb9d9cbe9d6b8b932313dbe687a6e6f35a6aff969d6dae12e0ed0f29763160abc81284e15d0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat

Filesize
203B

MD5
c02892d92a9c1fa7a9e4b2a77d476086

SHA1
cd42b8674a504d04b2d104765d2083d5c5650e51

SHA256
92a01bdd48369526ef848afb30c8db33cb72e52a27b50c417569f632f2696de0

SHA512
216fb60d953c96f75a33c66a3fd4853717581acd59878db72bd480fd4edc7d5e7d544ff75bdf324d38b8b481bebc633fef039b3ff6928df1596896e60ed85ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar10C8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

Filesize
203B

MD5
f215409ecd0a042980400a554b662c4d

SHA1
e0633334fe06f895723e22cb047393aef2de0850

SHA256
412880c2799a3f6f044fef3f6c67d327cc107630d0b25269378dd0f64da6c2f6

SHA512
1166cac5457a2823cb334d79b4a27d12e0ed3566e3a88b1cef5a2bb96111feef0d6b03f7293ba8b7a92c39f05d92103393a9593f11f4754e5908f06d78fc2abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat

Filesize
203B

MD5
faf643b31179a1dc01da7dfe06cbd93d

SHA1
e1143c5640d1a16ac808d87b6000e13486c99842

SHA256
3a99fe889953cabc2f8ab0fbdfa64592659e2e39ced87d2e36bfee4cc142df7f

SHA512
ef04629d11981f659bec0d5cdb96860f2abe690360ab1a36d282ce7153dc38615eb8e253aec5eea69e24e1b512e68293a5d5368479970ea24f4ab3b156cc4117

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

Filesize
203B

MD5
ea17607982eee3b9aec61f2147381816

SHA1
471666e02d0e8e995a8ac345794880814211800a

SHA256
137e20bd7e83b4ea61ce59a16202a2e32bb66adc982ce353dfa7606769c572b6

SHA512
044da13a7d474d77432a09b64f7babba69d2a53fc091593b9fa76a2021e66965fd2632df15d1c73edc870c845d812f31a4f2a231575fdb594745ca9bea895968

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljgkLFIn4v.bat

Filesize
203B

MD5
200cda51c5c342504f707e5d45fc72d6

SHA1
77fd668603725136ba7a14f127da183bce681ae4

SHA256
85e5c1ef6c4bae5a851122176d4c67486b2b66387212b83d2c611a83999a8832

SHA512
8dd882f8a7b2ba20eef4c437a87a09933b6c3753e5d12f2aabe0c571f038c06088ce84286a85e76f301371df81b302cd3af314061808a660186e14895c00ee3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

Filesize
203B

MD5
f6510266ef83624e721500010e1689d0

SHA1
b8c76a5dc91cbc5fbb88932602325ad037782fcb

SHA256
bd1350063fe75584c7755d01ecfc3d0492a35b6aedce58741fab7d5f50dd766e

SHA512
a89489eadcff6e04f8c594256dac23a85e0a8c36c7f7b200ebbffa11129c76ad6ec1af881f95ec32abc60c40c7889d6b1c15d9230c4277d4cbb2e579724dda36

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat

Filesize
203B

MD5
1198865906232be00e8e05c76451b2e1

SHA1
c6d9f484d406e66166c0ca88d64bfb0958496c95

SHA256
9fc8c7dd7736486d8da13deb6577eb6949561a2f9fde8ba1dc439ac2da809970

SHA512
942761877ff5f3fe516f30d2eed87426beda26883502be7f10665ce9af8c3032cd16c9c4309917a704b8aff7839dcdf1aae0d0ffdc1bbbc103a04416a8c345ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0d314deb43efcdf8809478081a96891c

SHA1
55f9fd6705f713fb378accc9e4497f3fdd9d3e2f

SHA256
bcad52f01dad6a97f0e501c8f1ef5c48452da78aa53f899f68f5fa31d69d143b

SHA512
0036050e44fe40a1b743436be13e3492893c27f088460652360e709564e86d4bcef261fe17b6ce16e9be9ef3739aa7c4cf788caab434607b9cedb2462ad162bc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1556-394-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1556-395-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1580-214-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/1700-456-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1700-455-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/1784-60-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1784-145-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2068-334-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/2652-274-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2744-516-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2752-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2752-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2752-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2752-13-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/2944-753-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/3000-77-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/3000-76-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download