dcrat | b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac.exe
Size

1.3MB
MD5

55980d1dbd3657e3f6e6835dd96d8176
SHA1

c56dd550133d0936491bfd29f2808a26d9180cbc
SHA256

b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac
SHA512

cdbcd64d926e9c98d589d8f95c7f8939f4c74c58be0791954033de8830ffb8d9128061102c109e491e8fd7b52c3fa71d52d48de8d3ed1ac20b9ed3913e4dc3c6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2136	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d47-12.dat	dcrat
behavioral1/memory/2260-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/1736-205-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/584-443-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/1484-503-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/2472-563-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3020	powershell.exe
1536	powershell.exe
2948	powershell.exe
1652	powershell.exe
2284	powershell.exe
3016	powershell.exe
2976	powershell.exe
2260	powershell.exe
1552	powershell.exe
2952	powershell.exe
952	powershell.exe
984	powershell.exe
1884	powershell.exe
2976	powershell.exe
1612	powershell.exe
488	powershell.exe
1272	powershell.exe
3016	powershell.exe
2060	powershell.exe
1740	powershell.exe
2984	powershell.exe
2328	powershell.exe
1580	powershell.exe
1520	powershell.exe
1036	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2260	DllCommonsvc.exe
1952	DllCommonsvc.exe
1736	dwm.exe
2212	dwm.exe
2064	dwm.exe
1952	dwm.exe
584	dwm.exe
1484	dwm.exe
2472	dwm.exe
2344	dwm.exe
872	dwm.exe
3008	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	cmd.exe
2528	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\en-US\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\ehome\de-DE\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\smss.exe	DllCommonsvc.exe
File created	C:\Windows\CSC\v2.0.6\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Windows\Help\Windows\de-DE\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Logs\DPX\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\DPX\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\ehome\de-DE\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Help\Windows\de-DE\WMIADAP.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1916	schtasks.exe
2840	schtasks.exe
2152	schtasks.exe
1804	schtasks.exe
2488	schtasks.exe
2956	schtasks.exe
2704	schtasks.exe
976	schtasks.exe
2184	schtasks.exe
1936	schtasks.exe
2456	schtasks.exe
1748	schtasks.exe
2436	schtasks.exe
2932	schtasks.exe
2084	schtasks.exe
776	schtasks.exe
656	schtasks.exe
1540	schtasks.exe
2756	schtasks.exe
1916	schtasks.exe
2064	schtasks.exe
2620	schtasks.exe
948	schtasks.exe
2016	schtasks.exe
620	schtasks.exe
1564	schtasks.exe
1828	schtasks.exe
2564	schtasks.exe
2924	schtasks.exe
2912	schtasks.exe
2656	schtasks.exe
1528	schtasks.exe
308	schtasks.exe
1560	schtasks.exe
2600	schtasks.exe
2488	schtasks.exe
1832	schtasks.exe
2792	schtasks.exe
2600	schtasks.exe
2824	schtasks.exe
1128	schtasks.exe
2076	schtasks.exe
1908	schtasks.exe
2704	schtasks.exe
504	schtasks.exe
1760	schtasks.exe
680	schtasks.exe
2772	schtasks.exe
1924	schtasks.exe
916	schtasks.exe
3040	schtasks.exe
2632	schtasks.exe
3024	schtasks.exe
2244	schtasks.exe
1012	schtasks.exe
2796	schtasks.exe
2972	schtasks.exe
1112	schtasks.exe
1188	schtasks.exe
2688	schtasks.exe
2812	schtasks.exe
1100	schtasks.exe
1628	schtasks.exe
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2260	DllCommonsvc.exe
1740	powershell.exe
2284	powershell.exe
2328	powershell.exe
3016	powershell.exe
2976	powershell.exe
2984	powershell.exe
1884	powershell.exe
3020	powershell.exe
1952	DllCommonsvc.exe
1952	DllCommonsvc.exe
1952	DllCommonsvc.exe
2260	powershell.exe
1612	powershell.exe
1272	powershell.exe
3016	powershell.exe
1536	powershell.exe
1580	powershell.exe
2060	powershell.exe
1036	powershell.exe
1520	powershell.exe
2948	powershell.exe
952	powershell.exe
984	powershell.exe
2952	powershell.exe
488	powershell.exe
2976	powershell.exe
1552	powershell.exe
1652	powershell.exe
1736	dwm.exe
2212	dwm.exe
2064	dwm.exe
1952	dwm.exe
584	dwm.exe
1484	dwm.exe
2472	dwm.exe
2344	dwm.exe
872	dwm.exe
3008	dwm.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	DllCommonsvc.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1952	DllCommonsvc.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1736	dwm.exe
Token: SeDebugPrivilege	2212	dwm.exe
Token: SeDebugPrivilege	2064	dwm.exe
Token: SeDebugPrivilege	1952	dwm.exe
Token: SeDebugPrivilege	584	dwm.exe
Token: SeDebugPrivilege	1484	dwm.exe
Token: SeDebugPrivilege	2472	dwm.exe
Token: SeDebugPrivilege	2344	dwm.exe
Token: SeDebugPrivilege	872	dwm.exe
Token: SeDebugPrivilege	3008	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 3044	2132	JaffaCakes118_b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac.exe	30
PID 2132 wrote to memory of 3044	2132	JaffaCakes118_b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac.exe	30
PID 2132 wrote to memory of 3044	2132	JaffaCakes118_b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac.exe	30
PID 2132 wrote to memory of 3044	2132	JaffaCakes118_b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac.exe	30
PID 3044 wrote to memory of 2528	3044	WScript.exe	31
PID 3044 wrote to memory of 2528	3044	WScript.exe	31
PID 3044 wrote to memory of 2528	3044	WScript.exe	31
PID 3044 wrote to memory of 2528	3044	WScript.exe	31
PID 2528 wrote to memory of 2260	2528	cmd.exe	33
PID 2528 wrote to memory of 2260	2528	cmd.exe	33
PID 2528 wrote to memory of 2260	2528	cmd.exe	33
PID 2528 wrote to memory of 2260	2528	cmd.exe	33
PID 2260 wrote to memory of 1884	2260	DllCommonsvc.exe	56
PID 2260 wrote to memory of 1884	2260	DllCommonsvc.exe	56
PID 2260 wrote to memory of 1884	2260	DllCommonsvc.exe	56
PID 2260 wrote to memory of 1740	2260	DllCommonsvc.exe	57
PID 2260 wrote to memory of 1740	2260	DllCommonsvc.exe	57
PID 2260 wrote to memory of 1740	2260	DllCommonsvc.exe	57
PID 2260 wrote to memory of 2284	2260	DllCommonsvc.exe	58
PID 2260 wrote to memory of 2284	2260	DllCommonsvc.exe	58
PID 2260 wrote to memory of 2284	2260	DllCommonsvc.exe	58
PID 2260 wrote to memory of 3016	2260	DllCommonsvc.exe	59
PID 2260 wrote to memory of 3016	2260	DllCommonsvc.exe	59
PID 2260 wrote to memory of 3016	2260	DllCommonsvc.exe	59
PID 2260 wrote to memory of 3020	2260	DllCommonsvc.exe	60
PID 2260 wrote to memory of 3020	2260	DllCommonsvc.exe	60
PID 2260 wrote to memory of 3020	2260	DllCommonsvc.exe	60
PID 2260 wrote to memory of 2984	2260	DllCommonsvc.exe	61
PID 2260 wrote to memory of 2984	2260	DllCommonsvc.exe	61
PID 2260 wrote to memory of 2984	2260	DllCommonsvc.exe	61
PID 2260 wrote to memory of 2976	2260	DllCommonsvc.exe	62
PID 2260 wrote to memory of 2976	2260	DllCommonsvc.exe	62
PID 2260 wrote to memory of 2976	2260	DllCommonsvc.exe	62
PID 2260 wrote to memory of 2328	2260	DllCommonsvc.exe	63
PID 2260 wrote to memory of 2328	2260	DllCommonsvc.exe	63
PID 2260 wrote to memory of 2328	2260	DllCommonsvc.exe	63
PID 2260 wrote to memory of 912	2260	DllCommonsvc.exe	72
PID 2260 wrote to memory of 912	2260	DllCommonsvc.exe	72
PID 2260 wrote to memory of 912	2260	DllCommonsvc.exe	72
PID 912 wrote to memory of 1792	912	cmd.exe	74
PID 912 wrote to memory of 1792	912	cmd.exe	74
PID 912 wrote to memory of 1792	912	cmd.exe	74
PID 912 wrote to memory of 1952	912	cmd.exe	76
PID 912 wrote to memory of 1952	912	cmd.exe	76
PID 912 wrote to memory of 1952	912	cmd.exe	76
PID 1952 wrote to memory of 2060	1952	DllCommonsvc.exe	125
PID 1952 wrote to memory of 2060	1952	DllCommonsvc.exe	125
PID 1952 wrote to memory of 2060	1952	DllCommonsvc.exe	125
PID 1952 wrote to memory of 984	1952	DllCommonsvc.exe	126
PID 1952 wrote to memory of 984	1952	DllCommonsvc.exe	126
PID 1952 wrote to memory of 984	1952	DllCommonsvc.exe	126
PID 1952 wrote to memory of 1536	1952	DllCommonsvc.exe	128
PID 1952 wrote to memory of 1536	1952	DllCommonsvc.exe	128
PID 1952 wrote to memory of 1536	1952	DllCommonsvc.exe	128
PID 1952 wrote to memory of 952	1952	DllCommonsvc.exe	129
PID 1952 wrote to memory of 952	1952	DllCommonsvc.exe	129
PID 1952 wrote to memory of 952	1952	DllCommonsvc.exe	129
PID 1952 wrote to memory of 2976	1952	DllCommonsvc.exe	130
PID 1952 wrote to memory of 2976	1952	DllCommonsvc.exe	130
PID 1952 wrote to memory of 2976	1952	DllCommonsvc.exe	130
PID 1952 wrote to memory of 1036	1952	DllCommonsvc.exe	131
PID 1952 wrote to memory of 1036	1952	DllCommonsvc.exe	131
PID 1952 wrote to memory of 1036	1952	DllCommonsvc.exe	131
PID 1952 wrote to memory of 1520	1952	DllCommonsvc.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b43fbbb13aebb210905cf6599edcc00e5b9090cc0625f3b0a022c766fe6e3bac.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\de-DE\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6AAlqGeUwh.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1792
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\Microsoft\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\WMIADAP.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\de-DE\WMIADAP.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DPX\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UBmcVRCclE.bat"
        7⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2612
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        9⤵
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2304
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
        11⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:344
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
        13⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1796
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"
        15⤵
        
        PID:1820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1828
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        17⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:300
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        19⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2116
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
        21⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1720
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        23⤵
        
        PID:604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:984
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat"
        25⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2820
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\de-DE\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ehome\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\de-DE\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Help\Windows\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Windows\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\DPX\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DPX\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07cd031cb45c0ccbe3127e88bda28fdd

SHA1
226dc554f501f068e1b0a1009e76671440d3ab78

SHA256
1df054e0b9a67295bf5f5c7ff8ceb8e35c5e9f5a865fdd35be3436558f8c59cb

SHA512
3f76e169d8adc27bae61c587bf5595cc9116367ae3b71e46c9eb12df5326f720240ba90024c41f8bfcf1ed7dc73301941a0f4fc55502df1f1d79114fbba8e157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d7b3c81fc0757dddcb28f194d527099

SHA1
90b9bb31ccd1e420a58cf557b03fbe97ec7ddc36

SHA256
dfaabeb7eb4f699cc1fe3a33bb9d2f279359c0398ab51399af52dd4e89f44711

SHA512
4ef802da8a8f0d90453f26fa084f8b205bf6d74691b9a4d19c1d1d295c466a2f7f26a6e252aca6ce749e4233bc0c8f08b4b118aa8399dd102de98afc083ac4a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
338df580bd9cabec228b4484ab46a528

SHA1
9819476caee75d0bc371c6020f94e82d61261e17

SHA256
fa52523e89dc8c19717d26bc302693aa8aa3f93599e7cc0d4f964012485791ea

SHA512
bd184a5f6f0d20e3732ceca78649b9e292e690ca1f2dc6895bff216d8c48f8ba53bc88e8be5de4eb5122bbdad3bb104a337fe8f562ac7d7ffa02c04e7fd20ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4290e8bf89274ab987290bcd1a1bbf62

SHA1
7b32a742fd2a72fba26c360486292206bce09ae1

SHA256
8dd5a35ea2a06ec5d3b1af7499341d2aaf0a290682ed0e80917c0a92b1fb3f61

SHA512
5022d5cd9cd7b68cf5b5226ac45a3b0d16dbf545a53160df33b8eea717973e3eda083ad181cc0418af4c3b162cb055402d08e11afa32407817de0c86be6edd55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
851f0cb1dd33b04dc5c2a7d2cef1d011

SHA1
b757e7b4d97d7fd711e4611004ac24f7438bd0f3

SHA256
4d8176b985d52bc15b98f1bd99fd9feba03de10b87a5769f88751bd4da8c098b

SHA512
ab83bf6faf5b83c7a7207aed3251072cde13762987c9c9a7383dedfacb1648748051fa775b1a0c6899c9aa64a930468309729fa564bdf4346c0581f78c6ca987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c184d581dd4217923752f6e4ce05fcab

SHA1
e32699f60066518fbc8fc9e8d4dd323eea70003f

SHA256
d6b65869581cd2ce8b31eaf0d78b99ee556353390b01b414e2835a9dc3e0df44

SHA512
31407e18fe3c69185cb4eab55373ab3040fea5f88836ba8977d6721a9ae3e303898bc0efa304c10b796b01c384ae62b0d9815870e3d56022c4f154353fdc1a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fef1df046ee967c3444de40449a05fd

SHA1
a8a0739b58192c58de869aa4440a896ffc04de86

SHA256
33ec43678e0779839c50d122ec7e554e85e2388ac4affcff589b5cd041993983

SHA512
9ddcbd1dd71db76eaabc051bc58f64a870f426d7bbdb01b89dd9cbf114cf3ec4d64dc60c227b685e9dd0bf9b4c8099795336d4a406abaef421f63f37c4c816ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2d8014a4d33bdd4ca47faf916db8d80

SHA1
68e41f809b451d3b4cb1b65cb90a35bad77812e6

SHA256
07cf61edb796754ebdf3fceb869b72c4adf4c9ffaa629b1886e619b6fc093e70

SHA512
e15e1b29d4da402db849700d3c9e49c3465f818969dccb0deca81ab7778705d787551895d6f27031edbfe6b6635382ed8dc11bea80306f5acdaee2215d613877

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
235B

MD5
90d8480c6685cb44ec89d40f96c42ac5

SHA1
2ff40375ff81b03230409b4e6fb001ecb779f8a0

SHA256
90e88ffe507c1b843ad25976661ed85f2f7bea8d960d89bc902d3d068aa95102

SHA512
df54914347e82b2c482892218f9762ec780e61d2a5747f68b6744ef9f5c3872447e2e14500eb506e7e17741f953287ff114031d8d6c01cb42bb4cb1c88aacca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AAlqGeUwh.bat

Filesize
199B

MD5
3510e87fac5805f1db548a89a040842e

SHA1
0ecae8068c62a76fe34547c89bb420bafb6b5d69

SHA256
4f63e9b9ac21745c8925d8e336f543a051f9150f9adf498d3a57de62dbada568

SHA512
85e185950606a1a48f8e63a25780b6f0b959fa5ae45cf8cfa879323ea34fc76d966b9d67ed36b9f923240228ffed501280ce19eee79ab4129a98c29001063498

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1595.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat

Filesize
235B

MD5
79a999ef73636db702b8b8f41c46cd71

SHA1
f16e59a4139877c9f8ec6ff843c516b866ed803c

SHA256
501b9cc7ca4ee32e918fb3b41cafe1e3c43caeb31903c27e476c45383dcd801e

SHA512
c827ba933c4e1ba47107a7bf40d45dedc6ce0323596f7e5d10d59d5de5a23bb7d565ddd4c5796d3b90169763694476d1c8309e21779b434a88b2b9232562d0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat

Filesize
235B

MD5
e332a03abde51fa409443df57562a0a2

SHA1
feeeea362ce844b0895b5e5ce2a638391ab8ee5a

SHA256
5bc8fd978fac4f7dab537fcc641c42ee109aeb21429100846958f6456609c750

SHA512
ea12a65f19ee71bc1d889129bcd4038f2151aa47441f55e8222daefd4e7d20e9f7085d2edd28e61137da7a50f3dcade2fffea7169e9c84f3bc7aeeae5fddadb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LW19r029AS.bat

Filesize
235B

MD5
aee96777cc7e2d31d98544c380111eb0

SHA1
1b0d2e02e8341d6d5cabb968d498b5ff2fe2b083

SHA256
b4f26076fb09cf5c5fa3763bd01205671a91631a18bbfce5bdb0000fec2df050

SHA512
5395f4f3c539f97489314b5f6151a03ffc48850ede749a859c8a6d9908d499d09b7a8f7a04b1f3167cc7cf29ba608eee21603396c63420224311072a1d967918

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
235B

MD5
c83c33ad05349abbe34e1ad878f1f43b

SHA1
10b7f4f18dfff3d03ff75fb2f0e4ef925fd5a014

SHA256
aaee06eca331a9836a96cbe62eb1a9b9acbc14b7c781a184af88e81a9828002c

SHA512
27a64b710e15d22671c1a93639ca4707ce1598d6412721e943ee5276233e1a1f1dc2a88d908e83b4a159a74d558eff171bf792f059684ac09f3cbedc8587c03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
235B

MD5
21cc28bf91fcaed1c93791a7e8c98e09

SHA1
94f5e7ef5f3e285657fc58d800ddb97115c882e6

SHA256
f2289ead6367d180d24a0ad8d861979d9a35a743439985ebedb05b1a46d6d400

SHA512
ca634080d148dfe2769b7d830f82f031656e793c66485dbba2e98f0771e052909e591d64e177b8bd0a4d292208fc0b5366df59f228a010712210c6584aa71f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar15A8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UBmcVRCclE.bat

Filesize
235B

MD5
67a4b8a48aa432bdd18ec70cdd0c8d25

SHA1
5a3ca8ed60044876448e1074d77b76152d150469

SHA256
eb544a638f5bd35a10eb33cdf09c430fa83d7d71b52a4197fbdde0f848fc5d93

SHA512
7579fd63e50d22fd96c071cb0287287f9cf6b56685832d6d0d5867a325f2e6a650231cc7df2ea52e73cbdb815df342c847986fb9bdcfea634b99e0517d03f4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat

Filesize
235B

MD5
4bd828bee9522b8f5cd5d264fb73e7c4

SHA1
7cfc7f60eebc47bdc85fc8bd624df5a60a47195c

SHA256
58f06e4f1c438abc302aa6982358524565553a0d1517448b7875aaba48741d47

SHA512
c6ca9343a97a3f3a4705e841c5e2f2797dbb1e2b49340d32253177ee14f7e4b362979036fc8fc9875889bdaf401661568e30aafe2a7bd4b01cda680e345f6432

Download Submit
C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat

Filesize
235B

MD5
d19560dcce7a68e2c5064be04fc17557

SHA1
3ddf8ede16705ecd6e05ce0e7af1ab47472fce02

SHA256
0a7a0ebac11f7cea1b9b9ec44aec7e9246b910c874a2c3f7cf45b6c6f99425e6

SHA512
4624267606625914ed9e67d303f33ec209efb74e77dfa3328041a15d15540513b332df78753cbc8f20cea977fde33cda3e325b39e4d3058e9b5027f383d392d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
235B

MD5
147a99d76a26ac6497a91c56d83c5c82

SHA1
ac58a4df3040b459570b6a028cbbcf8460c74da3

SHA256
e8a13483e829df70eb6031c0255f6c5e600af348d26e8caf0faa63506e405e1a

SHA512
cab880074111926a0133af5267205cf65c1ebaa956712ece805eb92235a9ad8822d14f17249a5a36f8e7dff71482bfc1f368ae4ef4f437000aa85b991a93befe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6ac0a468c045613436f89a5be60860b0

SHA1
6524b8c579b345fe9939a7af79a59c123892a136

SHA256
474463fef11610c2a72cfb3b3fd9f3ca995acfdf23292aaa5c29ec294a4a5580

SHA512
54eeef5d97e2089ec9e5c5ea49ccbbaac9df822eb1bce85c135ae0ec2fb5d7f2619600fe59f2f97dc2d778786f2ce4b706455fcbe19de55459a2a1bf14be1b47

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/584-443-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/872-682-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/1484-503-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/1736-206-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1736-205-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/1740-51-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2212-265-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2260-121-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2260-122-0x0000000002A10000-0x0000000002A18000-memory.dmp

Filesize
32KB

Download
memory/2260-17-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2260-16-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2260-15-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/2260-14-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2260-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/2284-50-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2472-563-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download