dcrat | 782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea.exe
Size

1.3MB
MD5

25687a768df356781ffccce530b81577
SHA1

b5e7dc60f8f1c3704bb5b930093d7c2519343acd
SHA256

782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea
SHA512

6aedcf4071d41ad1bc622e6d0fa0ecf29497b64c8d5b063bf60475e7407f729ff931bc651f61d1ba9868dd28c0a9c8ac04b06e3d6cffab460fe66c7d4633da47
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2996	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2996	schtasks.exe	35

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cab-9.dat	dcrat
behavioral1/memory/2880-13-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/1532-182-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/2052-241-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/1748-657-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2864	powershell.exe
1724	powershell.exe
896	powershell.exe
1624	powershell.exe
1284	powershell.exe
2400	powershell.exe
1780	powershell.exe
788	powershell.exe
1716	powershell.exe
968	powershell.exe
1772	powershell.exe
2004	powershell.exe
2316	powershell.exe
672	powershell.exe
328	powershell.exe
2420	powershell.exe
1748	powershell.exe
828	powershell.exe
2864	powershell.exe
3048	powershell.exe
2304	powershell.exe
1932	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2880	DllCommonsvc.exe
1232	DllCommonsvc.exe
1532	csrss.exe
2052	csrss.exe
2168	csrss.exe
2976	csrss.exe
2536	csrss.exe
1188	csrss.exe
2168	csrss.exe
2908	csrss.exe
1748	csrss.exe
2944	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	cmd.exe
2492	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
18	raw.githubusercontent.com
21	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\schtasks.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\3a6fe29a7ceee6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\schtasks.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\fr-FR\schtasks.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\3a6fe29a7ceee6	DllCommonsvc.exe
File created	C:\Windows\Media\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Media\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1648	schtasks.exe
2696	schtasks.exe
2812	schtasks.exe
1932	schtasks.exe
528	schtasks.exe
2992	schtasks.exe
972	schtasks.exe
528	schtasks.exe
3032	schtasks.exe
2052	schtasks.exe
1740	schtasks.exe
1740	schtasks.exe
968	schtasks.exe
2604	schtasks.exe
1980	schtasks.exe
1888	schtasks.exe
2536	schtasks.exe
1192	schtasks.exe
2332	schtasks.exe
1268	schtasks.exe
2120	schtasks.exe
2620	schtasks.exe
276	schtasks.exe
1164	schtasks.exe
1612	schtasks.exe
2692	schtasks.exe
2660	schtasks.exe
3016	schtasks.exe
1904	schtasks.exe
1460	schtasks.exe
2084	schtasks.exe
2816	schtasks.exe
2788	schtasks.exe
880	schtasks.exe
2212	schtasks.exe
2968	schtasks.exe
2836	schtasks.exe
560	schtasks.exe
2808	schtasks.exe
2564	schtasks.exe
1520	schtasks.exe
2072	schtasks.exe
1344	schtasks.exe
2504	schtasks.exe
772	schtasks.exe
1872	schtasks.exe
1908	schtasks.exe
2976	schtasks.exe
1044	schtasks.exe
2088	schtasks.exe
2600	schtasks.exe
2248	schtasks.exe
1744	schtasks.exe
2148	schtasks.exe
2820	schtasks.exe
524	schtasks.exe
2704	schtasks.exe
1980	schtasks.exe
2468	schtasks.exe
1648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	DllCommonsvc.exe
2880	DllCommonsvc.exe
2880	DllCommonsvc.exe
2004	powershell.exe
1772	powershell.exe
2400	powershell.exe
1780	powershell.exe
328	powershell.exe
1724	powershell.exe
2864	powershell.exe
896	powershell.exe
2420	powershell.exe
1748	powershell.exe
968	powershell.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	DllCommonsvc.exe
Token: SeDebugPrivilege	1232	DllCommonsvc.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	1532	csrss.exe
Token: SeDebugPrivilege	2052	csrss.exe
Token: SeDebugPrivilege	2168	csrss.exe
Token: SeDebugPrivilege	2976	csrss.exe
Token: SeDebugPrivilege	2536	csrss.exe
Token: SeDebugPrivilege	1188	csrss.exe
Token: SeDebugPrivilege	2168	csrss.exe
Token: SeDebugPrivilege	2908	csrss.exe
Token: SeDebugPrivilege	1748	csrss.exe
Token: SeDebugPrivilege	2944	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1516	2280	JaffaCakes118_782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea.exe	31
PID 2280 wrote to memory of 1516	2280	JaffaCakes118_782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea.exe	31
PID 2280 wrote to memory of 1516	2280	JaffaCakes118_782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea.exe	31
PID 2280 wrote to memory of 1516	2280	JaffaCakes118_782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea.exe	31
PID 1516 wrote to memory of 2492	1516	WScript.exe	32
PID 1516 wrote to memory of 2492	1516	WScript.exe	32
PID 1516 wrote to memory of 2492	1516	WScript.exe	32
PID 1516 wrote to memory of 2492	1516	WScript.exe	32
PID 2492 wrote to memory of 2880	2492	cmd.exe	34
PID 2492 wrote to memory of 2880	2492	cmd.exe	34
PID 2492 wrote to memory of 2880	2492	cmd.exe	34
PID 2492 wrote to memory of 2880	2492	cmd.exe	34
PID 2880 wrote to memory of 968	2880	DllCommonsvc.exe	118
PID 2880 wrote to memory of 968	2880	DllCommonsvc.exe	118
PID 2880 wrote to memory of 968	2880	DllCommonsvc.exe	118
PID 2880 wrote to memory of 2400	2880	DllCommonsvc.exe	67
PID 2880 wrote to memory of 2400	2880	DllCommonsvc.exe	67
PID 2880 wrote to memory of 2400	2880	DllCommonsvc.exe	67
PID 2880 wrote to memory of 328	2880	DllCommonsvc.exe	136
PID 2880 wrote to memory of 328	2880	DllCommonsvc.exe	136
PID 2880 wrote to memory of 328	2880	DllCommonsvc.exe	136
PID 2880 wrote to memory of 2864	2880	DllCommonsvc.exe	130
PID 2880 wrote to memory of 2864	2880	DllCommonsvc.exe	130
PID 2880 wrote to memory of 2864	2880	DllCommonsvc.exe	130
PID 2880 wrote to memory of 1772	2880	DllCommonsvc.exe	70
PID 2880 wrote to memory of 1772	2880	DllCommonsvc.exe	70
PID 2880 wrote to memory of 1772	2880	DllCommonsvc.exe	70
PID 2880 wrote to memory of 2420	2880	DllCommonsvc.exe	71
PID 2880 wrote to memory of 2420	2880	DllCommonsvc.exe	71
PID 2880 wrote to memory of 2420	2880	DllCommonsvc.exe	71
PID 2880 wrote to memory of 1748	2880	DllCommonsvc.exe	72
PID 2880 wrote to memory of 1748	2880	DllCommonsvc.exe	72
PID 2880 wrote to memory of 1748	2880	DllCommonsvc.exe	72
PID 2880 wrote to memory of 2004	2880	DllCommonsvc.exe	73
PID 2880 wrote to memory of 2004	2880	DllCommonsvc.exe	73
PID 2880 wrote to memory of 2004	2880	DllCommonsvc.exe	73
PID 2880 wrote to memory of 1724	2880	DllCommonsvc.exe	137
PID 2880 wrote to memory of 1724	2880	DllCommonsvc.exe	137
PID 2880 wrote to memory of 1724	2880	DllCommonsvc.exe	137
PID 2880 wrote to memory of 1780	2880	DllCommonsvc.exe	75
PID 2880 wrote to memory of 1780	2880	DllCommonsvc.exe	75
PID 2880 wrote to memory of 1780	2880	DllCommonsvc.exe	75
PID 2880 wrote to memory of 896	2880	DllCommonsvc.exe	76
PID 2880 wrote to memory of 896	2880	DllCommonsvc.exe	76
PID 2880 wrote to memory of 896	2880	DllCommonsvc.exe	76
PID 2880 wrote to memory of 1232	2880	DllCommonsvc.exe	88
PID 2880 wrote to memory of 1232	2880	DllCommonsvc.exe	88
PID 2880 wrote to memory of 1232	2880	DllCommonsvc.exe	88
PID 1232 wrote to memory of 1624	1232	DllCommonsvc.exe	119
PID 1232 wrote to memory of 1624	1232	DllCommonsvc.exe	119
PID 1232 wrote to memory of 1624	1232	DllCommonsvc.exe	119
PID 1232 wrote to memory of 1932	1232	DllCommonsvc.exe	120
PID 1232 wrote to memory of 1932	1232	DllCommonsvc.exe	120
PID 1232 wrote to memory of 1932	1232	DllCommonsvc.exe	120
PID 1232 wrote to memory of 672	1232	DllCommonsvc.exe	121
PID 1232 wrote to memory of 672	1232	DllCommonsvc.exe	121
PID 1232 wrote to memory of 672	1232	DllCommonsvc.exe	121
PID 1232 wrote to memory of 1284	1232	DllCommonsvc.exe	122
PID 1232 wrote to memory of 1284	1232	DllCommonsvc.exe	122
PID 1232 wrote to memory of 1284	1232	DllCommonsvc.exe	122
PID 1232 wrote to memory of 2304	1232	DllCommonsvc.exe	123
PID 1232 wrote to memory of 2304	1232	DllCommonsvc.exe	123
PID 1232 wrote to memory of 2304	1232	DllCommonsvc.exe	123
PID 1232 wrote to memory of 788	1232	DllCommonsvc.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_782ca4ff1846fb733c50728d0412e51d1f0c04889b56aed5c6749814b143dbea.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eAmWIstwYx.bat"
        6⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:840
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        8⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2720
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat"
        10⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2580
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat"
        12⤵
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2932
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
        14⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:940
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
        16⤵
        
        PID:804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2080
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
        18⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2948
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
        20⤵
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1712
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        22⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2476
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
        24⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1800
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\PrintHood\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Windows\fr-FR\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1750713503-12422860677879396521820224966-9283884791150046570-350823998-264280782"
1⤵
PID:328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "830292169-1915209245-15222513191914244785-1381238734494876581-20617165-466283144"
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b6e2632351d0a8d3ef33e84c16d576d

SHA1
ea5db0a67c179167e65af58d6c0b4e612aa438e5

SHA256
e70e30398151181d010b9729d03b5b885c863ce015a975015a948ee1b5bd068e

SHA512
7d0b54f7c60aab4c3387b091ae5eb0bd43f3eef93081f7546051585bbd0c5f9b7c36c150658aeaefce30396be797e97586d9528ec16d4f89309b91e280b9818b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed7447bccd8b553b6cd5e4e5168729a6

SHA1
c7eee21aaec27f360feeabf6f5f55dbbdbd09043

SHA256
c85d81ebe1b7a5c68ce31fa3c1a736b2256c4dae830f1f1727df241c9d882587

SHA512
f2ae270fa28bec3f2f7f45b54df2d7ba5cb1851bdcead071a8dcf46c8b9049b96928db0923202163026621cf3d6f801d242f9088a24d18d31f01bad4e4ec094d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b658578e4aade27c668a28008d24488b

SHA1
534c8b0811262efec4efd2a8e864666abe2581ab

SHA256
d8de95f8ea5cfb4fc9c72b384055ac8ed7108a8775b3a7d2320feac89bfb298f

SHA512
2f54d47f253e55c619c1e44923fa235e2e0459130e1ad987c423a52ab6d93ac2a447abc9ef77beefe98d23e8551d68e1fda40d9f0c208122042ac9be223ee1d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6663ed542065a1cca917dc39c54364fa

SHA1
cb1c1d0392ed7b46b56eb9a187bafa6a2eaf1583

SHA256
8ae7b0d5d6ddcb90516fcaa3de6cdc26de272309f25ae6b322c54f0aa087f9bd

SHA512
361429e27403993e2c4c65d52cd7b3c37ca7b8f51da327ca62d46ccf186849fb3fb40de7cdd23ab7ca864b3d2d3a20d67349fa0296b389fd004c2145d1439aa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05abbede677fd08580a1b43ed358c72b

SHA1
4beeb55c346c13855d7dcdf8db79a8005ebb5ca0

SHA256
9b0e50891e9e97ded86ead362daf6f71908f89238bea883fa5802f5a0254f66c

SHA512
bdacf70204db8268af9f0766e829db895bed3ac8e93038e7b45577be2705213cc938ab57a8eee5e1517096c1e40f0ffad677c9182c94d5e4145081fe39805715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79432bf1396f2aa73a2bf65e71fd3df5

SHA1
be1328f46969d2608fa07253e682116990316342

SHA256
ed0e7380a7a6e3dfc1ddba1287b89ad87c5e9cc4b8e7922fc2192aa63a8c39c7

SHA512
b206f1ab243f87a68ca3d065686c7571e425f793043c2651ca44bc5b3679a84b3a4417964a82d16bd1487af76673465f59d921c4d35514fc8acb06d2b9d33bbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54916a4066cc6f97ea6c2952f669e6bd

SHA1
c609667e57251e6c336d67a6c13fd7e0372c7a92

SHA256
12154107a24713b63086c049a5dadd5f2734d4ae2111bcfc370c0e4427b5c9e5

SHA512
13116f207c7f7cf382422debd0224472f7817e1c01d4307c1dba2adf8b016553bb80f75626af8e378407f5a03d858974dd4cd9ff22a48059acd3b7e7d9f36063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e6b6f808e0a3e074795ec8d21e65855

SHA1
4aadd7e592101214580872ab8c3ff35ee2fef914

SHA256
7773d77a8907695c035174b3879f51d27f5a91f14f12986912bddb7d9a1f2a47

SHA512
e392b66056ea54896e535d00a31e0aa0e8c48f048dee4670d4b01ddb3b29924e3da42b4de2cabf30d420b4e4e29d823e74430433d822fa2587e7be1c0e6e2e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fBkFKqKat.bat

Filesize
223B

MD5
d537229c84a7cb253d268b0dc83a0df2

SHA1
864cf8c4faf29481b7330b852fe42e78d20274f0

SHA256
3518f7fbe3a3f4c1dad203b45630a3f4d20df8b9d57783d3dc2dd0a586be5b23

SHA512
2d451055a5e9c1aeb3ac1bc513812391cf890badc2ee24cf05bfa693d03bf23b89b57373061c6036eece4fd68d7c0fec7d2fea12a5f3e588d22a9ba77f31f41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat

Filesize
223B

MD5
78244c31596be265a4bc594a04a304c0

SHA1
c28a3dd8d6d010fcfa98770ad7185de685588d35

SHA256
ff102ae8aa8591c19752a9a10296e551d00e2e90e392b3fe65cf82502ae99efd

SHA512
3d3986d8862515d86c465ec1e0c46fb5234a24d9509ec50227656026306aef8d4c1eeb087f6e78952dba949754fe288876ae587efe82f5088e00e198fae03899

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat

Filesize
223B

MD5
667f42fad6e18ad6916c0ce3e21d20e7

SHA1
0ce312a2d1888ffe2b46d2c97679307e8731622e

SHA256
c0a2c8fefa08a0f277a47ddf2fc61b000807de0e7939a15dff7202ec04c2d1cb

SHA512
4ec4e030a82302567b2287a049acaaaad20e0b284e80e8bf697830be25820600f10c50efa9d41b518821b6ad3b11f8fcf3973a0ae40dfa02bd0c61bb8c373414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab537F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
223B

MD5
2443d8fba1b7759f4fcb1b6fa35f0962

SHA1
3b43e55cb99257af51a4514f39de605627d6fcda

SHA256
ae8641d6d406bf4192e63b44e823dd39970e874736821c4ec6fb8fdab9cb5475

SHA512
386b86f1d86e6271033d998e30e639986226e6973be67a353e707ad3424e2c941752d8af16579d9e4898b97a73fedfa6181f4a90f1ada974bb1fa44bb9105129

Download Submit
C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat

Filesize
223B

MD5
0609b1b69c7096c0913fabdda7e04365

SHA1
779398c8002003dca89de28137eae7cf769b6c41

SHA256
ac5d7f643c2ba1819508e427954cb4377ac47bd3da4a5f31d2e6b96197a4ec2a

SHA512
5269c1c4f5a138b3f13c63b6a365cc5c7c37b600b409f3c0f620e27b85c9d2ab0f611747acccbd45b6fcfdbda9d0ffae2ed9e1ea69a99994667574707f11e86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiQtqM3qVs.bat

Filesize
223B

MD5
4350b721f7681ad014c40600f63cf049

SHA1
1a0f17586e9db4095ebed6836eec7149b78eb90c

SHA256
9f1f340db725294871763ce1ce69980b1b70fd3f81a86d05ef4f8848b4f511f2

SHA512
a8e23970658d1d2c16012323bbbcbcee2d8234dcdf6b66b3107a965a8357590856f6dd760cb13ce2425bf7eb0b40a2ff792eb3fa4b4921c69168869fffcf878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
223B

MD5
b7a451f8e3ecd88540c25098fe1d97b9

SHA1
9bc2f2499c4787b44c7a80dbc642c81ad46534fa

SHA256
a85b559361a2cac0ee60c83b4ffda09ab6b5c6a5371063ee923db1b1634c1124

SHA512
ced19e28bcb9b4b9e8caad0eabce23c2789f5e5ecb93be4968b42a2127ac1e1c4f27a6f6021328b01878996fe621c87d9d1e55f46923be379b5d276e9c20e0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar540E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAmWIstwYx.bat

Filesize
223B

MD5
250f884e68fea6a7d2d3b3322a62a5dd

SHA1
4c5ea93b9cbe3949256efa9005d7231127fbf07c

SHA256
52e511b6fa03ed12d0c42db097acad7565e056aa6d56ed3eaec0b45c45ff80fc

SHA512
f0bca0f03bb7d3351ca845c74d54bd8a051b682ad4076ef262b40599b542dd1c9374507dd701249a7e4fdfcd42f20fa1edae7ee3bb82ca2d69e086914f00135a

Download Submit
C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat

Filesize
223B

MD5
9e2b0b6ea8ca800d7de0f74c74617fac

SHA1
ae1f834ad739aca9b58fdbf803a529b549ca634d

SHA256
514d26d06c65fe69a80804885f2e78b470217b9591dfffa7af5a8128b658f897

SHA512
d749ca501d27811320e4c74534a4f858003894f0a843c7b1916ee3da83ef0366917bb04cf6ba94e426a68e6fe94c493761d5430fb8d089953b77a4d0b96466e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

Filesize
223B

MD5
5179d0c1aba54b10f87a69e2daf8af5b

SHA1
a1c6ddbe590ca11e237799ac435b2e3e4d526e3d

SHA256
7880adb053ceb71147498a54dac901aa7c799e2fca837b99c0aaef104f70691d

SHA512
e7fa0614300011edb1d164c94d32736401ca9f4f2018285e1ae440a35907c26028bc630066283b2c7c684cf81568956f24db3a512675e28c5572f9784913c8d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5cdad9f605f177dbb0e55da344f5e484

SHA1
0d75180186d43392efba4aa99d1645b77daae03c

SHA256
a947355d980024fcb136940b1f07ee975e2a2de5cd37743bb7d2d46c4d82fe0c

SHA512
fe15836dc894590953e0cf7dec51819c2614f64a3f084f49397bb9cf8d9ac5d331f658ae7da4c6a6fb1befc6675e7e638e12f8ed5292dbcce38a6cbef9a4ea03

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/968-94-0x000000001B0B0000-0x000000001B392000-memory.dmp

Filesize
2.9MB

Download
memory/1232-93-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/1284-131-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/1284-132-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1532-182-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/1748-657-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1748-658-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1772-95-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2052-241-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2168-301-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2880-17-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2880-16-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2880-15-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2880-14-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2880-13-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2908-597-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2944-718-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download