dcrat | a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d.exe
Size

1.3MB
MD5

366a7ae7c55ba1cd3d612e46e499632a
SHA1

627ffd536380ae01581eb631d5b7066b4d4c2b52
SHA256

a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d
SHA512

84347fd0b4c09b1ce496c41b6f22e6efe68e4df0c8e516be127227c8647d53472ad688b18300166d2fab6ffb4fb724c4416ffec7b1b38a727708185285cd4de4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	3016	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	3016	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c66-9.dat	dcrat
behavioral1/memory/2764-13-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2252-262-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/1268-568-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/1552-628-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/2904-746-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2972-803-0x0000000000960000-0x0000000000A70000-memory.dmp	dcrat
behavioral1/memory/2576-860-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 45 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
348	powershell.exe
2824	powershell.exe
1500	powershell.exe
2548	powershell.exe
2888	powershell.exe
2688	powershell.exe
1304	powershell.exe
2684	powershell.exe
2884	powershell.exe
2172	powershell.exe
2952	powershell.exe
928	powershell.exe
2972	powershell.exe
1924	powershell.exe
1280	powershell.exe
1236	powershell.exe
1656	powershell.exe
2680	powershell.exe
2700	powershell.exe
2744	powershell.exe
2336	powershell.exe
2140	powershell.exe
772	powershell.exe
604	powershell.exe
2892	powershell.exe
2432	powershell.exe
1980	powershell.exe
2212	powershell.exe
304	powershell.exe
2908	powershell.exe
1812	powershell.exe
2732	powershell.exe
800	powershell.exe
2880	powershell.exe
856	powershell.exe
2976	powershell.exe
2684	powershell.exe
2800	powershell.exe
2092	powershell.exe
2888	powershell.exe
2028	powershell.exe
2680	powershell.exe
2960	powershell.exe
1484	powershell.exe
1520	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2764	DllCommonsvc.exe
2276	DllCommonsvc.exe
2088	DllCommonsvc.exe
2252	WmiPrvSE.exe
2668	WmiPrvSE.exe
2680	WmiPrvSE.exe
1076	WmiPrvSE.exe
1268	WmiPrvSE.exe
1552	WmiPrvSE.exe
1648	WmiPrvSE.exe
2904	WmiPrvSE.exe
2972	WmiPrvSE.exe
2576	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
264	cmd.exe
264	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\schtasks.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\3a6fe29a7ceee6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\powershell.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\fr-FR\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\AppPatch\Custom\Custom64\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\Custom\Custom64\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1772	schtasks.exe
2812	schtasks.exe
688	schtasks.exe
1940	schtasks.exe
2700	schtasks.exe
2528	schtasks.exe
2932	schtasks.exe
2724	schtasks.exe
1948	schtasks.exe
2396	schtasks.exe
2780	schtasks.exe
1572	schtasks.exe
2188	schtasks.exe
3052	schtasks.exe
1600	schtasks.exe
1468	schtasks.exe
348	schtasks.exe
1360	schtasks.exe
2856	schtasks.exe
1616	schtasks.exe
2892	schtasks.exe
684	schtasks.exe
2964	schtasks.exe
2228	schtasks.exe
1604	schtasks.exe
680	schtasks.exe
2024	schtasks.exe
680	schtasks.exe
1212	schtasks.exe
1668	schtasks.exe
880	schtasks.exe
2160	schtasks.exe
2760	schtasks.exe
1664	schtasks.exe
2792	schtasks.exe
2196	schtasks.exe
2288	schtasks.exe
2776	schtasks.exe
2140	schtasks.exe
2152	schtasks.exe
2984	schtasks.exe
2304	schtasks.exe
1360	schtasks.exe
2708	schtasks.exe
2364	schtasks.exe
2944	schtasks.exe
1184	schtasks.exe
1184	schtasks.exe
3036	schtasks.exe
2460	schtasks.exe
2724	schtasks.exe
944	schtasks.exe
1716	schtasks.exe
1260	schtasks.exe
2916	schtasks.exe
900	schtasks.exe
1516	schtasks.exe
2364	schtasks.exe
2844	schtasks.exe
744	schtasks.exe
2520	schtasks.exe
2024	schtasks.exe
1260	schtasks.exe
872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2764	DllCommonsvc.exe
2140	powershell.exe
2548	powershell.exe
2892	powershell.exe
2732	powershell.exe
1812	powershell.exe
2688	powershell.exe
2028	powershell.exe
2972	powershell.exe
2432	powershell.exe
2884	powershell.exe
2684	powershell.exe
2976	powershell.exe
2888	powershell.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
1924	powershell.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2336	powershell.exe
2908	powershell.exe
2092	powershell.exe
1980	powershell.exe
2744	powershell.exe
2800	powershell.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
2276	DllCommonsvc.exe
1304	powershell.exe
604	powershell.exe
2172	powershell.exe
2952	powershell.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	DllCommonsvc.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2276	DllCommonsvc.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2088	DllCommonsvc.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2252	WmiPrvSE.exe
Token: SeDebugPrivilege	2668	WmiPrvSE.exe
Token: SeDebugPrivilege	2680	WmiPrvSE.exe
Token: SeDebugPrivilege	1076	WmiPrvSE.exe
Token: SeDebugPrivilege	1268	WmiPrvSE.exe
Token: SeDebugPrivilege	1552	WmiPrvSE.exe
Token: SeDebugPrivilege	1648	WmiPrvSE.exe
Token: SeDebugPrivilege	2904	WmiPrvSE.exe
Token: SeDebugPrivilege	2972	WmiPrvSE.exe
Token: SeDebugPrivilege	2576	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2208	2580	JaffaCakes118_a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d.exe	30
PID 2580 wrote to memory of 2208	2580	JaffaCakes118_a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d.exe	30
PID 2580 wrote to memory of 2208	2580	JaffaCakes118_a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d.exe	30
PID 2580 wrote to memory of 2208	2580	JaffaCakes118_a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d.exe	30
PID 2208 wrote to memory of 264	2208	WScript.exe	31
PID 2208 wrote to memory of 264	2208	WScript.exe	31
PID 2208 wrote to memory of 264	2208	WScript.exe	31
PID 2208 wrote to memory of 264	2208	WScript.exe	31
PID 264 wrote to memory of 2764	264	cmd.exe	33
PID 264 wrote to memory of 2764	264	cmd.exe	33
PID 264 wrote to memory of 2764	264	cmd.exe	33
PID 264 wrote to memory of 2764	264	cmd.exe	33
PID 2764 wrote to memory of 2548	2764	DllCommonsvc.exe	93
PID 2764 wrote to memory of 2548	2764	DllCommonsvc.exe	93
PID 2764 wrote to memory of 2548	2764	DllCommonsvc.exe	93
PID 2764 wrote to memory of 2888	2764	DllCommonsvc.exe	173
PID 2764 wrote to memory of 2888	2764	DllCommonsvc.exe	173
PID 2764 wrote to memory of 2888	2764	DllCommonsvc.exe	173
PID 2764 wrote to memory of 2976	2764	DllCommonsvc.exe	95
PID 2764 wrote to memory of 2976	2764	DllCommonsvc.exe	95
PID 2764 wrote to memory of 2976	2764	DllCommonsvc.exe	95
PID 2764 wrote to memory of 2908	2764	DllCommonsvc.exe	96
PID 2764 wrote to memory of 2908	2764	DllCommonsvc.exe	96
PID 2764 wrote to memory of 2908	2764	DllCommonsvc.exe	96
PID 2764 wrote to memory of 2884	2764	DllCommonsvc.exe	97
PID 2764 wrote to memory of 2884	2764	DllCommonsvc.exe	97
PID 2764 wrote to memory of 2884	2764	DllCommonsvc.exe	97
PID 2764 wrote to memory of 2744	2764	DllCommonsvc.exe	99
PID 2764 wrote to memory of 2744	2764	DllCommonsvc.exe	99
PID 2764 wrote to memory of 2744	2764	DllCommonsvc.exe	99
PID 2764 wrote to memory of 2092	2764	DllCommonsvc.exe	101
PID 2764 wrote to memory of 2092	2764	DllCommonsvc.exe	101
PID 2764 wrote to memory of 2092	2764	DllCommonsvc.exe	101
PID 2764 wrote to memory of 2688	2764	DllCommonsvc.exe	102
PID 2764 wrote to memory of 2688	2764	DllCommonsvc.exe	102
PID 2764 wrote to memory of 2688	2764	DllCommonsvc.exe	102
PID 2764 wrote to memory of 2684	2764	DllCommonsvc.exe	183
PID 2764 wrote to memory of 2684	2764	DllCommonsvc.exe	183
PID 2764 wrote to memory of 2684	2764	DllCommonsvc.exe	183
PID 2764 wrote to memory of 2732	2764	DllCommonsvc.exe	104
PID 2764 wrote to memory of 2732	2764	DllCommonsvc.exe	104
PID 2764 wrote to memory of 2732	2764	DllCommonsvc.exe	104
PID 2764 wrote to memory of 2140	2764	DllCommonsvc.exe	105
PID 2764 wrote to memory of 2140	2764	DllCommonsvc.exe	105
PID 2764 wrote to memory of 2140	2764	DllCommonsvc.exe	105
PID 2764 wrote to memory of 1812	2764	DllCommonsvc.exe	106
PID 2764 wrote to memory of 1812	2764	DllCommonsvc.exe	106
PID 2764 wrote to memory of 1812	2764	DllCommonsvc.exe	106
PID 2764 wrote to memory of 2972	2764	DllCommonsvc.exe	107
PID 2764 wrote to memory of 2972	2764	DllCommonsvc.exe	107
PID 2764 wrote to memory of 2972	2764	DllCommonsvc.exe	107
PID 2764 wrote to memory of 2336	2764	DllCommonsvc.exe	108
PID 2764 wrote to memory of 2336	2764	DllCommonsvc.exe	108
PID 2764 wrote to memory of 2336	2764	DllCommonsvc.exe	108
PID 2764 wrote to memory of 2800	2764	DllCommonsvc.exe	110
PID 2764 wrote to memory of 2800	2764	DllCommonsvc.exe	110
PID 2764 wrote to memory of 2800	2764	DllCommonsvc.exe	110
PID 2764 wrote to memory of 2432	2764	DllCommonsvc.exe	112
PID 2764 wrote to memory of 2432	2764	DllCommonsvc.exe	112
PID 2764 wrote to memory of 2432	2764	DllCommonsvc.exe	112
PID 2764 wrote to memory of 2892	2764	DllCommonsvc.exe	115
PID 2764 wrote to memory of 2892	2764	DllCommonsvc.exe	115
PID 2764 wrote to memory of 2892	2764	DllCommonsvc.exe	115
PID 2764 wrote to memory of 2028	2764	DllCommonsvc.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a1519652a67217ce1a3f1740d900812df90b0030f60fcbc0f016281859a6f58d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Stationery\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\Custom\Custom64\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwbIpjOj78.bat"
        6⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1972
        
        C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WMIADAP.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\OSPPSVC.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\sppsvc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OSPPSVC.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\lsm.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
        9⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1288
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
        11⤵
        
        PID:900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2316
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
        13⤵
        
        PID:1232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:772
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
        15⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2368
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
        17⤵
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1584
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        19⤵
        
        PID:744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2448
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat"
        21⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1076
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
        23⤵
        
        PID:300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2840
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
        25⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1372
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Favorites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\powershell.exe'" /rl HIGHEST /f
1⤵
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f
1⤵
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f
1⤵
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\conhost.exe'" /rl HIGHEST /f
1⤵
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\Stationery\schtasks.exe'" /f
1⤵
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Stationery\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\Stationery\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\powershell.exe'" /f
1⤵
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\Custom\Custom64\conhost.exe'" /f
1⤵
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\Custom64\conhost.exe'" /rl HIGHEST /f
1⤵
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\Custom\Custom64\conhost.exe'" /rl HIGHEST /f
1⤵
PID:2668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "984288222-16199622461744644706125762328515540946816003862631168185169-326642383"
1⤵
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\OSPPSVC.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\sppsvc.exe'" /f
1⤵
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OSPPSVC.exe'" /f
1⤵
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
PID:2212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-50853882515466470-291940553-1946681695-3986440741846917671-1110703426261122296"
1⤵
PID:772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-487285753-503658592-474330542-137741563116628381788395548261336667297-1081872657"
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\101b941d020240

Filesize
950B

MD5
67a659d30cb0a832dd79f5c934e496cd

SHA1
7326c830790eeef7bdbcf7214288ee5aad08212d

SHA256
8c25170c5decb26d0f7c5244a8ab8a18a3f196113f6bbcd1b4b0ae38781fc547

SHA512
b7603b5ea911cd06c5b0b0a5b3b9a02078ae6be490c53e7fe621aad594b487e91ffaf99dffe1652c35df2a30b837a7588e9a18d351a674b40a2df00096c985e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef03d455c4ff26b703eaa3a97f655708

SHA1
27ba011bd854de85521db20a5183816cb10101ea

SHA256
c9162bea0c2b5ba36d90d7277499e17f8fc8c8d9870cf466f86a28bb45d5ae46

SHA512
109e26f69ac76737f83907f8ccc2786f81160f90cccfd7725eeed809730f50e6d5a2a13f07b89a228906d1be5918210702a7411c5cf9314a0e7343a1a918af1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7feb2d2dd9cd685616e40cad6f7ed9e2

SHA1
c24ec0c41629edd2cd42d06b111fb212ca1d4d35

SHA256
323ca644af8d1e51f17b38afa6533db7a8d3eb548b83522f5941c7736f67d9eb

SHA512
360cd553bba0bf3702cb71ac095d1537b147e0eb181ce66048b137a292a851e4547045af1a2befc42b96b5f441d1b88c92b4afeda7f390fa78208cfa1fd606d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0568c332e5fc24fd66fe000d4032674e

SHA1
2065fe49bbbd434cb40d1159400a30db0e443812

SHA256
78bdf723bb5270db20178e1a5f88f759fae00b20931908ed27e393da5ca5a5b0

SHA512
00014aa05fbd35bcc799d1dbfa6bbfcbc5d063b3dc8714c0fd6cd5816e7d589e95a55d7ff7e925f52da3d6925d4d0a3904247f3daaf31a319fcf81aad431ad3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fdcac9a641b2a81b26617aa5e83e16f

SHA1
f1ceda26bde1e9ffa7f533340cf43eaeace29e24

SHA256
735dca79f906e1c0fce969d2af81563068c319e53363a1e3566e8c8b39a3fce0

SHA512
3cdf271e18f4d1e610abbd07691e7e2c5a4973e4c903ab064d35de4edef836587e1d8512eaf3c3cff490212a434d55f641525e4b7f585eb77ad1d774e9a62955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2edbd97875b4da9f3bff5303627750cd

SHA1
4e657ff2795be5b8449cf08319a5ff07ec8795ea

SHA256
2e36198f1ad8a314f272946b552acec4f46ea19347aea725de1c840ebd63559a

SHA512
30f612b5fd44ab874901a975571c42c096d664ce1a51f863e446d175417adb5e5fbf1ab1e388f2816e1b0511e1369790182154ce13bd723a9cf01b00c1643e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b729e63a73315a855bf40c4c5e0e97e9

SHA1
34798b01c3817891d28dcc81ab72864b2a3a43b7

SHA256
d11f2589c79c6a2335b0fec271c10d026b948537491dfc7161bc27bd73aeeebe

SHA512
dd23f5c0f9f24a4c098eb3ac8e247d7a789708f96695e456a53275194ecb3d4453b65ea2364e61c364ae4e4756ac8ad4cf65ab3a312658b7643b1d5abd73b8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat

Filesize
240B

MD5
9dd190a1b5edd156c294428b06eeacd2

SHA1
e1c18b7ec231cd8d9921b71b7a08cc3ab30117d1

SHA256
13bb73d3b45ee3e7de773b11ee3755a43ee45605ad9f969e37b002d767111acd

SHA512
09266bdab4bb41753507a1e8d823567c59ba14a24144208625f8d1999c8ba86ea37e2ea6b90aa5656aec8727ab70dd87662fd056fccd4f9a15bb745a143c8e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1058.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

Filesize
240B

MD5
7230c1a5699f4635c67783742101299d

SHA1
a2dba97d2faeac6d1763d536eea8af28b381e858

SHA256
714fe38be4c060b50935b873866dd1ad0b408310239cda2f509f49f5bd517c8d

SHA512
80eac8a7af89356d6702e495f59e5424cf602d5fc4e293cc276911519225cf4c0811d84bb6a25e2a41fcd6369f6adcd095e35d0b3ada2e35244a2b76afe4f46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

Filesize
240B

MD5
b624d603ecea0cad183c9203e5c7aac1

SHA1
f688c853926272516bedb0753edf4bb3d208f1b9

SHA256
a125e28139a31bb7127961a6009e09fa777f1adf07ee0bb0d7acb6a16f093b2d

SHA512
b438c31870dd3a777a4dc881ebfd5f9881579915a1cd97d9538ce2387c3cbcd1d02ba93281c072ecb90650df8074c3bbab17e96b56c9d4891b9401a4e2d40621

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar107A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

Filesize
240B

MD5
083abbccbb99522de991d2bb9d68ebfb

SHA1
0c005ed24a0a1ab8481dd5ccf54ec16948775571

SHA256
5aad3d0933b39aec5d6267f0e2762e0803c54d9559b04ed7afb45f427cc22c59

SHA512
d0d9752137c25288464e5f92992254dafc41320df75815f2813aa160046f6bc4b5e8e5d1fb5f7c24af6bc57dac33bb02e59c19aaa497715b6bc80d882a7d4050

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
240B

MD5
398f05d55622fbdde741c732f89af954

SHA1
f2a63c1519ab2a23d600d10d847b06a4f65fcd09

SHA256
6a05a6a184973e64e6df71d0d3111b153595cbc6dbcd3baf25c6073d33dae3f3

SHA512
990a38945fbd2d9db14619685e4f3558d58c64b003e234a682d1a65ef631ed1af4ef3e8070808a23dcda14bcea9465fa807dde0996b8e4496bbafb40befe4269

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

Filesize
240B

MD5
cfa9ccc65cf3db84ee475e0620c64c2a

SHA1
e1246b1f16d5fa862d73901c81448eb742c8b529

SHA256
69b9e5846d30c9b7728a9eeeb76ea27417381ea2a31503c598a666364ed8ed1f

SHA512
eb7a26690cfad3f74883b94adba466c0f2757e075ca56421ed954f47aa5f1cf70552ec7c60effd2edebd43ecf183f0a06c65e102e16c3b30c8c9c42749bd8bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwbIpjOj78.bat

Filesize
199B

MD5
2df9a0fbd28659a70911138445fd0dfa

SHA1
c97058c2b25e7b236175db20b9c0fc49b46a4ad9

SHA256
3e7c3a1523bb2fb7a2584991fbe2b0b3cd196845c5d7f8b9a93d76e4432edb14

SHA512
3c89f185232097b3f4e4aa508669cc7fd746e5f01a5a431971401de31689aeccfd40cd82c9263ca4a886463d3a26c2d47a6dc7fcfe6a6bf81350085df6fb9214

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a5487009eb381cfce8d399b1eb791c3d

SHA1
e1ce124743b8f9e2ff4a555742a0dd31b105cd5f

SHA256
66110b955ec4d0f32c5b9cd2c05034752b65def76ce71c03456928c2e1400e44

SHA512
b9583f70c6b0c1f52a3c752ec51d1031655a1e6b1e5089f00be06c63726df5af5be27aa353a7a11348260fad30b0f133b6f24fc13b022c26376593497b579fcb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7U36I6B9FY3N0TQ2NXX1.temp

Filesize
7KB

MD5
6bdb1acc05c8b26f555172daec7318a7

SHA1
48ac5dc96261fc986c088454cb1fbb842339b4da

SHA256
3d9848d6228f641027f2c5552cfa618996b412e17fb3cbfb40ff3df882310c43

SHA512
9dd6b01a67db6bca558a91f1deb42add02a04451a99653027db7664cb00bce5cda944dd8150a84e5272805f62415e3ac3c33efda4ddc83e08b9dd72f45e3233d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\27d1bcfc3c54e0

Filesize
524B

MD5
40a24140fc536df3a8bef40aecf3c269

SHA1
e5387fedbd7e16f70387f43033c5bb50db9bf78b

SHA256
35473133907725c295312bfbdf12ba319712c65c3c30ed9eb14f115bfcb499c8

SHA512
494976673378f17225ab63d0101079698f4cc3194f7899b4741e880e1e9555a2909fa0e0b41796f9430126f8e5f8087c91388944fb0bc6a8964c59863c547306

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/604-193-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/1268-568-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/1304-172-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1552-628-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/1648-688-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2140-68-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2140-67-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2252-262-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2576-860-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/2576-861-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2764-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2764-13-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2764-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2764-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2764-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2904-746-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2972-803-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download