dcrat | 882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243.exe
Size

1.3MB
MD5

1fb7424840b9b4b47eb8b86ea93174d0
SHA1

052dd2568ab36a75bcc821d8001ec16b7985d34b
SHA256

882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243
SHA512

b9d9bdd2ba77cee96b3659cf9213d3ed924ec7a2b5a03b63145aa9896a7350106346fb7cc9e25fd53d4f5feeb03ad2b75c54deae85d7998a646899f7defef0ca
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2768	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2768	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000195ad-10.dat	dcrat
behavioral1/memory/2980-13-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/812-62-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1588-115-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/848-259-0x0000000000950000-0x0000000000A60000-memory.dmp	dcrat
behavioral1/memory/236-319-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/2140-379-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/1588-439-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2164-499-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/2984-559-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2000	powershell.exe
2612	powershell.exe
2536	powershell.exe
2000	powershell.exe
2424	powershell.exe
2312	powershell.exe
964	powershell.exe
2992	powershell.exe
908	powershell.exe
2304	powershell.exe
1728	powershell.exe
1832	powershell.exe
2152	powershell.exe
1656	powershell.exe
1340	powershell.exe
1328	powershell.exe
2508	powershell.exe
2548	powershell.exe
1880	powershell.exe
1768	powershell.exe
1696	powershell.exe
972	powershell.exe
320	powershell.exe
892	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2980	DllCommonsvc.exe
812	DllCommonsvc.exe
1588	dwm.exe
848	dwm.exe
236	dwm.exe
2140	dwm.exe
1588	dwm.exe
2164	dwm.exe
2984	dwm.exe
1324	dwm.exe
2592	dwm.exe
2972	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2892	cmd.exe
2892	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\es-ES\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\ehome\wow\ja-JP\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\Panther\setup.exe\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\setup.exe\24dbde2999530e	DllCommonsvc.exe
File opened for modification	C:\Windows\ehome\wow\ja-JP\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\wow\ja-JP\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\TAPI\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2904	schtasks.exe
2628	schtasks.exe
2396	schtasks.exe
1560	schtasks.exe
2364	schtasks.exe
2456	schtasks.exe
2332	schtasks.exe
2144	schtasks.exe
1140	schtasks.exe
772	schtasks.exe
2168	schtasks.exe
2320	schtasks.exe
2420	schtasks.exe
2920	schtasks.exe
2060	schtasks.exe
2964	schtasks.exe
2072	schtasks.exe
1916	schtasks.exe
712	schtasks.exe
2756	schtasks.exe
564	schtasks.exe
2672	schtasks.exe
1628	schtasks.exe
2880	schtasks.exe
2164	schtasks.exe
2480	schtasks.exe
2940	schtasks.exe
2796	schtasks.exe
1020	schtasks.exe
976	schtasks.exe
2288	schtasks.exe
2944	schtasks.exe
2388	schtasks.exe
956	schtasks.exe
2284	schtasks.exe
2640	schtasks.exe
2096	schtasks.exe
2148	schtasks.exe
2592	schtasks.exe
2524	schtasks.exe
2312	schtasks.exe
2024	schtasks.exe
768	schtasks.exe
2868	schtasks.exe
1540	schtasks.exe
2160	schtasks.exe
1500	schtasks.exe
2132	schtasks.exe
2180	schtasks.exe
1592	schtasks.exe
2888	schtasks.exe
960	schtasks.exe
2852	schtasks.exe
960	schtasks.exe
3040	schtasks.exe
2444	schtasks.exe
2036	schtasks.exe
1468	schtasks.exe
2008	schtasks.exe
1620	schtasks.exe
2608	schtasks.exe
700	schtasks.exe
676	schtasks.exe
2316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2980	DllCommonsvc.exe
2312	powershell.exe
1728	powershell.exe
892	powershell.exe
2548	powershell.exe
2000	powershell.exe
1832	powershell.exe
812	DllCommonsvc.exe
812	DllCommonsvc.exe
812	DllCommonsvc.exe
812	DllCommonsvc.exe
812	DllCommonsvc.exe
812	DllCommonsvc.exe
812	DllCommonsvc.exe
1656	powershell.exe
2508	powershell.exe
1696	powershell.exe
1880	powershell.exe
1328	powershell.exe
2536	powershell.exe
972	powershell.exe
964	powershell.exe
2992	powershell.exe
908	powershell.exe
2304	powershell.exe
2612	powershell.exe
2152	powershell.exe
320	powershell.exe
1768	powershell.exe
2424	powershell.exe
1340	powershell.exe
2000	powershell.exe
1588	dwm.exe
848	dwm.exe
236	dwm.exe
2140	dwm.exe
1588	dwm.exe
2164	dwm.exe
2984	dwm.exe
1324	dwm.exe
2592	dwm.exe
2972	dwm.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	DllCommonsvc.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	812	DllCommonsvc.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1588	dwm.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	848	dwm.exe
Token: SeDebugPrivilege	236	dwm.exe
Token: SeDebugPrivilege	2140	dwm.exe
Token: SeDebugPrivilege	1588	dwm.exe
Token: SeDebugPrivilege	2164	dwm.exe
Token: SeDebugPrivilege	2984	dwm.exe
Token: SeDebugPrivilege	1324	dwm.exe
Token: SeDebugPrivilege	2592	dwm.exe
Token: SeDebugPrivilege	2972	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2244	2348	JaffaCakes118_882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243.exe	29
PID 2348 wrote to memory of 2244	2348	JaffaCakes118_882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243.exe	29
PID 2348 wrote to memory of 2244	2348	JaffaCakes118_882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243.exe	29
PID 2348 wrote to memory of 2244	2348	JaffaCakes118_882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243.exe	29
PID 2244 wrote to memory of 2892	2244	WScript.exe	30
PID 2244 wrote to memory of 2892	2244	WScript.exe	30
PID 2244 wrote to memory of 2892	2244	WScript.exe	30
PID 2244 wrote to memory of 2892	2244	WScript.exe	30
PID 2892 wrote to memory of 2980	2892	cmd.exe	32
PID 2892 wrote to memory of 2980	2892	cmd.exe	32
PID 2892 wrote to memory of 2980	2892	cmd.exe	32
PID 2892 wrote to memory of 2980	2892	cmd.exe	32
PID 2980 wrote to memory of 2548	2980	DllCommonsvc.exe	49
PID 2980 wrote to memory of 2548	2980	DllCommonsvc.exe	49
PID 2980 wrote to memory of 2548	2980	DllCommonsvc.exe	49
PID 2980 wrote to memory of 2312	2980	DllCommonsvc.exe	50
PID 2980 wrote to memory of 2312	2980	DllCommonsvc.exe	50
PID 2980 wrote to memory of 2312	2980	DllCommonsvc.exe	50
PID 2980 wrote to memory of 2000	2980	DllCommonsvc.exe	51
PID 2980 wrote to memory of 2000	2980	DllCommonsvc.exe	51
PID 2980 wrote to memory of 2000	2980	DllCommonsvc.exe	51
PID 2980 wrote to memory of 1728	2980	DllCommonsvc.exe	52
PID 2980 wrote to memory of 1728	2980	DllCommonsvc.exe	52
PID 2980 wrote to memory of 1728	2980	DllCommonsvc.exe	52
PID 2980 wrote to memory of 1832	2980	DllCommonsvc.exe	53
PID 2980 wrote to memory of 1832	2980	DllCommonsvc.exe	53
PID 2980 wrote to memory of 1832	2980	DllCommonsvc.exe	53
PID 2980 wrote to memory of 892	2980	DllCommonsvc.exe	54
PID 2980 wrote to memory of 892	2980	DllCommonsvc.exe	54
PID 2980 wrote to memory of 892	2980	DllCommonsvc.exe	54
PID 2980 wrote to memory of 2368	2980	DllCommonsvc.exe	61
PID 2980 wrote to memory of 2368	2980	DllCommonsvc.exe	61
PID 2980 wrote to memory of 2368	2980	DllCommonsvc.exe	61
PID 2368 wrote to memory of 320	2368	cmd.exe	63
PID 2368 wrote to memory of 320	2368	cmd.exe	63
PID 2368 wrote to memory of 320	2368	cmd.exe	63
PID 2368 wrote to memory of 812	2368	cmd.exe	64
PID 2368 wrote to memory of 812	2368	cmd.exe	64
PID 2368 wrote to memory of 812	2368	cmd.exe	64
PID 812 wrote to memory of 2152	812	DllCommonsvc.exe	116
PID 812 wrote to memory of 2152	812	DllCommonsvc.exe	116
PID 812 wrote to memory of 2152	812	DllCommonsvc.exe	116
PID 812 wrote to memory of 1768	812	DllCommonsvc.exe	117
PID 812 wrote to memory of 1768	812	DllCommonsvc.exe	117
PID 812 wrote to memory of 1768	812	DllCommonsvc.exe	117
PID 812 wrote to memory of 2612	812	DllCommonsvc.exe	118
PID 812 wrote to memory of 2612	812	DllCommonsvc.exe	118
PID 812 wrote to memory of 2612	812	DllCommonsvc.exe	118
PID 812 wrote to memory of 2304	812	DllCommonsvc.exe	119
PID 812 wrote to memory of 2304	812	DllCommonsvc.exe	119
PID 812 wrote to memory of 2304	812	DllCommonsvc.exe	119
PID 812 wrote to memory of 1656	812	DllCommonsvc.exe	120
PID 812 wrote to memory of 1656	812	DllCommonsvc.exe	120
PID 812 wrote to memory of 1656	812	DllCommonsvc.exe	120
PID 812 wrote to memory of 964	812	DllCommonsvc.exe	122
PID 812 wrote to memory of 964	812	DllCommonsvc.exe	122
PID 812 wrote to memory of 964	812	DllCommonsvc.exe	122
PID 812 wrote to memory of 1340	812	DllCommonsvc.exe	123
PID 812 wrote to memory of 1340	812	DllCommonsvc.exe	123
PID 812 wrote to memory of 1340	812	DllCommonsvc.exe	123
PID 812 wrote to memory of 2992	812	DllCommonsvc.exe	124
PID 812 wrote to memory of 2992	812	DllCommonsvc.exe	124
PID 812 wrote to memory of 2992	812	DllCommonsvc.exe	124
PID 812 wrote to memory of 2536	812	DllCommonsvc.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_882cd7a8175aeed567d981f4e70a3fefcafe706cac10d0a32c2c9d39791fd243.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6lyLrzP83n.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:320
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\wow\ja-JP\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
        8⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2484
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        10⤵
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2536
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
        12⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1120
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        14⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1520
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
        16⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1976
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
        18⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2160
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        20⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2820
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"
        22⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2900
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
        24⤵
        
        PID:2240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1088
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\wow\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\ehome\wow\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\wow\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\886983d96e3d3e

Filesize
879B

MD5
a3889226700fa07a88eda1e1bf2fce0a

SHA1
5ed9a6389de3efea9286f8f50a143d6ad198fdff

SHA256
0adb2026965d1b2ee84f24344f748c45433521fb025dfd9aa54b520606681d3c

SHA512
4b8fbb6540eb134af3098eb6d119ab2f1c039ee3cb7d9c3eb84d15ec1a036e9f03d03e6f61a39cef5c514d9011cd82b54735b3111a5850597b45fd28d6250608

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32f271831f417f11c78b839af958fdbd

SHA1
419cc1e66a716be0d2d52fccaeec8f4060e5e8d0

SHA256
bfc6499913116979ebf465d4db6028474ac9d87dfa4474a9191d21275c7245ba

SHA512
bc1c1dde094bb5c84cb9a505dfbb3b61e4dca3b4ed8be160cc34531c713e9e2b35236596e1267599c1880c5ea2fe490be955f28b938e29eb998b22d13e80e20e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d31abd1d8ca9d5716c5b9ce93eeeb54d

SHA1
37d712ef884e4c6aab0d3b8b10b301743f253e07

SHA256
db22cb47e4a11c58f8268797cb15e72e07ec26fe93bf91cb12d1307c159fe426

SHA512
4d44afb9e6de395f53f66f4a2d3853cadda6d9cf598d7b4692943185b9b0c51ba21c9ca4f64fe60cae2edf20b7410644235a0734531523208b16f986dbc9b5dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b5be100ef5f9b10485efde2df2eed37

SHA1
b9f44ead91308ebfd18f73c25911895ce43cd510

SHA256
ac9ffbd9668cea2b5887c1c5d3e01761006f2cde4b7dae89caeb5a9e671ec909

SHA512
0dc227ab676e29f0ae4d6ecd02097f71deeedaf1d5020580bb935b9f0f00a999eb94d90773605177473e1a20618fa68ff516f69700daf9d478a86c562b46dc8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25cb3e179b1204075ba4c5ae6d941f52

SHA1
fa19e437e7045720581cc5840ba8d4b835b2e7f1

SHA256
b1444b246f2ff3d2d5702d1db026a261ee2dbfe6298c82b60f4514de7eb5db5e

SHA512
ef6fee9d9652a97d33512df7291b6f7243dfdbfd28ce471ac2fad2d97c15254909648447050e27b03d6cbb5afdb3b8cc34d8e61e3517df03c36e8feb28ae8065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18aefcf6ee49a0e283efe5e948869808

SHA1
f3c1282bf895922e20e81c115bc7ca0a0d22c5b0

SHA256
e020c424d1940d19fe1e8d8504a59dc1b37a7be3b33db98d82f034ee001e7656

SHA512
19f2d54fe1a21d9f930ea57e51ae37b05aada6854a73f1906a620abf54802f10dc960608d92e57b25d8548b41cfe344dace08fb038f8a869555147f7b02a85eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64117f8ef959724cca84e048d75ccd54

SHA1
cb5556789e4c1ed43367197beb426cd1f0f02a2b

SHA256
1f3b166595f4d8b2d8ede985444ece670e9015f58411fd4542173cbc6c7eb584

SHA512
94035dfdf99da6e85c0d2da513ea513f36c3ad706c5974601561ee7598b05f20abab9af1c640daefc561006df7cec7ce97b397f42f060aa008cfa10472ec3db5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68ba56df0fcc9e1a3aaaf3bfcb4fec2f

SHA1
1561f5ba97b6c674255f04b3b4a2df836598bb20

SHA256
92b5d7ca643235c2520f4b19dfd73bfd6eb580aeffda96342fe9173adb5f52e6

SHA512
c7a1083e19a71057cb7fa81befa962106d90bb4b8dd52a415a3141aa3a6ec43690a14062fe74a2a9fa101eb75b0fdb4dec383c61573eb5fa4ce1536d5dd0fb56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40969197d422bd56558bb16d7070f1c7

SHA1
750dec8d35cfd9b58c2fc69e20705b5911d3ca8d

SHA256
b31b6d5e30a9dde950e355db23a50a37ddbf372b3ef106545f72448ddd71434a

SHA512
8c62b4d8a0821988cf6bae74c9dd147491c676a76d8ee96867e7ae755eef1f90ddaf4c7abb8caeb00c4904688b902f7e94a0298f454b367fd1f10b2f22df29f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6lyLrzP83n.bat

Filesize
199B

MD5
7b8b96089c7037a45cd9632878d79bdd

SHA1
0feacfaeff9cfc426ad8313af5be268d3eb9b980

SHA256
dcb61265584662894057f7608674b2f07f544d1d9cd4594e60f9aa165d9f37a6

SHA512
3d6e96e22b2507673553daaf8c2088f1f39489c2bc82b3dc05295f254ea1af23570c074d3363ab76292789c6f04cbe7e7494f68fb136dea4cb4e45a9341a4ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
235B

MD5
dd4e1ca3433e47a330c4c427e3682499

SHA1
c4431723e3d2fd14ec9cbd4def09295f322f52f7

SHA256
0516caf839ad1bf0efc13e4c8822d17adbabb630f5a150e7958057e1c763e382

SHA512
8f4cd0adaaf6c34fc802276d8ea1cac6b36410a657f71a1cb9703f36ebb2c3869409b6ea6aa227c49b26fa2ea42c6ad627b8f3849099cea695b6ef161b308a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat

Filesize
235B

MD5
4716de974f70131220638cf7ce2cd959

SHA1
88ad4a10a43811acb71c9900bfcf3c68e0c49938

SHA256
3f0eb7286b1e3a454813aaffe68df91fc4700fa377e7650921314d5066a92ee1

SHA512
61baa4a53bce690008f11baf11173e7adcd0697a944419c082e3b128daedfbab840ecf36dd99a0c1697497bf3b8b5a93b83d2f0f82dcb90625557b471726ada8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab606A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat

Filesize
235B

MD5
4b53650b45abc274913e51e4aa319408

SHA1
f4d553a9e18a62e66b1b1dcd590dc14c776777e9

SHA256
a2ef6e0877f88f7d4a245aa04a791ebcfa3de30db682013e183c63724439b6a6

SHA512
7483edef2ed76db2d7c25491f147a6baf5a8fcacd12ece05875174f62410a790358b99744b0e4061e6feabdb692f11a9849651d0146be8c05e2d90822155c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat

Filesize
235B

MD5
c719680e7736245d29984e24c5a40672

SHA1
77e49f198a3a67a09d66c764a2ca164817118791

SHA256
2cb97af21f9ba1d45342da13f1b283b2e396c721c4bb17abc5c0d4e98678e532

SHA512
887dab3ef093524337ac6a42bcf3878b38b8ddeac46c801e7a4dc305f20f09ca2f3bc452a8750cfbab27348eb4688ff9317d848f34fd17d2a6e681c5cfa4c0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar60CB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

Filesize
235B

MD5
1b9c6bdff50774ddcfb740ec60c3fcd9

SHA1
2fce42db062bcf66ff8cefee09c54c87bcf88104

SHA256
bafac1b0d82a81b53bd9698584005a80d429ff353ea348e4d012509acc5a8ee9

SHA512
e81c0863b347cf4a3174ecea81e00e117e6a9fb653f1216766479e7f5c0e969325198698fc32f52774d63d57d39ce559ab0f938a69960ba2c52523b86a50a378

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
235B

MD5
e2fc661a223ea59679a99b14a63f9b76

SHA1
bbee3f39a16a4281f21108816240339446153b7a

SHA256
7a8acb0b4bb050b849cf06925c6a7c36d093d68b9a3926deb1309c144d4ad754

SHA512
588e43a6eeeb64eed846c596bd35b0a70ae0f4384a2e8d9135d8c3532afecee041e2346ce67a55ec51729671c38d178c67e01b0373bdca65f1e7a151e09fc870

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
235B

MD5
1aba94597adb53281789a2e413339fcf

SHA1
d79880568b7c7d34b30f71d0b07f1492f4ae6e44

SHA256
f10adf05400bdb898d75864ba0ddd978fb9ab35df27ad56717807da60fd2d64e

SHA512
fc68b57771a951dafcd7e98af825a4d68bffc3c3e16afe90017478f49931b3fd5a6226ef63681f884d708686913c3b408d4758d0d731581d8237eb4767b271dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat

Filesize
235B

MD5
2a4375ce919170c05b0d269a995ad144

SHA1
0f4ecb279bd2306ee32130c2d18ab012091a43dc

SHA256
d7897ea6b49b6eb654154b0a2b1aa114ac00623f063812bae94397b282cdbdc8

SHA512
62eb3a1b38e380f94e25da6d2701272b9f3d87655d2fc424776c4284c95f9cde06f65aa7617eff65cc0cf1cc41a205db4bee4682d8bc6ea20a02c8e199b43182

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat

Filesize
235B

MD5
7bee390bc6abbaae85ef93b2738150f2

SHA1
fee9285cf0b7f25f67701344a3b225f55d6855d2

SHA256
76786c3bc235c5be493bc767fda79c1fe7dcd043b4d307637f22761892fde788

SHA512
400cb5b53f3c678a79d8b51c3a99ee1074bb704db6b4055ba5002b69cade2080e3a1637e90afa074e266527a694ccf6c29ab05768f61859f453a43f2402fdaed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ca7ad84469e84d622b60bf364285bdf9

SHA1
f1d2d9dc3da156041cea31ac9fac972ed0c83dee

SHA256
04610ad83aaa793fab1b71d21d8b38c5df2ba82efd9b44d6242f29dec7c382c3

SHA512
ec35e37a20726b186459e04876833426f0ddc063fff56c7df30435c01276090ab963d1e0b9594dfeb174547bda49afeae19cfe1ef7266a371254d071772ebe63

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\24dbde2999530e

Filesize
705B

MD5
ba54ac44b62ec41bdf0cccf8c49134df

SHA1
3766df410235c25e02f4e82d64906715cb9cbd52

SHA256
95683ab03cbc746628c259bd37d1d383f79f1fefc8c9cb30c3ddbf78567bd848

SHA512
ddcd8ed64b3b1b75e7f66afc38aa7adfc78f22d73e13310ba901ea3664e0e86ae0d2fee12940855b9824e784a7182683342edcb83d3eb6ab99c7d97a2aae7f12

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/236-319-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/812-63-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/812-62-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/848-259-0x0000000000950000-0x0000000000A60000-memory.dmp

Filesize
1.1MB

Download
memory/1588-439-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1588-115-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/1656-121-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/2140-379-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2164-499-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2312-37-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2312-38-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/2508-113-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2980-17-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2980-16-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2980-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2980-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2980-13-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2984-559-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download