dcrat | ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b.exe
Size

1.3MB
MD5

bcf83c88f69f6b3d0426785b2032a635
SHA1

33f3900ef9b4ff73fc39338a04d3a5ee658f8930
SHA256

ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b
SHA512

003563cdc1d85e26bb3e7b3de79f4093182d65855453edcc009576745927a6b125710df112420d2a3a1ee3109a94ca7ca50f13bab8b122a81d4365b70e4ab5c9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2572	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016de4-12.dat	dcrat
behavioral1/memory/2684-13-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/1544-79-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat
behavioral1/memory/2280-223-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/3016-282-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/1628-342-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/2488-402-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/3008-462-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/2240-582-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/760-642-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2740-759-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 27 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
2188	powershell.exe
2352	powershell.exe
2876	powershell.exe
320	powershell.exe
2820	powershell.exe
2880	powershell.exe
1080	powershell.exe
3060	powershell.exe
2520	powershell.exe
2684	powershell.exe
2064	powershell.exe
2832	powershell.exe
2972	powershell.exe
2124	powershell.exe
2272	powershell.exe
2116	powershell.exe
2888	powershell.exe
1952	powershell.exe
2120	powershell.exe
2120	powershell.exe
2320	powershell.exe
1716	powershell.exe
2484	powershell.exe
2748	powershell.exe
2980	powershell.exe
2180	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2684	DllCommonsvc.exe
1544	DllCommonsvc.exe
2280	WmiPrvSE.exe
3016	WmiPrvSE.exe
1628	WmiPrvSE.exe
2488	WmiPrvSE.exe
3008	WmiPrvSE.exe
1592	WmiPrvSE.exe
2240	WmiPrvSE.exe
760	WmiPrvSE.exe
2736	WmiPrvSE.exe
2740	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	cmd.exe
2112	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\en-US\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\f3b6ecef712a24	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\spoolsv.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\Tasks\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1448	schtasks.exe
2864	schtasks.exe
2584	schtasks.exe
1324	schtasks.exe
1812	schtasks.exe
2196	schtasks.exe
1776	schtasks.exe
396	schtasks.exe
1488	schtasks.exe
1512	schtasks.exe
2080	schtasks.exe
2156	schtasks.exe
896	schtasks.exe
1000	schtasks.exe
3012	schtasks.exe
1580	schtasks.exe
1360	schtasks.exe
2604	schtasks.exe
316	schtasks.exe
2728	schtasks.exe
2592	schtasks.exe
1112	schtasks.exe
1612	schtasks.exe
1380	schtasks.exe
1936	schtasks.exe
1620	schtasks.exe
856	schtasks.exe
2460	schtasks.exe
1048	schtasks.exe
1588	schtasks.exe
1272	schtasks.exe
2892	schtasks.exe
2608	schtasks.exe
2524	schtasks.exe
1280	schtasks.exe
1980	schtasks.exe
2704	schtasks.exe
2540	schtasks.exe
2872	schtasks.exe
2268	schtasks.exe
1272	schtasks.exe
2568	schtasks.exe
1560	schtasks.exe
2968	schtasks.exe
1956	schtasks.exe
924	schtasks.exe
2700	schtasks.exe
1676	schtasks.exe
2724	schtasks.exe
2652	schtasks.exe
2624	schtasks.exe
3020	schtasks.exe
2656	schtasks.exe
2720	schtasks.exe
1676	schtasks.exe
2948	schtasks.exe
3052	schtasks.exe
1688	schtasks.exe
2988	schtasks.exe
944	schtasks.exe
1608	schtasks.exe
2716	schtasks.exe
2620	schtasks.exe
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2684	DllCommonsvc.exe
2188	powershell.exe
2272	powershell.exe
3004	powershell.exe
2980	powershell.exe
2972	powershell.exe
2120	powershell.exe
2180	powershell.exe
2124	powershell.exe
1544	DllCommonsvc.exe
2320	powershell.exe
2888	powershell.exe
1952	powershell.exe
2876	powershell.exe
2484	powershell.exe
2064	powershell.exe
2880	powershell.exe
2832	powershell.exe
3060	powershell.exe
2116	powershell.exe
2820	powershell.exe
2748	powershell.exe
2120	powershell.exe
2520	powershell.exe
2684	powershell.exe
1716	powershell.exe
1080	powershell.exe
320	powershell.exe
2352	powershell.exe
2280	WmiPrvSE.exe
3016	WmiPrvSE.exe
1628	WmiPrvSE.exe
2488	WmiPrvSE.exe
3008	WmiPrvSE.exe
1592	WmiPrvSE.exe
2240	WmiPrvSE.exe
760	WmiPrvSE.exe
2736	WmiPrvSE.exe
2740	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	DllCommonsvc.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1544	DllCommonsvc.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2280	WmiPrvSE.exe
Token: SeDebugPrivilege	3016	WmiPrvSE.exe
Token: SeDebugPrivilege	1628	WmiPrvSE.exe
Token: SeDebugPrivilege	2488	WmiPrvSE.exe
Token: SeDebugPrivilege	3008	WmiPrvSE.exe
Token: SeDebugPrivilege	1592	WmiPrvSE.exe
Token: SeDebugPrivilege	2240	WmiPrvSE.exe
Token: SeDebugPrivilege	760	WmiPrvSE.exe
Token: SeDebugPrivilege	2736	WmiPrvSE.exe
Token: SeDebugPrivilege	2740	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 320	2488	JaffaCakes118_ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b.exe	31
PID 2488 wrote to memory of 320	2488	JaffaCakes118_ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b.exe	31
PID 2488 wrote to memory of 320	2488	JaffaCakes118_ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b.exe	31
PID 2488 wrote to memory of 320	2488	JaffaCakes118_ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b.exe	31
PID 320 wrote to memory of 2112	320	WScript.exe	32
PID 320 wrote to memory of 2112	320	WScript.exe	32
PID 320 wrote to memory of 2112	320	WScript.exe	32
PID 320 wrote to memory of 2112	320	WScript.exe	32
PID 2112 wrote to memory of 2684	2112	cmd.exe	34
PID 2112 wrote to memory of 2684	2112	cmd.exe	34
PID 2112 wrote to memory of 2684	2112	cmd.exe	34
PID 2112 wrote to memory of 2684	2112	cmd.exe	34
PID 2684 wrote to memory of 2980	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 2980	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 2980	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 3004	2684	DllCommonsvc.exe	58
PID 2684 wrote to memory of 3004	2684	DllCommonsvc.exe	58
PID 2684 wrote to memory of 3004	2684	DllCommonsvc.exe	58
PID 2684 wrote to memory of 2972	2684	DllCommonsvc.exe	59
PID 2684 wrote to memory of 2972	2684	DllCommonsvc.exe	59
PID 2684 wrote to memory of 2972	2684	DllCommonsvc.exe	59
PID 2684 wrote to memory of 2272	2684	DllCommonsvc.exe	60
PID 2684 wrote to memory of 2272	2684	DllCommonsvc.exe	60
PID 2684 wrote to memory of 2272	2684	DllCommonsvc.exe	60
PID 2684 wrote to memory of 2124	2684	DllCommonsvc.exe	62
PID 2684 wrote to memory of 2124	2684	DllCommonsvc.exe	62
PID 2684 wrote to memory of 2124	2684	DllCommonsvc.exe	62
PID 2684 wrote to memory of 2180	2684	DllCommonsvc.exe	63
PID 2684 wrote to memory of 2180	2684	DllCommonsvc.exe	63
PID 2684 wrote to memory of 2180	2684	DllCommonsvc.exe	63
PID 2684 wrote to memory of 2188	2684	DllCommonsvc.exe	64
PID 2684 wrote to memory of 2188	2684	DllCommonsvc.exe	64
PID 2684 wrote to memory of 2188	2684	DllCommonsvc.exe	64
PID 2684 wrote to memory of 2120	2684	DllCommonsvc.exe	65
PID 2684 wrote to memory of 2120	2684	DllCommonsvc.exe	65
PID 2684 wrote to memory of 2120	2684	DllCommonsvc.exe	65
PID 2684 wrote to memory of 2520	2684	DllCommonsvc.exe	69
PID 2684 wrote to memory of 2520	2684	DllCommonsvc.exe	69
PID 2684 wrote to memory of 2520	2684	DllCommonsvc.exe	69
PID 2520 wrote to memory of 2352	2520	cmd.exe	75
PID 2520 wrote to memory of 2352	2520	cmd.exe	75
PID 2520 wrote to memory of 2352	2520	cmd.exe	75
PID 2520 wrote to memory of 1544	2520	cmd.exe	76
PID 2520 wrote to memory of 1544	2520	cmd.exe	76
PID 2520 wrote to memory of 1544	2520	cmd.exe	76
PID 1544 wrote to memory of 2684	1544	DllCommonsvc.exe	131
PID 1544 wrote to memory of 2684	1544	DllCommonsvc.exe	131
PID 1544 wrote to memory of 2684	1544	DllCommonsvc.exe	131
PID 1544 wrote to memory of 1952	1544	DllCommonsvc.exe	132
PID 1544 wrote to memory of 1952	1544	DllCommonsvc.exe	132
PID 1544 wrote to memory of 1952	1544	DllCommonsvc.exe	132
PID 1544 wrote to memory of 2064	1544	DllCommonsvc.exe	133
PID 1544 wrote to memory of 2064	1544	DllCommonsvc.exe	133
PID 1544 wrote to memory of 2064	1544	DllCommonsvc.exe	133
PID 1544 wrote to memory of 2120	1544	DllCommonsvc.exe	135
PID 1544 wrote to memory of 2120	1544	DllCommonsvc.exe	135
PID 1544 wrote to memory of 2120	1544	DllCommonsvc.exe	135
PID 1544 wrote to memory of 2880	1544	DllCommonsvc.exe	136
PID 1544 wrote to memory of 2880	1544	DllCommonsvc.exe	136
PID 1544 wrote to memory of 2880	1544	DllCommonsvc.exe	136
PID 1544 wrote to memory of 3060	1544	DllCommonsvc.exe	137
PID 1544 wrote to memory of 3060	1544	DllCommonsvc.exe	137
PID 1544 wrote to memory of 3060	1544	DllCommonsvc.exe	137
PID 1544 wrote to memory of 2320	1544	DllCommonsvc.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec3b4d2c197afefd82acf83041d9c05e0bd01f8b2adba5bf00fd54a97873855b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2352
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gt2U4zX4U5.bat"
        7⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1596
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        9⤵
        
        PID:2868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2856
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
        11⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1112
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat"
        13⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1752
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
        15⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1368
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
        17⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1624
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"
        19⤵
        
        PID:900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2292
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        21⤵
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1048
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
        23⤵
        
        PID:468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1824
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
        25⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1304
        
        C:\MSOCache\All Users\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\Aero\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\42af1c969fbb7b

Filesize
216B

MD5
84f256d3643f3df4894b9e472b5ef105

SHA1
d2ca3d208806666c22230f4e512bfe30307eac96

SHA256
f79e43247f7a350aaaa4b4801e459041de1e293b0f54621f00ca669aba0403f5

SHA512
f006fa969c5a9538de0e95f3327c5f71d7c4c6fcefc16e32ff84af09afae291faff37ee5cb49eb4a66e8202fb0fe755299556abac527c9764483281dbaab87c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fb6b68fbc5aa7f89cecf50289717c9e

SHA1
8fbec47cff8f12c96424bcc537bba53616a8db5a

SHA256
c407f7bac801a4ec5f597b3f23accc158f5077c94ae0acaafedcbfb03198b5bf

SHA512
70455764613b58f07baa2747d3df8bebc91790217874488123e9c2cfd0e4703d8b72ea426c31a0f88df71a47f425e9fff949d49d24ab61c09151df747ac0416a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0d48d5e187b29f9096889e2550b9271

SHA1
263542044f2b9d3e28eb66de9b0f260104c87344

SHA256
f868ca4abdb18fa0de29c98f9724bdb9b309cb9424b214458b6de0528677b21c

SHA512
afbb43e0ef60dccfb50d4cfab89de1cce827b8be1ac84e9d2ff50b1bd9d8a6f23357bc881f53e06c7b475f39bac18f6edf0631ff7f9ecd7e5e6a3b71e5587b35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44f8d43ff122dfe023279be822f18fc4

SHA1
478d90f7579a9f855919940c1c747e9c2e59a265

SHA256
8aeb148c0cfa5d1ede40156226cbc54939845d9ba3833e041ad019f03308b4f2

SHA512
049e581e61c2c10b61ce51f716884088bfb01b60fe14322b57c0ea6223fb35e307ce85231cc3533e0715145ba65b897814ad99048c8b102e214f06333ff205e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f86ca5091252392e8dabfe117a7a0522

SHA1
273718ab454813d8b14e478ca94ff3282293d488

SHA256
f9c3219e5e765bfbca37d0cc70bb4f072d7f64ec1d261fcd22e9add3c3ad56be

SHA512
76d374c3fea34ff11682a34d2d9101696ad2d3a2a2d18b4e858e7f1924e7fd23d345315af37194a123af968fa3596f9d638a16bad66c4e1a36f503ebd1e0d6c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7dcd97bc2e781c432b5717619643264

SHA1
cbbb19328639941cccf22fa43899094a2bed7a7d

SHA256
767bd667899305335b4673d53a172cafc8eeeb23d3035239bf444d01611ae714

SHA512
7dab2691627d9c56c6531b5ef1aad2ae54f6d07cfa8a3078c1ef54f6dcdd31363cecd53dbabb435cfa5af3164be77811429c4925bc77bebe09ba3437a02f2627

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ede090c85d7449bfe0f8d472b57c0dc

SHA1
75e2cd2c8f7508f904edbbafdf47b35b754a50c0

SHA256
7cf30d8f40ff2ee44fc4b8e520465b251f21cd4709e5f481e6418b53b31ad0c2

SHA512
34d47dfd0492230060b3db74913c54d41ab570b7d1aafa7826390553f6a79905e08b486dce0ab3e52c2cb6a443eed0829c0ec3649631658af6a8d25df5240f52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37c2aa5089d03c1a94eb1f591a65f24c

SHA1
b1ddea84efd8100728b60a672723a142d44b74b4

SHA256
0e57480e72ca2ede47cb06b0c4440f773191b487a1e76be9464d084cccc13c2f

SHA512
0b531bbcb56a79562ed4a6a00acafac71eb6ebe15895a479183fb689ce9bbf8bea86d2f995602c2310608fbc4ec0f803fc13752a5dbe2ef5dc0b9cb62b2579d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

Filesize
199B

MD5
47e5b940f600cf2e8e75fc8149e23ae4

SHA1
7bcfe6545535a9fe668d02237f4c7b3f5c173012

SHA256
31efb031a914cffd24e92bb9c0792f4f476925fd8bca3f5b582d52690d83a060

SHA512
478dbdda8b50d5d7f35ff75621adf7880588a7ef0522441a3019573911c87d4bc1e511d1c34b92557fcc8b5367caa33644bf531f02d70e3910bae0892e73939d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab515D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat

Filesize
199B

MD5
5c4327128dbc23b79b44e2f9cb1d4369

SHA1
bb999a1be50671278f9b11efb600f30ca37d083c

SHA256
47aab50e32b286c29c1dc1db73bfe084800dcba24422b0cf88e8d43015a96daf

SHA512
496461fd46c78d617f3596c9c103f3d5049a6449e8f5dbe4c47835f538546643c21ccb3670cfec5f0fd53ea3cd2b31218f9e0c1cf3398e501168e56c9af54898

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gt2U4zX4U5.bat

Filesize
199B

MD5
3e18e8f3698b583396bf4a374e644fc7

SHA1
fe7088aabd36d55bf516ca2c95b0b8fa7f7e9e4f

SHA256
9c000154dadd34d205a0119ffbec84cc77863c9eaae7acac4390cb3193c0d23e

SHA512
80e3a23ec2c57a0647e95a074d123ae4920f447a0080b291c9c600745ec40522f803bfbb1d35c8f38bdab719b6c8d42829ba50c3665e79e8c7d874d1fc0956a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar517F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat

Filesize
199B

MD5
eddcbff372ee24fe1da745a072898d81

SHA1
bc7f493ee0c7c328b7e9689eaf0901a2b431a8c8

SHA256
0c4245796f03e7f6ac40c2aec385a225409d55a9ef6404e711e6b0d2f5f9b2ec

SHA512
a200c188ac91d1d879d8bf880a8fec372e0df7b77ab24350a0d4fd58f0c7709dbb36f115c226080cfe1fdb3ca1f386d9030c453baffdaaad5e9a686f6122b8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat

Filesize
199B

MD5
599f3c4b47f9373de28e34aa746eef7d

SHA1
1ffa3b672f71d99861da702d12febd6e4d309c45

SHA256
13036b09f41ab6eb1e8b1be7b93b4d9e8ef84a7227635b7d32a66a0121ca0107

SHA512
b224b6e6723e79a02f54c6f5a68ea2ed7c23f3e33583ec084264f709c90467d58ec57ed47067b63d57ba004e4dd16966adbfd96ad22fe7a442f0ef86cd8510d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

Filesize
199B

MD5
d92d87426b7df41a9ad2f21944a1c814

SHA1
2312e5f2a565be589047f24802b21c3fa0b27959

SHA256
8c32221e1f36ec994229fd9b4883047f965093ded127a7eeaecb092bef5bc5f3

SHA512
c0c34066fac7bde30324abf61156f45efe1e3f6b3d6d0c4de050c7666c4d77b8c57b08809322fba7b0ae83db3a159231a650fde63a84452c762001ace6178b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
199B

MD5
10f24019e3f144b8e73de0aa948ab48e

SHA1
13f6a83add27b872da71b133a1897eb3bfa1f3dc

SHA256
c7e0ef599443912794e272f6e6fb870908ea9ddfc3cdd8a611ca9b9f68ceb8a8

SHA512
78ec51a8339a1abc146782bd43c5dea335e5e03b5a5f521891c378b6499f1a5d4f79db00d2bb8b9a128ed5279ec8037578c0a513229b9bb9034a26275bf2230f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jDRdKfCJCw.bat

Filesize
199B

MD5
7aa25c482dab62e4d5e61d3e70dd47d2

SHA1
94a67d3c7361207a7d3cd473301e120705d033ff

SHA256
179a41986c3599e79bfa17689283c1345bb857ceec1262660da29b89008ce315

SHA512
9ce5979860ddd58206d939fec5580076ba326bfe648ccb2cf776ed9f7aa47d3991686ec7692ec9481fd72066da49210583bf8f454140dadcca462c47b45a6335

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat

Filesize
199B

MD5
46c1c2c6b31a1958690c2e04a5017d66

SHA1
aa43211cfb7a6ef53834cf5f5b1f1cbe4ee4e938

SHA256
06eed9cec309e5911426745bc6d12bc939d25033a9f366410443004a591b9285

SHA512
c6615a4f2440e3d9ac0d7a2618692266d86c2b6f6f976ff479ebc905f5e272410600602919f600fb039b1883597657baf7bc4f523f2b8fcbf9dcba304e69a5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
199B

MD5
3d859733389466883429a010f6fff1db

SHA1
31d6bcc64721d3ad90fbd1e251c2015c80f5e860

SHA256
668dd952c016a40fee33c4d69c2d13cb8560da3bb4f1eff8da4994e467261a6e

SHA512
c76f0b5ecbaf367a232aa015da84aeacee3e772ac77aec8fc8e64e1421b9d3a72d64720307e125b1311ee57d2fdcefed10d9723ceed5d815422ffc2f5de61b51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
041a3936675f453e31e72bacb8b1ac02

SHA1
1c65269769a1cebed7edeb103de35c0a07ef212d

SHA256
ea73b1069252f8f12bdf6aab85117a64a2d134f12e0411c15af29d8612e7a7d3

SHA512
eedf41c1f1a7f2e32add5b0b023b72bd6c718a5cf7205260e731e68fec83cfabaecb97cc809280683648b71c527dafe1a12d6a1cc01b353dcaf788fbd20cbbd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NDEQU74WJ0UPHKIOV41H.temp

Filesize
7KB

MD5
d535ebdcb3b6af17614806e193c9556a

SHA1
949841595b269973f1508a10fbe277ad92071117

SHA256
f3cd841c0ba63e1c06cec49fe50f6887ba135230adb2a15175cfcb6b64b96c77

SHA512
77148cb7e1576080c6b0984e610a47b8e19135914059154f46e4e29a0f1627d257dfb8bf6f911967411c18ea844e846e71e7ddaf617da922d2a44d2b46f5d4bc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/760-643-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/760-642-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/1544-80-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1544-79-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download
memory/1592-522-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1628-342-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/2188-45-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2188-46-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2240-582-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2280-223-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2320-152-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

Filesize
32KB

Download
memory/2320-151-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2488-402-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2684-13-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2684-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2684-15-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2684-16-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2684-17-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/2740-759-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/3008-462-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/3016-282-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download