dcrat | 76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe
Size

1.3MB
MD5

1b48e7a93f3e22006531047c94d0fd4e
SHA1

f40cb5410671b8145ad235f0832d7d38c4b4b337
SHA256

76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6
SHA512

7cc521d22b185ba47ae33a3e663f98e1bcb3b1c520c4279b5f18f18f686fe8efb8be23ff844fff08c875dabaefdbf58c1ad09426c34e9b1bfd34c715ba450425
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2648	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016edc-11.dat	dcrat
behavioral1/memory/2752-13-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/2724-164-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1908-223-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/memory/832-283-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2828-343-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat
behavioral1/memory/1964-403-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/2016-523-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/2208-642-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2492-702-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2948	powershell.exe
2808	powershell.exe
804	powershell.exe
2160	powershell.exe
2824	powershell.exe
2632	powershell.exe
2788	powershell.exe
2268	powershell.exe
2228	powershell.exe
624	powershell.exe
1288	powershell.exe
1640	powershell.exe
1648	powershell.exe
616	powershell.exe
1912	powershell.exe
1588	powershell.exe
1208	powershell.exe
1908	powershell.exe
2020	powershell.exe
2812	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2752	DllCommonsvc.exe
2724	WmiPrvSE.exe
1908	WmiPrvSE.exe
832	WmiPrvSE.exe
2828	WmiPrvSE.exe
1964	WmiPrvSE.exe
1424	WmiPrvSE.exe
2016	WmiPrvSE.exe
1480	WmiPrvSE.exe
2208	WmiPrvSE.exe
2492	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	cmd.exe
2772	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Media\Characters\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Media\Afternoon\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Afternoon\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Media\Characters\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1976	schtasks.exe
1544	schtasks.exe
2984	schtasks.exe
1172	schtasks.exe
2168	schtasks.exe
2824	schtasks.exe
916	schtasks.exe
832	schtasks.exe
2440	schtasks.exe
2396	schtasks.exe
2136	schtasks.exe
1672	schtasks.exe
1692	schtasks.exe
2244	schtasks.exe
320	schtasks.exe
1928	schtasks.exe
1540	schtasks.exe
2640	schtasks.exe
2820	schtasks.exe
1748	schtasks.exe
2500	schtasks.exe
844	schtasks.exe
2660	schtasks.exe
2308	schtasks.exe
1272	schtasks.exe
2460	schtasks.exe
1676	schtasks.exe
2424	schtasks.exe
2380	schtasks.exe
1916	schtasks.exe
2128	schtasks.exe
2980	schtasks.exe
1320	schtasks.exe
600	schtasks.exe
1532	schtasks.exe
2704	schtasks.exe
2328	schtasks.exe
1556	schtasks.exe
1252	schtasks.exe
2552	schtasks.exe
1104	schtasks.exe
1200	schtasks.exe
2556	schtasks.exe
2956	schtasks.exe
2768	schtasks.exe
2196	schtasks.exe
2472	schtasks.exe
1580	schtasks.exe
1708	schtasks.exe
2736	schtasks.exe
960	schtasks.exe
860	schtasks.exe
2432	schtasks.exe
2600	schtasks.exe
2860	schtasks.exe
2520	schtasks.exe
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2752	DllCommonsvc.exe
2788	powershell.exe
616	powershell.exe
1648	powershell.exe
2020	powershell.exe
1588	powershell.exe
2808	powershell.exe
804	powershell.exe
2160	powershell.exe
1288	powershell.exe
2228	powershell.exe
1640	powershell.exe
2632	powershell.exe
1908	powershell.exe
2268	powershell.exe
1912	powershell.exe
2824	powershell.exe
1208	powershell.exe
2948	powershell.exe
2812	powershell.exe
624	powershell.exe
2724	WmiPrvSE.exe
1908	WmiPrvSE.exe
832	WmiPrvSE.exe
2828	WmiPrvSE.exe
1964	WmiPrvSE.exe
1424	WmiPrvSE.exe
2016	WmiPrvSE.exe
1480	WmiPrvSE.exe
2208	WmiPrvSE.exe
2492	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	2724	WmiPrvSE.exe
Token: SeDebugPrivilege	1908	WmiPrvSE.exe
Token: SeDebugPrivilege	832	WmiPrvSE.exe
Token: SeDebugPrivilege	2828	WmiPrvSE.exe
Token: SeDebugPrivilege	1964	WmiPrvSE.exe
Token: SeDebugPrivilege	1424	WmiPrvSE.exe
Token: SeDebugPrivilege	2016	WmiPrvSE.exe
Token: SeDebugPrivilege	1480	WmiPrvSE.exe
Token: SeDebugPrivilege	2208	WmiPrvSE.exe
Token: SeDebugPrivilege	2492	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2860	2272	JaffaCakes118_76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe	30
PID 2272 wrote to memory of 2860	2272	JaffaCakes118_76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe	30
PID 2272 wrote to memory of 2860	2272	JaffaCakes118_76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe	30
PID 2272 wrote to memory of 2860	2272	JaffaCakes118_76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe	30
PID 2860 wrote to memory of 2772	2860	WScript.exe	31
PID 2860 wrote to memory of 2772	2860	WScript.exe	31
PID 2860 wrote to memory of 2772	2860	WScript.exe	31
PID 2860 wrote to memory of 2772	2860	WScript.exe	31
PID 2772 wrote to memory of 2752	2772	cmd.exe	33
PID 2772 wrote to memory of 2752	2772	cmd.exe	33
PID 2772 wrote to memory of 2752	2772	cmd.exe	33
PID 2772 wrote to memory of 2752	2772	cmd.exe	33
PID 2752 wrote to memory of 2632	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 2632	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 2632	2752	DllCommonsvc.exe	92
PID 2752 wrote to memory of 1648	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 1648	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 1648	2752	DllCommonsvc.exe	93
PID 2752 wrote to memory of 2808	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2808	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2808	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2788	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2788	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2788	2752	DllCommonsvc.exe	95
PID 2752 wrote to memory of 2948	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2948	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2948	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2268	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2268	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2268	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2228	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2228	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2228	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 616	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 616	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 616	2752	DllCommonsvc.exe	99
PID 2752 wrote to memory of 1912	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 1912	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 1912	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 1908	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 1908	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 1908	2752	DllCommonsvc.exe	101
PID 2752 wrote to memory of 1588	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 1588	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 1588	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 2020	2752	DllCommonsvc.exe	103
PID 2752 wrote to memory of 2020	2752	DllCommonsvc.exe	103
PID 2752 wrote to memory of 2020	2752	DllCommonsvc.exe	103
PID 2752 wrote to memory of 624	2752	DllCommonsvc.exe	104
PID 2752 wrote to memory of 624	2752	DllCommonsvc.exe	104
PID 2752 wrote to memory of 624	2752	DllCommonsvc.exe	104
PID 2752 wrote to memory of 1208	2752	DllCommonsvc.exe	105
PID 2752 wrote to memory of 1208	2752	DllCommonsvc.exe	105
PID 2752 wrote to memory of 1208	2752	DllCommonsvc.exe	105
PID 2752 wrote to memory of 804	2752	DllCommonsvc.exe	106
PID 2752 wrote to memory of 804	2752	DllCommonsvc.exe	106
PID 2752 wrote to memory of 804	2752	DllCommonsvc.exe	106
PID 2752 wrote to memory of 2160	2752	DllCommonsvc.exe	108
PID 2752 wrote to memory of 2160	2752	DllCommonsvc.exe	108
PID 2752 wrote to memory of 2160	2752	DllCommonsvc.exe	108
PID 2752 wrote to memory of 1288	2752	DllCommonsvc.exe	109
PID 2752 wrote to memory of 1288	2752	DllCommonsvc.exe	109
PID 2752 wrote to memory of 1288	2752	DllCommonsvc.exe	109
PID 2752 wrote to memory of 2812	2752	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Afternoon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Characters\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I9PZK3tXZ4.bat"
        5⤵
        
        PID:1488
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2216
      - C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"
        7⤵
        
        PID:1436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:816
        
        C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        9⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1720
        
        C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        11⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1520
        
        C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        13⤵
        
        PID:1372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1680
        
        C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        15⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2616
        
        C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
        17⤵
        
        PID:1364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2064
        
        C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
        19⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2864
        
        C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        21⤵
        
        PID:1120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2268
        
        C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
        23⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2740
        
        C:\Users\All Users\Documents\WmiPrvSE.exe
        
        "C:\Users\All Users\Documents\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Afternoon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Media\Afternoon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Afternoon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Characters\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Media\Characters\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Characters\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
008e97dc8119d55db93c07680c348702

SHA1
deda8e08bba23ebe57fb89fb535282fa395be77e

SHA256
ee8e20d4ce526f29311100a1e457955f633c76b7a262143dc04051aec68dd0ea

SHA512
197d5197a798e94671c2b6f0c81e13250064bd94f32a31ba06dba03b62cb5738a6db2ef12b0bbe80ff972613f5c04ead7f72bf20cdaa46f94c7ea58f96abf73f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7596cfefb65dc0766e657fc994597ea

SHA1
46e94d825d46af57800d0e1f5ae491f83979246b

SHA256
2a64b33273f4f32d14c19ee83de89de4ea7290165f31668ff591e36a1bb582af

SHA512
46ca7ccc6f3a7353623554badcb2ebc289e51137a94c8a0e54197997eb18104e00c1b2ff47b5c0d38fbb894ae13006d36bf6abdf8430d97b51d0d073a6678a27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73210ebf89a14b000699187c2725ba75

SHA1
2766c07779d2725d29f8b843f5601346a93e19b2

SHA256
3d163b6b73c9de1e7668d89e2f8471eb5be14ddaefbc724c815cc31929c03164

SHA512
75acad22c1846366a67e5d8af5aa60b390e755ba795711ab117c8644419a1749ee913c3e981e32d98e89a1359c4c1ecd412dfb78b163d9b604680ee5f1b0862c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ebb3927a43abbbca584720ac2a68123

SHA1
cb46d74fe35e5cbb5adc2a4029f997592f6b8984

SHA256
0121a36de3b9f429ac2c0a0bd3fd9d8ebe45035dcc10f42d45916d2ffec1d678

SHA512
7e0fbf973e69c7aa71d1715469ef9e908fd4b000636d5e9ac76d85d0b5ea0f28308e48c44072dfa1aa94001493c67652610631415901d422b05bf84fb3083d52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbfb8f7f2c1d115223e4aa73b88e3dd8

SHA1
2bf892d8cc8632c42a1ba4ad72fa0ef15345fd04

SHA256
6ac79fd183cc6b101ecca2b612deefe784f138fa7042ebf201cf153e0ea434d8

SHA512
3bb878e15fc2c9f60db130a61a93d0f1add018db08af25641791d59a23318015ae4ed2c87904d0ad5fc2d588773ae6ff45cde18664747193cee3d8495494ce2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71bc5e3a953e6859562c65ed2366434f

SHA1
885180489c675cbc3cc6ad885e2540a7f3eee8f8

SHA256
0eb4edde5bee0965a369e7d6bae5c21cc2f72442379d4ebac28063fd2f8eec43

SHA512
71e6fad00df2a6b526ac75b703207032d6af9563cb8088a6f26ba584e1cbbc0a0f8b7cd12a65d34d4728c6d8574a2a7503afdc6b91f42587f1de046238f6ad7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20ab7b6715aa5b40721fe6b34a704fc6

SHA1
0ca4ecf3e57ee07b0ba10a040e7718254181725d

SHA256
a42a1b0c8fc8e13d7d5ae022c3e085102981dfec735f9714221d9554116b30e5

SHA512
a4c22db002fcd480ea934b726fd96e61002bdb1c7e375471ccd2c1d34b2bb0ebb660303b0ca071aed685fdc0cb1d81d58a89710f5e78850f1364e165061ad33d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b79c87f89a528f166564c563ad409777

SHA1
82065d42cb721440facd6f699921ec2a38e94092

SHA256
27811c6eab4867866f983eb5744bc203bb82432602aebc30fbe65a8df74edd50

SHA512
40afee8e1e95fdfba052da9399a34b173dee0eab84ab6f016c0e20a129732b4b4a54b9f957459cb06689ca9f43775e7c0160789eaedcd2976b4ee145005d46fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat

Filesize
206B

MD5
ba3d198b0a39583ef02a97e44e87c1a3

SHA1
81bc92385e9222cae0572088d800b9c9daa3e160

SHA256
7b8b4593516dc9c320740266cafc7b83206e6bef81622d326e5b80fb344c43d4

SHA512
b242fcaf9e1725feec74e89f794ad471bb2927efc6369bb86535c7d7db07f53abc1f060d6a7168bfb9e75250219e0a78796099c24278be1833e6817f28b6d56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3A92.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
206B

MD5
6078a825a25b3744b420ad93bbefdecc

SHA1
b3c6e03b7cfe02993d6472dbdd068e1f9548a627

SHA256
265dfb42ee72b492c41b35129cbcd1aa7958c73365c651b1fcb2f0b14c524072

SHA512
d1c20ec4791afc4eda220ffc3dcb152ace788f05fc84a74179cdeacead8910a4910b533b1eab30e92e2c13927f31d7996765abfdceda3b7fe22b5d674bf2fb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I9PZK3tXZ4.bat

Filesize
206B

MD5
1b81653ea1f3a66947b6955604ac76c3

SHA1
2753def0487281b87abfdece8a7e0b5bbabb3c21

SHA256
535607149c93bda725cdc5e084f68b42d4bde065ec556afe67658cc19b7683a7

SHA512
8ed3d79a71c2080eb7f7e29f888702319c2b54d940331f0542412c6d3aa51f48f7577b39e81fe95052a994eebcca07b92c2ebc48d1af4952b6b0b4e927e1f6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

Filesize
206B

MD5
6ec4098e46fb0b8dbfd9ee93adf991e5

SHA1
e8be92bcdf2e54ae8d3de3532a4556fde211087c

SHA256
490ad0aceabfec3dfb8ffaf8f2a67e0b01ed7326e837d81ed26cbbe4b73118ae

SHA512
0129b4002266a2a484ae2fb40e18470e5e266986860c7d3ef086698f543f146574214f768f052a18f07065fad88b43d83369de6e5effaf82ec4b3fbdb0f352db

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
206B

MD5
50d0fe86db645e5dfdefff791f16e5d7

SHA1
4b81cd17b3a64196b2832d64c416a5c2afe9709b

SHA256
e049011e0beaf36f450f494246a978c180cfe74a05931ea9b1050afb07266828

SHA512
e0e087c2336591faa9aa9b4cd68fe319075489557ac136ba930d80bf99a733a7c47c745237d5169db23484b68698e38e558265068c804020dc76ffa70e848586

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

Filesize
206B

MD5
cf767a3302b8bf1ca410856741d07312

SHA1
897ff113bc4cdcd4c872bd69b1acc953da623059

SHA256
e693d5095734f842196d459f58d7f4cfe8303ee7758f585067443a056173980f

SHA512
16365314b02cc9364cefd0a2b63cec79940fe05367087065d1a93d6b49269e1a2256249e4bec6220622878f60c7b372ddfc5252c60ac1184a0590110ecf99550

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3AB5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
206B

MD5
af509d724ef061358a130d54201c2492

SHA1
f80a5c6891554f36987ab916956a4c066856ca15

SHA256
88406d92af7a27b962b1f694fa2d14a65336fd98765189eb44642f69337ab4ae

SHA512
297f67d476de766bb07fb8418de85a8a7ce494b8053c283e933e60679e54012cbb88672fa6caae7f946451233b388f17bc11cc5cfc9a7b4f0a6a61ba21262044

Download Submit
C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat

Filesize
206B

MD5
d80799695fb778015112af85c68683a6

SHA1
192a137149b304a2a3826a5bbae192acfb199ca4

SHA256
45e6f8f38f0492977b255004fe551c33428c506f2aecc3d4f12d8d962d2bc0c9

SHA512
73fca0b397c398b5e5a18871bf4fbbf5d389fd5faedf3b31d161a5050c0c9265902d0eac9e882fa123e1dfecb68386e658975187a438562d679cb5de0dd79c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
206B

MD5
d7fc5a1d4d9085fe2161f712e5eb890d

SHA1
2665b1b132d20271c6a7fc2e1428027ce05780b8

SHA256
63964f86495da5df37ef3e9f80937b3d79bc1e12f6b735c05fa10f16c6131b3d

SHA512
3cb57f825d4fff9373ad57caf659e711e8329532174eda4f848fa07d2f51029b2cab0e8e3a996e307be7f75f4411570d63ceb839cfe89e8781768b6f5691b25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
206B

MD5
aa8a38bad018c936057ed3ffb303180b

SHA1
a087c0eca7dd915bdadbff27393d6a46b54a274e

SHA256
b77167e184875f67c8f5e826f285fd7eafef230ef47ec5a53fd8c50ffd0e0766

SHA512
b64a392769c0b96c59cd509870dea92da4868ce23181ac9acfe19bb27481de164d4f8a8ae3cd0c7959ac7c921f269c837002c7f33510c83c3510648266635013

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
147a5b5db5fc41524c313bf6b2d2582c

SHA1
c0cf282dd263faa4a0486d4072a2c8c66a379a5e

SHA256
cd77d9cf3570a4e51d82fad56e869c98ec1b6f78b1091116ae4c99d844de276a

SHA512
79ac17a963bfef9a848edbb3d38b42fcac86eb7095958613fc570d453e836865252fa86c7981f10d2198d5575345f384ce52f3108d6ee28f15279101fee9ad28

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/616-78-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/832-283-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/1908-223-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/1964-403-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/1964-404-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2016-523-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/2208-642-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2492-702-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2724-164-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2752-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2752-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2752-13-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2752-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2788-72-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2828-343-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download