dcrat | 8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c.exe
Size

1.3MB
MD5

19ce1f1988c6c207fff94b633f3ee46b
SHA1

93e6a42aa2909bdc39eb934caeeec4359410adfe
SHA256

8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c
SHA512

f5337940e454d99a51d3f423e1ae79a874a41a21b435a55186cf797bf85fd8a88e5bedd501ab60a027dce3bb6690c70c48de1c4a1b99acc8f3ae98e146915b0f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2796	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2796	schtasks.exe	32

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001567f-12.dat	dcrat
behavioral1/memory/2888-13-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/2744-189-0x00000000012B0000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/2984-308-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/1804-604-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/1864-664-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2880	powershell.exe
2204	powershell.exe
2176	powershell.exe
1872	powershell.exe
1652	powershell.exe
2060	powershell.exe
2524	powershell.exe
2204	powershell.exe
588	powershell.exe
2968	powershell.exe
2952	powershell.exe
2300	powershell.exe
2908	powershell.exe
2636	powershell.exe
1888	powershell.exe
2344	powershell.exe
304	powershell.exe
776	powershell.exe
988	powershell.exe
772	powershell.exe
2864	powershell.exe
2140	powershell.exe
2084	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2888	DllCommonsvc.exe
2732	DllCommonsvc.exe
2744	sppsvc.exe
2624	sppsvc.exe
2984	sppsvc.exe
2836	sppsvc.exe
1116	sppsvc.exe
1288	sppsvc.exe
1876	sppsvc.exe
1804	sppsvc.exe
1864	sppsvc.exe
2868	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2108	cmd.exe
2108	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\security\database\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\twain_32\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\security\database\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\security\database\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Installer\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\twain_32\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2188	schtasks.exe
1076	schtasks.exe
2504	schtasks.exe
2028	schtasks.exe
2500	schtasks.exe
2168	schtasks.exe
1728	schtasks.exe
1240	schtasks.exe
2664	schtasks.exe
1268	schtasks.exe
1688	schtasks.exe
1580	schtasks.exe
2900	schtasks.exe
1256	schtasks.exe
700	schtasks.exe
2980	schtasks.exe
1728	schtasks.exe
3024	schtasks.exe
1776	schtasks.exe
2708	schtasks.exe
2600	schtasks.exe
1612	schtasks.exe
2816	schtasks.exe
2540	schtasks.exe
2972	schtasks.exe
1780	schtasks.exe
2364	schtasks.exe
2664	schtasks.exe
996	schtasks.exe
1136	schtasks.exe
2568	schtasks.exe
1864	schtasks.exe
2504	schtasks.exe
2532	schtasks.exe
600	schtasks.exe
372	schtasks.exe
1948	schtasks.exe
2856	schtasks.exe
1116	schtasks.exe
1708	schtasks.exe
2764	schtasks.exe
996	schtasks.exe
1676	schtasks.exe
2236	schtasks.exe
1948	schtasks.exe
2724	schtasks.exe
2688	schtasks.exe
2744	schtasks.exe
320	schtasks.exe
2672	schtasks.exe
592	schtasks.exe
540	schtasks.exe
2624	schtasks.exe
2528	schtasks.exe
2152	schtasks.exe
2620	schtasks.exe
3016	schtasks.exe
2856	schtasks.exe
2184	schtasks.exe
1448	schtasks.exe
308	schtasks.exe
2672	schtasks.exe
868	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
2744	sppsvc.exe
2624	sppsvc.exe
2984	sppsvc.exe
2836	sppsvc.exe
1116	sppsvc.exe
1288	sppsvc.exe
1876	sppsvc.exe
1804	sppsvc.exe
1864	sppsvc.exe
2868	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2888	DllCommonsvc.exe
2968	powershell.exe
1888	powershell.exe
2880	powershell.exe
304	powershell.exe
588	powershell.exe
2204	powershell.exe
2864	powershell.exe
772	powershell.exe
2176	powershell.exe
2344	powershell.exe
2952	powershell.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2300	powershell.exe
2908	powershell.exe
988	powershell.exe
2636	powershell.exe
2060	powershell.exe
1652	powershell.exe
1872	powershell.exe
2140	powershell.exe
2204	powershell.exe
776	powershell.exe
2524	powershell.exe
2084	powershell.exe
2744	sppsvc.exe
2624	sppsvc.exe
2984	sppsvc.exe
2836	sppsvc.exe
1116	sppsvc.exe
1288	sppsvc.exe
1876	sppsvc.exe
1804	sppsvc.exe
1864	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	DllCommonsvc.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2732	DllCommonsvc.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2744	sppsvc.exe
Token: SeDebugPrivilege	2624	sppsvc.exe
Token: SeDebugPrivilege	2984	sppsvc.exe
Token: SeDebugPrivilege	2836	sppsvc.exe
Token: SeDebugPrivilege	1116	sppsvc.exe
Token: SeDebugPrivilege	1288	sppsvc.exe
Token: SeDebugPrivilege	1876	sppsvc.exe
Token: SeDebugPrivilege	1804	sppsvc.exe
Token: SeDebugPrivilege	1864	sppsvc.exe
Token: SeDebugPrivilege	2868	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1652	2404	JaffaCakes118_8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c.exe	28
PID 2404 wrote to memory of 1652	2404	JaffaCakes118_8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c.exe	28
PID 2404 wrote to memory of 1652	2404	JaffaCakes118_8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c.exe	28
PID 2404 wrote to memory of 1652	2404	JaffaCakes118_8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c.exe	28
PID 1652 wrote to memory of 2108	1652	WScript.exe	29
PID 1652 wrote to memory of 2108	1652	WScript.exe	29
PID 1652 wrote to memory of 2108	1652	WScript.exe	29
PID 1652 wrote to memory of 2108	1652	WScript.exe	29
PID 2108 wrote to memory of 2888	2108	cmd.exe	31
PID 2108 wrote to memory of 2888	2108	cmd.exe	31
PID 2108 wrote to memory of 2888	2108	cmd.exe	31
PID 2108 wrote to memory of 2888	2108	cmd.exe	31
PID 2888 wrote to memory of 2880	2888	DllCommonsvc.exe	63
PID 2888 wrote to memory of 2880	2888	DllCommonsvc.exe	63
PID 2888 wrote to memory of 2880	2888	DllCommonsvc.exe	63
PID 2888 wrote to memory of 1888	2888	DllCommonsvc.exe	64
PID 2888 wrote to memory of 1888	2888	DllCommonsvc.exe	64
PID 2888 wrote to memory of 1888	2888	DllCommonsvc.exe	64
PID 2888 wrote to memory of 772	2888	DllCommonsvc.exe	65
PID 2888 wrote to memory of 772	2888	DllCommonsvc.exe	65
PID 2888 wrote to memory of 772	2888	DllCommonsvc.exe	65
PID 2888 wrote to memory of 2344	2888	DllCommonsvc.exe	66
PID 2888 wrote to memory of 2344	2888	DllCommonsvc.exe	66
PID 2888 wrote to memory of 2344	2888	DllCommonsvc.exe	66
PID 2888 wrote to memory of 2204	2888	DllCommonsvc.exe	67
PID 2888 wrote to memory of 2204	2888	DllCommonsvc.exe	67
PID 2888 wrote to memory of 2204	2888	DllCommonsvc.exe	67
PID 2888 wrote to memory of 588	2888	DllCommonsvc.exe	68
PID 2888 wrote to memory of 588	2888	DllCommonsvc.exe	68
PID 2888 wrote to memory of 588	2888	DllCommonsvc.exe	68
PID 2888 wrote to memory of 2968	2888	DllCommonsvc.exe	69
PID 2888 wrote to memory of 2968	2888	DllCommonsvc.exe	69
PID 2888 wrote to memory of 2968	2888	DllCommonsvc.exe	69
PID 2888 wrote to memory of 2952	2888	DllCommonsvc.exe	70
PID 2888 wrote to memory of 2952	2888	DllCommonsvc.exe	70
PID 2888 wrote to memory of 2952	2888	DllCommonsvc.exe	70
PID 2888 wrote to memory of 304	2888	DllCommonsvc.exe	71
PID 2888 wrote to memory of 304	2888	DllCommonsvc.exe	71
PID 2888 wrote to memory of 304	2888	DllCommonsvc.exe	71
PID 2888 wrote to memory of 2176	2888	DllCommonsvc.exe	72
PID 2888 wrote to memory of 2176	2888	DllCommonsvc.exe	72
PID 2888 wrote to memory of 2176	2888	DllCommonsvc.exe	72
PID 2888 wrote to memory of 2864	2888	DllCommonsvc.exe	73
PID 2888 wrote to memory of 2864	2888	DllCommonsvc.exe	73
PID 2888 wrote to memory of 2864	2888	DllCommonsvc.exe	73
PID 2888 wrote to memory of 1096	2888	DllCommonsvc.exe	80
PID 2888 wrote to memory of 1096	2888	DllCommonsvc.exe	80
PID 2888 wrote to memory of 1096	2888	DllCommonsvc.exe	80
PID 1096 wrote to memory of 2180	1096	cmd.exe	87
PID 1096 wrote to memory of 2180	1096	cmd.exe	87
PID 1096 wrote to memory of 2180	1096	cmd.exe	87
PID 1096 wrote to memory of 2732	1096	cmd.exe	88
PID 1096 wrote to memory of 2732	1096	cmd.exe	88
PID 1096 wrote to memory of 2732	1096	cmd.exe	88
PID 2732 wrote to memory of 776	2732	DllCommonsvc.exe	122
PID 2732 wrote to memory of 776	2732	DllCommonsvc.exe	122
PID 2732 wrote to memory of 776	2732	DllCommonsvc.exe	122
PID 2732 wrote to memory of 2140	2732	DllCommonsvc.exe	123
PID 2732 wrote to memory of 2140	2732	DllCommonsvc.exe	123
PID 2732 wrote to memory of 2140	2732	DllCommonsvc.exe	123
PID 2732 wrote to memory of 2300	2732	DllCommonsvc.exe	125
PID 2732 wrote to memory of 2300	2732	DllCommonsvc.exe	125
PID 2732 wrote to memory of 2300	2732	DllCommonsvc.exe	125
PID 2732 wrote to memory of 2636	2732	DllCommonsvc.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8db0ab9d6fd8a68f5d240a1c7cec0f1c037dd00499f2f71e9432d9076622151c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\database\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aKuo1wi3L2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2180
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\faDLbbQ0dW.bat"
        7⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2468
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"
        9⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2128
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
        11⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2324
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
        13⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1020
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        15⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2472
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
        17⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:304
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"
        19⤵
        
        PID:1356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2164
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat"
        21⤵
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2216
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
        23⤵
        
        PID:604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2268
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
        25⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2804
        
        C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\security\database\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\security\database\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\database\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Installer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7c14452c8d37eac9f9820295ee431cc

SHA1
55a470a10d9e4fddae3043cd58854f9465c4b960

SHA256
089b87fcd1bc93231edff1147bb870119fe299848a83848247486f906df24771

SHA512
8ca355994b4e21656209d72f6dc32264546f458866d56cabb037f779ae2c3f409db170883874df6ef2de89423bff813bddb3f7868e94a38d20ff21fab127500b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
537c8072b6fcef97c2b6f38c71a4485c

SHA1
9e53b867a0565e40d47a16623e04429dafc67014

SHA256
f4fb4de8e75d8a80df4475120f0586e97b8b35c926439f6d830bf1273ac76669

SHA512
fb67c37c8355a5daeef2a29126102761993f588d8ecf205db50c483141a5e4158d6a863fe6cc45730f704456716c54d3afe438648d7b8f1c5bee875a99383936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8221b322acba74d3a0604c1fef5c3de8

SHA1
e285a692575bfd9ae3434ccb8d23c0926673f97e

SHA256
341335c88f92227d1a3dc6ea3e09d23a249c4cc2a2f302773fa8fa5779e559f8

SHA512
2b43186b077cb0351584653f73a1f87191077407928db5815e323fa016c8f69a1fc2a1d5cb6c23a891f0c60d881250155d6b00b4b6a047440ccadb8b2dbea023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35e1ab16a8d54ae745d75fd8d44a9eed

SHA1
77ab49ff21e3985e030cec9bc022384cc8fc44f8

SHA256
7b1abda80bfd8ace543a634c9e72596355d8cc2c22c53629ce90ff8fa9d3d78c

SHA512
0ea9bf43d67de7312dbe6b04d08ec4a9294e30f210876578d0d9dfb870db3764fd0b4a615094550dd305f936cdf6f2deda0177e61cf2e18310c216eaa18e09b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3443a51c51fe263a61c76563cd126d94

SHA1
872798e2f6be34dda005a13b2af33b99adc3a011

SHA256
5ffef2cd19d26934eb3d30e365e35b6ffd64022922a84fae6b7e582fab3d852b

SHA512
9e3673abdad2a07adf86c060b13a74c288793a6d9a03f0aa2aa24e520b5eb5b9d42d6ace7b0afa02792418c045d868fdc3c5b11a5d6c468f558a753762d02e43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae0785d918989abd896e6f09a5ce8cc0

SHA1
5156daff620c193329f059a65b84fd731c618c6f

SHA256
835d17273079683365e63957e29801f74ba1b121e6beb882f53d1afb6941b4b4

SHA512
3591102c34d5cd3125491397620a28c4236e7afaa6433b69cbf721171549aba3eef2485477fa8219a8e7959460382155332f93196661d9f5f09534bf096e49d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bd95741f8aea4ec02cb817a6073d209

SHA1
5de1e0db7e8bcf244ee691f254aa3a763ed4d019

SHA256
e1940ffd00636b9988bc7d42a4b2c4b852565799a7c47ddef0e8e368defc30e9

SHA512
6317baf960c2e668113278d59e364e9823f9c1a01f8bca234faeb94046a6f2034d10b0ad95e87e6fa70d7d745c02a3750d6fbc6a185a5466ece09cee9d6eb289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18bf6d9a9b7b104c00114e173761636f

SHA1
698f8cc1e8b761899a49e02972e2a244e24c7ba2

SHA256
2ca019a15a0dadc67a83487933694750e4291b84f3ea5667e8be4bd6f6c4253f

SHA512
d38451b0fcbf90e52c50b277852e56ae3bc4afcde62f6b237bfb51521b919add9298a8760a7a576cfc29d5acd0b94317bc256360a3f0c90b8a4a44dafc74d910

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat

Filesize
224B

MD5
bb582f40c8446d43d68ed3709efdd80b

SHA1
2732d7a80d446c49a33f297980eb4640a9ad1f14

SHA256
912fbc61fe5c750c22d684e052f3bacff782e2731e219f56426e349a1bd105bf

SHA512
993453db9ad013757d7787faa96758a63abb7cd69a7babd01857f720cc0b74f7c1bc1e327ad12f350557e7d6d8c87d2ff6c1bb006ca9b716308df4b237d3aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat

Filesize
224B

MD5
5a92437b1e9f3777bee0b1ff4e91e12c

SHA1
9b0cbdfc32f668306e641163ccafcd03aa981c8c

SHA256
1abdc7fe66e37e4b80537137df9b083407e896b5b3893249ae4f2d7d85f4868d

SHA512
43216739e7f42ba09a0e425599fcd25bd193feb99400ba1243bb19657ee96f334efe8695a2e8e021d1f226b84f22b73bde2248dbb9f13c97653227cc7df23db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1C0B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
224B

MD5
45f5a3bbc55a814ad53e0f53dd37b0f8

SHA1
47d33021cf7c6e374286281b0ac8367d79ac14b2

SHA256
1d910fa930e57147e51614eaf7b366b1c33c9bd7b262456b6e05fd5772607c5a

SHA512
28b6a844ac9c212c90b1077e0540f3da27ec0e75ce12ecd1a9f03d190cccf71adbff76a8a6809d07844ff24b3d8449c674f1462c5f1bc1bcc3254441f2678f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

Filesize
224B

MD5
81e641a42079730d88e529b58697a747

SHA1
f2bd7ef741c443580764cefea919d951da8a9db5

SHA256
6e910863595189dbf6a5c998b1d883e24d59f9ec20a611919f3b1a3722ae98fd

SHA512
afc3fc4b3e9a44377567060d6067d83e403d56d7d1fe78e76fc11d5b6e35f2dca5682ca7c4d1964383f4484c98e10072b3dc0f01c9a0fe59700971bea2700800

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat

Filesize
224B

MD5
50a691e06b3457ca3460c600b71a8ede

SHA1
37c8f382a3e7e9a5d5e41777c6bc231c9f5ca1ce

SHA256
7b5ff1c728d50b718feb8942854229f83e8d95704b30b636ae2cf0d5385553b5

SHA512
80fa8d5607fa83d0b3569000e8f99d85808cc245d26b9a057584eff9980a8ca070ab0775b183fd7be63729bebe8e45f38248df691519961ee9f138907cb3f85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C3D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKuo1wi3L2.bat

Filesize
199B

MD5
32316f632791ef33383e83c8f08f9501

SHA1
f9c1c645e7e666810ca440b1c5597985e6f160f0

SHA256
255108d5acf1fff5dc88fa59b2fa7b13b420990e6bd27c528d1e3ae734c9e285

SHA512
df03175b523a07b73a85390329c1e69dba304328b59e4b0c37c7ad79dae5061563177a1d05a6bb77771d02e7d8073e4badd8d08abc276d5d107fe75914d955a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

Filesize
224B

MD5
a1e713118c95f4a54507e67106409eca

SHA1
7851ed811043313586932b975f3209f80d384a1f

SHA256
04fcb8f2d79b4c66c8204b2ab9b1036993415f81218837efbfb99581036af17a

SHA512
d2e8c8ca29e25b2bef9da9dd10dbe02d0bdb7807bba02c366ab8dcaa9663e52f3c8da8febd2588f6414e47d811aa2c2d887d694f3bc09c82073abca229b341a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\faDLbbQ0dW.bat

Filesize
224B

MD5
d3c87abb778f7e3fb007a2591af22993

SHA1
1afced6bdb2671a91e7b398b433be489ccf682af

SHA256
701811b3dff9127f90c48c4d97a06afb2ec3aec92bcadcc3e3d592ab5c58d90d

SHA512
6cce95f0c6d466552c6257e89d22d19fa0e5ce43eb1766c723aceb27f7c12ca8c2dc7402f5dbf33c1b95fde71ae2daa2af0623baaea168afddcf3554f6cb01b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat

Filesize
224B

MD5
805b755f51eb9df3753f1d4559ca5ce6

SHA1
33aa1b1e2a10b5f48f89f2f750aff09a6921509e

SHA256
a2aae1b43de1e4e6f47d05445c67d27aaa2e918f7a9eec5a6125ffdf9d007a2c

SHA512
9d13d239aa47c6da876343cae80870df4e5512bf12294e200cb53a50eb94956d398f85e7ff826013f392ebed785082687b3b5e0132c4d8b71733bb8b55543142

Download Submit
C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat

Filesize
224B

MD5
a9b84a8f23f7ec5cbb5908c53efaf91f

SHA1
75054179669f01c637942aa9846a4c87706be08b

SHA256
be750346eb4104ae930ef6ab43d6162a258dc48d59f8f708f0cb1efc81991a5e

SHA512
3e77255a81c25f9d87217080adbf98db5503b5d4e4246ff5f5443eb4e707cc23098f6ce936ff3aaa8ac6199a54dee27a7456eb31f5b77a289c8ebdbfa5b96cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat

Filesize
224B

MD5
8082a2dbd3cf77c3f6b8ed066ca13d3f

SHA1
38d7724565df839d0de768b504e2e349351a23a7

SHA256
7a0db213dce17804d31f1c0e3161c85c7cb50ce13c449483361e8ed36340df5e

SHA512
1431197912660efafd12b1565bae332438c79b4c8d0ce5311a5dd87d2cdab330525add6d0480336067153aeb1768fc6d6eb2901a43946557d0193dd43cd947f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5aac263772bb6d9ac9192d2bed3c3e19

SHA1
f433924c58ab60065b93c4a7018234b05bda012d

SHA256
8ff83e1688da254ab89a790f6432cea9f0d08f638cd8df989b744bddb30edf15

SHA512
d4857fa9bd57b9017f5f4374e61669d6a29c7ee84feb79ce98c4a6075ea430fe350065caa24c41bd478821181db41d62c0bd872833cf19c8228869562ec9eb19

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1804-604-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/1864-664-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/2300-129-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2300-128-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2624-248-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2744-189-0x00000000012B0000-0x00000000013C0000-memory.dmp

Filesize
1.1MB

Download
memory/2888-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2888-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2888-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2888-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2888-13-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/2968-50-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2968-51-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2984-308-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download