dcrat | e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d.exe
Size

1.3MB
MD5

d5c70acbe76fca9d4a41cfb4cb10f15a
SHA1

ad92283619bd06d4175fd17bc08bbec976262305
SHA256

e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d
SHA512

8aaf83db4b831b6ae7acf8b75d4eb8ed12bc72a838ee2fa2a8a4c09e4a0db5f6fe8c261a111ca2867da61928e63a5dc69b64ab5d42c3163216913803659ad8c3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2928	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016033-10.dat	dcrat
behavioral1/memory/2156-13-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/1612-91-0x00000000009D0000-0x0000000000AE0000-memory.dmp	dcrat
behavioral1/memory/2604-210-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/2636-270-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2708-449-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2232-509-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2088-569-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1688-629-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/1960-689-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/328-749-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2888	powershell.exe
2852	powershell.exe
2820	powershell.exe
2784	powershell.exe
2240	powershell.exe
2604	powershell.exe
2628	powershell.exe
2524	powershell.exe
2132	powershell.exe
2616	powershell.exe
3004	powershell.exe
2804	powershell.exe
2832	powershell.exe
2164	powershell.exe
2704	powershell.exe
2224	powershell.exe
2112	powershell.exe
2656	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2156	DllCommonsvc.exe
1612	lsm.exe
2604	lsm.exe
2636	lsm.exe
2912	lsm.exe
1140	lsm.exe
2708	lsm.exe
2232	lsm.exe
2088	lsm.exe
1688	lsm.exe
1960	lsm.exe
328	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
3036	cmd.exe
3036	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\b75386f1303e64	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Help\mui\0407\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Help\mui\0407\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\authman\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\authman\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1084	schtasks.exe
1796	schtasks.exe
1536	schtasks.exe
2176	schtasks.exe
2464	schtasks.exe
2840	schtasks.exe
2440	schtasks.exe
1416	schtasks.exe
1632	schtasks.exe
1640	schtasks.exe
3024	schtasks.exe
1872	schtasks.exe
1272	schtasks.exe
888	schtasks.exe
2868	schtasks.exe
2812	schtasks.exe
2468	schtasks.exe
2520	schtasks.exe
2036	schtasks.exe
3028	schtasks.exe
1136	schtasks.exe
884	schtasks.exe
1652	schtasks.exe
300	schtasks.exe
1668	schtasks.exe
1676	schtasks.exe
2084	schtasks.exe
2612	schtasks.exe
848	schtasks.exe
2296	schtasks.exe
2456	schtasks.exe
2304	schtasks.exe
3060	schtasks.exe
2760	schtasks.exe
748	schtasks.exe
2428	schtasks.exe
1852	schtasks.exe
1764	schtasks.exe
2816	schtasks.exe
2120	schtasks.exe
2136	schtasks.exe
2500	schtasks.exe
2860	schtasks.exe
844	schtasks.exe
1624	schtasks.exe
2752	schtasks.exe
1944	schtasks.exe
1752	schtasks.exe
3020	schtasks.exe
496	schtasks.exe
548	schtasks.exe
2756	schtasks.exe
2904	schtasks.exe
2680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2156	DllCommonsvc.exe
2156	DllCommonsvc.exe
2156	DllCommonsvc.exe
2604	powershell.exe
2524	powershell.exe
2240	powershell.exe
2784	powershell.exe
2804	powershell.exe
2112	powershell.exe
2628	powershell.exe
2704	powershell.exe
2164	powershell.exe
2224	powershell.exe
2888	powershell.exe
2852	powershell.exe
2616	powershell.exe
2656	powershell.exe
2832	powershell.exe
2132	powershell.exe
2684	powershell.exe
3004	powershell.exe
2820	powershell.exe
1612	lsm.exe
2604	lsm.exe
2636	lsm.exe
2912	lsm.exe
1140	lsm.exe
2708	lsm.exe
2232	lsm.exe
2088	lsm.exe
1688	lsm.exe
1960	lsm.exe
328	lsm.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	DllCommonsvc.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1612	lsm.exe
Token: SeDebugPrivilege	2604	lsm.exe
Token: SeDebugPrivilege	2636	lsm.exe
Token: SeDebugPrivilege	2912	lsm.exe
Token: SeDebugPrivilege	1140	lsm.exe
Token: SeDebugPrivilege	2708	lsm.exe
Token: SeDebugPrivilege	2232	lsm.exe
Token: SeDebugPrivilege	2088	lsm.exe
Token: SeDebugPrivilege	1688	lsm.exe
Token: SeDebugPrivilege	1960	lsm.exe
Token: SeDebugPrivilege	328	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2524	2384	JaffaCakes118_e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d.exe	30
PID 2384 wrote to memory of 2524	2384	JaffaCakes118_e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d.exe	30
PID 2384 wrote to memory of 2524	2384	JaffaCakes118_e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d.exe	30
PID 2384 wrote to memory of 2524	2384	JaffaCakes118_e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d.exe	30
PID 2524 wrote to memory of 3036	2524	WScript.exe	31
PID 2524 wrote to memory of 3036	2524	WScript.exe	31
PID 2524 wrote to memory of 3036	2524	WScript.exe	31
PID 2524 wrote to memory of 3036	2524	WScript.exe	31
PID 3036 wrote to memory of 2156	3036	cmd.exe	33
PID 3036 wrote to memory of 2156	3036	cmd.exe	33
PID 3036 wrote to memory of 2156	3036	cmd.exe	33
PID 3036 wrote to memory of 2156	3036	cmd.exe	33
PID 2156 wrote to memory of 2112	2156	DllCommonsvc.exe	89
PID 2156 wrote to memory of 2112	2156	DllCommonsvc.exe	89
PID 2156 wrote to memory of 2112	2156	DllCommonsvc.exe	89
PID 2156 wrote to memory of 2132	2156	DllCommonsvc.exe	90
PID 2156 wrote to memory of 2132	2156	DllCommonsvc.exe	90
PID 2156 wrote to memory of 2132	2156	DllCommonsvc.exe	90
PID 2156 wrote to memory of 2164	2156	DllCommonsvc.exe	91
PID 2156 wrote to memory of 2164	2156	DllCommonsvc.exe	91
PID 2156 wrote to memory of 2164	2156	DllCommonsvc.exe	91
PID 2156 wrote to memory of 2524	2156	DllCommonsvc.exe	92
PID 2156 wrote to memory of 2524	2156	DllCommonsvc.exe	92
PID 2156 wrote to memory of 2524	2156	DllCommonsvc.exe	92
PID 2156 wrote to memory of 2224	2156	DllCommonsvc.exe	93
PID 2156 wrote to memory of 2224	2156	DllCommonsvc.exe	93
PID 2156 wrote to memory of 2224	2156	DllCommonsvc.exe	93
PID 2156 wrote to memory of 2684	2156	DllCommonsvc.exe	94
PID 2156 wrote to memory of 2684	2156	DllCommonsvc.exe	94
PID 2156 wrote to memory of 2684	2156	DllCommonsvc.exe	94
PID 2156 wrote to memory of 2240	2156	DllCommonsvc.exe	95
PID 2156 wrote to memory of 2240	2156	DllCommonsvc.exe	95
PID 2156 wrote to memory of 2240	2156	DllCommonsvc.exe	95
PID 2156 wrote to memory of 2784	2156	DllCommonsvc.exe	96
PID 2156 wrote to memory of 2784	2156	DllCommonsvc.exe	96
PID 2156 wrote to memory of 2784	2156	DllCommonsvc.exe	96
PID 2156 wrote to memory of 2804	2156	DllCommonsvc.exe	97
PID 2156 wrote to memory of 2804	2156	DllCommonsvc.exe	97
PID 2156 wrote to memory of 2804	2156	DllCommonsvc.exe	97
PID 2156 wrote to memory of 2820	2156	DllCommonsvc.exe	98
PID 2156 wrote to memory of 2820	2156	DllCommonsvc.exe	98
PID 2156 wrote to memory of 2820	2156	DllCommonsvc.exe	98
PID 2156 wrote to memory of 2852	2156	DllCommonsvc.exe	99
PID 2156 wrote to memory of 2852	2156	DllCommonsvc.exe	99
PID 2156 wrote to memory of 2852	2156	DllCommonsvc.exe	99
PID 2156 wrote to memory of 2628	2156	DllCommonsvc.exe	100
PID 2156 wrote to memory of 2628	2156	DllCommonsvc.exe	100
PID 2156 wrote to memory of 2628	2156	DllCommonsvc.exe	100
PID 2156 wrote to memory of 2832	2156	DllCommonsvc.exe	101
PID 2156 wrote to memory of 2832	2156	DllCommonsvc.exe	101
PID 2156 wrote to memory of 2832	2156	DllCommonsvc.exe	101
PID 2156 wrote to memory of 2888	2156	DllCommonsvc.exe	102
PID 2156 wrote to memory of 2888	2156	DllCommonsvc.exe	102
PID 2156 wrote to memory of 2888	2156	DllCommonsvc.exe	102
PID 2156 wrote to memory of 2616	2156	DllCommonsvc.exe	103
PID 2156 wrote to memory of 2616	2156	DllCommonsvc.exe	103
PID 2156 wrote to memory of 2616	2156	DllCommonsvc.exe	103
PID 2156 wrote to memory of 2704	2156	DllCommonsvc.exe	104
PID 2156 wrote to memory of 2704	2156	DllCommonsvc.exe	104
PID 2156 wrote to memory of 2704	2156	DllCommonsvc.exe	104
PID 2156 wrote to memory of 2604	2156	DllCommonsvc.exe	105
PID 2156 wrote to memory of 2604	2156	DllCommonsvc.exe	105
PID 2156 wrote to memory of 2604	2156	DllCommonsvc.exe	105
PID 2156 wrote to memory of 2656	2156	DllCommonsvc.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e441852620b7256b9ccf076aa26b51360609ad80b99f9b49e2c7cd310597452d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\0407\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        6⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat"
        8⤵
        
        PID:1136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1864
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat"
        10⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2884
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        12⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2424
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        14⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
        16⤵
        
        PID:556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2472
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        18⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2372
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        20⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1700
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
        22⤵
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
        24⤵
        
        PID:864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3060
        
        C:\Windows\Microsoft.NET\authman\lsm.exe
        
        "C:\Windows\Microsoft.NET\authman\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
        26⤵
        
        PID:700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\mui\0407\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Help\mui\0407\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\0407\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\Sample Media\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\authman\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\authman\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf02dbba3e2e543c76bf2d844cea6d61

SHA1
ea9557459820c360331fc76d43e082d7c8cc5213

SHA256
740548a95a5289eca65b3068fe7c1dcee1e12282e6dfb8a19afb31ebe7a39283

SHA512
e43b40c4c57789cfbc2074868843401d551c4178a9147996a3aca056c6469843c59d39c6bd28d05a5c954b6f706f18a2938071315c7f463826d1079739cb62e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfc22c6ea781c64046d63a000aa27c19

SHA1
a9a60083707b443420080a09e77efbce9e97807b

SHA256
86b4557dcaff610acfd8938e56dd383a97bb4226c4f95363e61118e13f589dd2

SHA512
df15f011cdd6b92ec0a6143ffd658ce0ce883f3b7b43bc020b4f08cbc6a2a611fcea3ef28d7d742462daff4d2ef456283ec434c20d5cd17a25f3e7bba64eb988

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93bc4dbcac8ee3228f8ef22ccdb79883

SHA1
bb57dd2694d678544d97a248d84622978513946f

SHA256
8186f2aa49c379e1288a355e4155322d26caef75e695c340a80ede97ee5a4fb1

SHA512
d705e367fa2de126a647b6f77258c10435d769175494a30816a054bcc4e1ddb7ce3015dddc4a2e120b52aabb0fe3faeb1d0a908bca13a35298ba432bb837e1cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
653e003b50eb4ffb4417faa4b9e58795

SHA1
d9e0211fa9d454070e8cd614a144ea48d19cb7e9

SHA256
bf98942cc1bfc6f7b0326fbfed126b3b5fc048753fe59e0636b8e778bbef9a2a

SHA512
7e9ea47f6beddaf8b2c32e59441cb06447d176a1fb6ad22b550057e88a686910b459f0459ded488564d89797daa067b1bd6f4ae751a51a8a8f434af8ffaef502

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11f8b81cf1aa552cd8474b8febfd5fd7

SHA1
e8ac48a28669473a5a48753010e0d15e0e270e1c

SHA256
779c4d4f332da2b5ce87992c89c722a6460142742f5416acf5e7f085db3d9613

SHA512
3bec4e264b781bae57ed9cb5a8817fc044b7405230439209ea2a8cf590eeaf036415be4af3d2700cdf61498e6b05b89c4f89567e06afba1d16ba64fa64da649c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
758261faa4c1e3e4ca32f8f8d9c3de5b

SHA1
cdfd799f0d120ce3d23ee7b1b3aa8447ff35b980

SHA256
e55187876f3b2f517e6cab71b52f671445c71a7e99968fc992c5fcc5a3ee33ef

SHA512
71019cba2aac5f95afc141e5000bd1c69839fee13eead116d04f4c338be1e34f7932dd51409104102e8c9f47ff75353385b1771de482be6261f45cb355f3df76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ca8a5cbb619ce1428d7a1a75021e773

SHA1
e04b6ee9711f905d1effcb39778388b048359fba

SHA256
c0b598e7ad6e6317ca6e5684de72a236e4ba4c7fb46b4cc22665ccab9ab246bb

SHA512
12d1b51f994955db647714ea02e6521feb890ab6ec0db4ab5608335f17885fe897482239cc10fb1000b50f7c2e7082d1e42c2811b8bab62b658c456d1f95135e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e624a4de8f3bd52f6041c3c6a3cd6fe

SHA1
725374bf2526610d7d65f477157def301f79d916

SHA256
12cd5368675d77f2ccf97795f8d110681952f8733c693c983a0a786421e2aef6

SHA512
a5b32d4bdd50ea82e7382bcd072d1f872e417ac3aa7d9185252dce210ca0bd3bd4b64ac6627141210ef55e9f8a4617f6a21a326b44f78602f6aa04d1c7a3f55b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb25ae02d7eedf48dec6310673ccf149

SHA1
9e3af1ac7b08037ebe8879380682ec2b75214348

SHA256
b7c18579d963282d948e007bfc0f2c0a88a15e9826a210fec0f61db39debf3e7

SHA512
9823932db1f604c2ffdaafdb7ef6047391259c6d27c56cf3037ab82f04ca5abfdbe329182e21b8adab00168a43d871befd7d39b75172c6f0ba793ba0383c7ba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afd52ab659c983d2c2e2e47e8b22e53c

SHA1
592de84f20f39dbf2eaa18bc8a03f25d91b7d851

SHA256
1754cce07c6800b5781395ad96706c3e6f019ec49193580174aba08f2f8627d0

SHA512
effb8f0b12afb22526a2b73bc6bce1fa25b53989f74166679691cd5723276af2ec8ed37778d02b691c634515ca23dad14a2116961e500a6515eb7656a5961f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

Filesize
205B

MD5
b3e4f2ea1606071e7072e1e4f9e2b313

SHA1
164426eeaa82a71acb77a4967f35d2593aa6539f

SHA256
be1efdb243719e9e9d4665b70a5ab26d0b753222ded85704a58b394bc78ea4ca

SHA512
61f9f7e429f0fbe76ed0a39e556acf98cc6d3dd37067eca8a9b878d19ee712c4324d4aff1c70bc3cdfb1bacbd8a180e4533c0fb68cead61018d48b355d34d07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
205B

MD5
209d2f5216ed9cbd8be479667485e8fb

SHA1
c1eaacc27a9301cc0585625170bf09b483a7f17c

SHA256
1e1376271e4244c34fce80aa014ec8a7dc029e7db2556a76eaac48f2050d60f5

SHA512
d568b2877f0b6d6023f5288a82f68ebb6919b0cf28e197ea429b2efbe44625c26670dedcf2da795c0cf20b20bf889b48d880868684f9eaa930182b850f944605

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

Filesize
205B

MD5
506e676fed34b3df12ad71fa82b5213d

SHA1
2f0f486ae56c33428dd3ab80a3fd771e19d7f8b9

SHA256
2a3202b652f6695f75ec501688a7254996cb811ffce1e33fd1d52423787f8d5a

SHA512
5f74caeb8e4a017b60634f21ed8a910f1b27355e28699ac905bd42f111e5a2f93cb3ce58eaeac75bf3fdb9e9eaf0b2327966d15b646cd471704b073ffb8d6cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF8A3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

Filesize
205B

MD5
70a39f3295b840832c740c22a97353c2

SHA1
359d4d27a6a19de3868f38122114c7ceb6592c2b

SHA256
3ff1041e84ca30262941ebdc6aa945885efe92ede408daaac813002b07207943

SHA512
608c736354fd153fd6cf95d5b77a13f4042685be5bd254f697b037a1169138de628dc7e9e812e3064a1635ecfea042fdbab10422ff1b84d28e691a7ec829ad12

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF8B6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
205B

MD5
02c6ed23a4e38b08e1bf32ca3ea32468

SHA1
ad42640dfdf7d69f03f1a34d0da87068cd398348

SHA256
0c662b3b632f2583e825a60f8ef9c4c859e362d460e14b05e1ddb6f0a3d7b16a

SHA512
167f8b4be58c28b1cfd99886942e99bc5ca96a200363f75a1199776619ebc9d1955979600447ed6adff97670db3734b9c681b142228e8eb351bf80af0a04845a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat

Filesize
205B

MD5
d7341c26ce821b164178ec617d1893ae

SHA1
fd1f5a825d41ef3063f1fba0df740adb1a0b2db6

SHA256
2d3aa5e1d4809fe43b1b5eb80bd1daaba9d30aec172a5b1990b7485218fe53b6

SHA512
4bf37ba8ae17cab7a519b2649902e2654daf890858e67f992291afab4efce22106f97c5495564263456c6bb6a415bd55758893679570fcf554843c1978ca5d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
205B

MD5
43a7e4d7f4764a4c2e2a12bb9abba8bf

SHA1
057c66bf940121fedcfe94a6a4c6a2154d8af4b8

SHA256
9102a3cac1a6d281abd5438cb3ea47fd2fe58b6ddd1d43de9309fcc4d1e896f3

SHA512
34f7e4aa24f8d4a8662e61fe65baacb425848189b6a104d08a960fd183aee6f16f8fd648a8bee5ec439ab02e4d57eb667c561897a2512cc6d01fcfe99d917df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat

Filesize
205B

MD5
6b3be512970b21f9491713be483e3775

SHA1
adb3f2cfd511ff1f90c47b13939cbafe4db7647f

SHA256
15bf8bc4f9980223b27381d3fddd731dd3b9522fdfd7d0bcc7663761ae413503

SHA512
c081bd899e33826b172ca2d6dd19eebf71e9b9b371f3d863f45c6e26ec80b24ad358ed2c0febe58f6492c4479406b93dc20965d9d84f6f607f66fa84120c775a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat

Filesize
205B

MD5
2dca31ec0e2cfe38fe1a8522af95372a

SHA1
577d40d2022fd27bfffe2288736d25c404de095c

SHA256
a08594a63a5778983896337539774707b610872d84dcaf29adc71f8fdc428501

SHA512
4a2e60d21958490f3e8bd855c71fb1220499d0e03ad8fdf4de176bfc8ad6f323acc8c61b41ffe213d093defc0f9de2a36e851a8dc5cd724dbee52f1631903230

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
205B

MD5
9f659b7a3d577f17281fda3db4e4d424

SHA1
dddc08f509c687765e5cea7f0d9cbc299588d720

SHA256
56ab1b430d1f3cd981d9c7d9844f59a49cd8342d676cae202a592ab1a6f76c5c

SHA512
edd7b71fecf0b3e7eb3049e8489c42f31f7d7e1fb7d81f47e4da376c10bd7378703d4cbbc5704812c396925087775c6bee20d30cec7dabca346e0c0d08ad298f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat

Filesize
205B

MD5
faa7a2bffc85b50ace7d2d7d1b66ed2d

SHA1
77ec5dcb48f4a60725c81e6ab34106115748b805

SHA256
e94e0465350dffd5ba82bbb47bcddceb61d429471ecd58e669078fada5484450

SHA512
78ab5efcd9b2247d94ff7c7a6a8a248404d7f317386d788d68743983cedd36d5f468efdc21f2cac522973c31e4de8776d325356362a7e42c4c783710e687812e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
77cdb46a51ed571d8b8afc64f87427e0

SHA1
b4b61a61619dd646916e143769ca3df196a13075

SHA256
b973c9d6cde4ffd72f454a556f4184ba19ac872037277b1e65f33c1c0a97b5bb

SHA512
ce29b3e3cdb9b05cfe515eb38cf7759e28dfe38ffd40ecd17aafd4daa2f81dd353284b743991c0d3dbcf2c6e594a782ecc99e7e364a3e25e50a1f94d90095a15

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/328-749-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/1612-91-0x00000000009D0000-0x0000000000AE0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-629-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/1960-689-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/2088-569-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2156-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2156-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2156-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2156-13-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2156-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2232-509-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2604-210-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/2604-92-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2636-270-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2708-449-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2804-79-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2912-330-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download