dcrat | ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121.exe
Size

1.3MB
MD5

441496886fe207aecce88f72ded7acc0
SHA1

11734e54de9fc0693e1e601d33537b38dde8ba88
SHA256

ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121
SHA512

31ccc3a66e5e2b10eb735eef501de5ff34e3864adc6ad704512be2292067003365b1782b2a63ff96e285e7b9a26da5c3863637628d0952c826c5cd880fe9f05a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2964	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2964	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000173aa-12.dat	dcrat
behavioral1/memory/2196-13-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/2524-72-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/2772-189-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/264-248-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2184-427-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/852-487-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1032-547-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/1276-607-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2612-667-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
704	powershell.exe
1632	powershell.exe
2884	powershell.exe
1400	powershell.exe
1436	powershell.exe
1900	powershell.exe
688	powershell.exe
1432	powershell.exe
1148	powershell.exe
1516	powershell.exe
1356	powershell.exe
608	powershell.exe
2104	powershell.exe
1800	powershell.exe
2640	powershell.exe
1660	powershell.exe
2068	powershell.exe
1520	powershell.exe
1800	powershell.exe
1432	powershell.exe
2376	powershell.exe
2888	powershell.exe
2908	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2196	DllCommonsvc.exe
2524	DllCommonsvc.exe
2772	services.exe
264	services.exe
2588	services.exe
544	services.exe
2184	services.exe
852	services.exe
1032	services.exe
1276	services.exe
2612	services.exe
2104	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	cmd.exe
2504	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
34	raw.githubusercontent.com
23	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\services.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\System.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\ServiceProfiles\System.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\winsxs\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\IME\IMETC10\DICTS\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\IME\IMETC10\DICTS\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2096	schtasks.exe
1728	schtasks.exe
2744	schtasks.exe
2288	schtasks.exe
576	schtasks.exe
1672	schtasks.exe
2460	schtasks.exe
2920	schtasks.exe
2608	schtasks.exe
2280	schtasks.exe
1720	schtasks.exe
1276	schtasks.exe
840	schtasks.exe
2236	schtasks.exe
2688	schtasks.exe
3056	schtasks.exe
2584	schtasks.exe
1732	schtasks.exe
2776	schtasks.exe
2032	schtasks.exe
404	schtasks.exe
2176	schtasks.exe
2852	schtasks.exe
1696	schtasks.exe
2452	schtasks.exe
2032	schtasks.exe
2840	schtasks.exe
1596	schtasks.exe
2092	schtasks.exe
112	schtasks.exe
2488	schtasks.exe
1528	schtasks.exe
1932	schtasks.exe
788	schtasks.exe
1780	schtasks.exe
2356	schtasks.exe
2036	schtasks.exe
2324	schtasks.exe
1680	schtasks.exe
2256	schtasks.exe
2696	schtasks.exe
1988	schtasks.exe
1736	schtasks.exe
2116	schtasks.exe
2036	schtasks.exe
2720	schtasks.exe
3036	schtasks.exe
2112	schtasks.exe
2872	schtasks.exe
1512	schtasks.exe
1200	schtasks.exe
2040	schtasks.exe
2924	schtasks.exe
2572	schtasks.exe
2384	schtasks.exe
2856	schtasks.exe
2668	schtasks.exe
2816	schtasks.exe
1692	schtasks.exe
2796	schtasks.exe
624	schtasks.exe
2648	schtasks.exe
776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2196	DllCommonsvc.exe
1432	powershell.exe
1148	powershell.exe
1436	powershell.exe
1800	powershell.exe
1516	powershell.exe
2640	powershell.exe
1400	powershell.exe
2524	DllCommonsvc.exe
2524	DllCommonsvc.exe
2524	DllCommonsvc.exe
2524	DllCommonsvc.exe
2524	DllCommonsvc.exe
2524	DllCommonsvc.exe
2524	DllCommonsvc.exe
2908	powershell.exe
704	powershell.exe
2376	powershell.exe
688	powershell.exe
1900	powershell.exe
1632	powershell.exe
608	powershell.exe
1660	powershell.exe
2104	powershell.exe
2068	powershell.exe
2888	powershell.exe
1520	powershell.exe
1356	powershell.exe
1800	powershell.exe
2884	powershell.exe
1432	powershell.exe
2772	services.exe
264	services.exe
2588	services.exe
544	services.exe
2184	services.exe
852	services.exe
1032	services.exe
1276	services.exe
2612	services.exe
2104	services.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	DllCommonsvc.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2524	DllCommonsvc.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2772	services.exe
Token: SeDebugPrivilege	264	services.exe
Token: SeDebugPrivilege	2588	services.exe
Token: SeDebugPrivilege	544	services.exe
Token: SeDebugPrivilege	2184	services.exe
Token: SeDebugPrivilege	852	services.exe
Token: SeDebugPrivilege	1032	services.exe
Token: SeDebugPrivilege	1276	services.exe
Token: SeDebugPrivilege	2612	services.exe
Token: SeDebugPrivilege	2104	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 776	1960	JaffaCakes118_ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121.exe	30
PID 1960 wrote to memory of 776	1960	JaffaCakes118_ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121.exe	30
PID 1960 wrote to memory of 776	1960	JaffaCakes118_ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121.exe	30
PID 1960 wrote to memory of 776	1960	JaffaCakes118_ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121.exe	30
PID 776 wrote to memory of 2504	776	WScript.exe	32
PID 776 wrote to memory of 2504	776	WScript.exe	32
PID 776 wrote to memory of 2504	776	WScript.exe	32
PID 776 wrote to memory of 2504	776	WScript.exe	32
PID 2504 wrote to memory of 2196	2504	cmd.exe	34
PID 2504 wrote to memory of 2196	2504	cmd.exe	34
PID 2504 wrote to memory of 2196	2504	cmd.exe	34
PID 2504 wrote to memory of 2196	2504	cmd.exe	34
PID 2196 wrote to memory of 1432	2196	DllCommonsvc.exe	54
PID 2196 wrote to memory of 1432	2196	DllCommonsvc.exe	54
PID 2196 wrote to memory of 1432	2196	DllCommonsvc.exe	54
PID 2196 wrote to memory of 1148	2196	DllCommonsvc.exe	55
PID 2196 wrote to memory of 1148	2196	DllCommonsvc.exe	55
PID 2196 wrote to memory of 1148	2196	DllCommonsvc.exe	55
PID 2196 wrote to memory of 1516	2196	DllCommonsvc.exe	56
PID 2196 wrote to memory of 1516	2196	DllCommonsvc.exe	56
PID 2196 wrote to memory of 1516	2196	DllCommonsvc.exe	56
PID 2196 wrote to memory of 1400	2196	DllCommonsvc.exe	57
PID 2196 wrote to memory of 1400	2196	DllCommonsvc.exe	57
PID 2196 wrote to memory of 1400	2196	DllCommonsvc.exe	57
PID 2196 wrote to memory of 1800	2196	DllCommonsvc.exe	58
PID 2196 wrote to memory of 1800	2196	DllCommonsvc.exe	58
PID 2196 wrote to memory of 1800	2196	DllCommonsvc.exe	58
PID 2196 wrote to memory of 1436	2196	DllCommonsvc.exe	59
PID 2196 wrote to memory of 1436	2196	DllCommonsvc.exe	59
PID 2196 wrote to memory of 1436	2196	DllCommonsvc.exe	59
PID 2196 wrote to memory of 2640	2196	DllCommonsvc.exe	60
PID 2196 wrote to memory of 2640	2196	DllCommonsvc.exe	60
PID 2196 wrote to memory of 2640	2196	DllCommonsvc.exe	60
PID 2196 wrote to memory of 2612	2196	DllCommonsvc.exe	65
PID 2196 wrote to memory of 2612	2196	DllCommonsvc.exe	65
PID 2196 wrote to memory of 2612	2196	DllCommonsvc.exe	65
PID 2612 wrote to memory of 1540	2612	cmd.exe	70
PID 2612 wrote to memory of 1540	2612	cmd.exe	70
PID 2612 wrote to memory of 1540	2612	cmd.exe	70
PID 2612 wrote to memory of 2524	2612	cmd.exe	71
PID 2612 wrote to memory of 2524	2612	cmd.exe	71
PID 2612 wrote to memory of 2524	2612	cmd.exe	71
PID 2524 wrote to memory of 1900	2524	DllCommonsvc.exe	117
PID 2524 wrote to memory of 1900	2524	DllCommonsvc.exe	117
PID 2524 wrote to memory of 1900	2524	DllCommonsvc.exe	117
PID 2524 wrote to memory of 2884	2524	DllCommonsvc.exe	118
PID 2524 wrote to memory of 2884	2524	DllCommonsvc.exe	118
PID 2524 wrote to memory of 2884	2524	DllCommonsvc.exe	118
PID 2524 wrote to memory of 1432	2524	DllCommonsvc.exe	119
PID 2524 wrote to memory of 1432	2524	DllCommonsvc.exe	119
PID 2524 wrote to memory of 1432	2524	DllCommonsvc.exe	119
PID 2524 wrote to memory of 1800	2524	DllCommonsvc.exe	120
PID 2524 wrote to memory of 1800	2524	DllCommonsvc.exe	120
PID 2524 wrote to memory of 1800	2524	DllCommonsvc.exe	120
PID 2524 wrote to memory of 1632	2524	DllCommonsvc.exe	121
PID 2524 wrote to memory of 1632	2524	DllCommonsvc.exe	121
PID 2524 wrote to memory of 1632	2524	DllCommonsvc.exe	121
PID 2524 wrote to memory of 704	2524	DllCommonsvc.exe	122
PID 2524 wrote to memory of 704	2524	DllCommonsvc.exe	122
PID 2524 wrote to memory of 704	2524	DllCommonsvc.exe	122
PID 2524 wrote to memory of 2104	2524	DllCommonsvc.exe	123
PID 2524 wrote to memory of 2104	2524	DllCommonsvc.exe	123
PID 2524 wrote to memory of 2104	2524	DllCommonsvc.exe	123
PID 2524 wrote to memory of 608	2524	DllCommonsvc.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba099f212647b418c123a48c46767baac59297826025423e53e72d068c100121.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fATY8not3B.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1540
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMETC10\DICTS\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JOPLrGNB8D.bat"
        7⤵
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2836
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
        9⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2492
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"
        11⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2380
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
        13⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:900
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
        15⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1052
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat"
        17⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:236
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        19⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:444
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t3iRsZx2b7.bat"
        21⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1780
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
        23⤵
        
        PID:1260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1168
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
        25⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2236
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Updater6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Updater6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\IMETC10\DICTS\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\IME\IMETC10\DICTS\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMETC10\DICTS\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cfd0c0ad7ed88e197fe45f56591c0a0

SHA1
9ab46583c1b0433cfcb4fa34b9e29c8fd427d086

SHA256
decf4453d924e727e7b89e4c315e6260bf3e13f797244c1a6c8404e437941d24

SHA512
fdea84a211e4e75011a59913447f66fc5bb06db7f171d5222a4d4460ce3574b01af5d5bca94727abfc37ed11c25880aa0e440cd3c727820088783a6dee6f4292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e0563f0661e47c34b4808ebdf790a4d

SHA1
3b338c6ab2439e92fd6bb809f0c6bb9d78395566

SHA256
e5ecb3c7b3280ff78997420073a50c563d53d7c5bdb052b1f4cfd38a6a3ec398

SHA512
7eff9410bb61e09ea188b7d4c0f9b2006134dca2822c21cd625c1cb78709915003852886cc9deec5a73e3905a0956decabeb88542b7e04a4d2bd78f7a34ac2ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b78bac080d79aacdc92fb799389b3cc

SHA1
98e5eaff62a0206f437d74c82cd18257721ea3a8

SHA256
1ba47ae6b7611e88f04580a947dd2a29a0d4bac6e1db34d9e2e3a6eea893e84d

SHA512
b15912538a2f925effbc4b4dc570dbcec4ae7d4b0d6f8227bff87f0a393894c7a152b5867ff14114ac9271f46c2f0e365841347d69c693b9c48877f0aa613766

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02ccc3a2d593f76243b6087c0d8cfbc9

SHA1
13638fb03cf0252b3d7fd35d42d7f2c435072477

SHA256
7ada6f449735f007ea3517dae6d04630f4f28af53b9e32550291c9391b757359

SHA512
ec5022bfe4d8854b121d6f9b0654c9035a299c6fe2c19e3ef14dddc599b19d754498e30310ca284a0e007a32135843a037cf919fd86cf64b3a41c80f4c06df01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdab65cfc948c073726522bd06bb62d1

SHA1
1a0852d7b11b59856d08e0ac5b9f54b4f51df3a2

SHA256
a10aad082d22dac395520719c32a3edcf0949ed89a2281b1faa50b42693e8171

SHA512
083c72194179020f532e0e503ce603690a566130783be294cee8cf481365d353a4a2cf3636d5d291fa379c4722d248a74582cfe7019c9f9a748b5112b6016ac4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e91d5a7b39909584903073bdc7b09f8

SHA1
d7ccd28fdb0e01abb2f7d59b768fe2152975bcd9

SHA256
64ab7d8da5322bbae02b09cd6dd0c01c613b30978303b23a43e19fa00971adce

SHA512
42901f8c66488ac4bfa72bd4d23f6ba4d72ab15b1ccdf794a5fbaf7b24b7d4d76dfecaa7aa8af30265e2ea72c59053494d074831771716449b93bf8ceb166301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6e1ba64abee7e34fe732be4c6905353

SHA1
25ddcf24ebcebddaa87392657ee12c0904f0c7dc

SHA256
7b767dc979206a35b39a511b94b3ddd89139a38051013e89896701ecd72c2ba3

SHA512
6fef8bd368e7401da80725e1525031fb853f2558d28dfd6ec82ab593440363223e52e9ab9985abf30fd5781109af7afef1b165576e04119c9872d4fe9f519e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dba3f9e9806494471b07130d3bc4c7b

SHA1
10cad039ea3917682bf5a7fb27010c80aa6f83aa

SHA256
6d1ee0ad217ca6a5072d43521127fd12fcbfa417bdebdd5407347e93bd7ec30b

SHA512
a4b77cc756e7b0e33fdbe7bdf42eb35755d894d0d5a90408ed60672e89eebf312a4ca1ab2a774b96d46c8631b762dfc8b9c87062cc54d80000fadbdb832af3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

Filesize
226B

MD5
e1fbde61e04ba5362d60f969cf856b1b

SHA1
d9677f2da93c97d32106de1fb21c744ed4f82eb3

SHA256
9bd8cb43160f2218f1b10e2349ee68df8abb7bb1562ea0a9d46e69ee2964fe51

SHA512
8b9d40965cf6bb777b02c8d2b90a3adac9f521924ba944213d6c8719872549a8fec80051e7c5c3b3805131f75b366afb2d421f755bb5e0c5df559ea20bc4d2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

Filesize
226B

MD5
6024f8c556a6a18c1457362cd858a043

SHA1
a8554ca2717af8944f8bff093af16ca80b6482ec

SHA256
c18cf6fc7540a96df986c72d26e6faabd74aaa8a1c098880528993c60af23152

SHA512
345bbd877141e7cebc250e51b113cba47dbd48aa7e927c1df2e3cfc7efb89618bf3b077caa9a6ac8b231ac7783634d05ed0fa1e07f52db486ba9f68df26b89e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2B76.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOPLrGNB8D.bat

Filesize
226B

MD5
fda258fa51eb53a31751f8a1bf379d80

SHA1
fe4f720f13cd2d9b95bcb9e21a729408336eb100

SHA256
69440b5676eb99398c028484893bf66eb4d37dca05e4ae69408e4f70cc16d4b8

SHA512
2f3ae742ace79a630a343e1cd9770187ee4dc54883d7dfdb9fbbf1cfe2ef21a4aa59418b0b4652f33141cbc74eb0b75c34f552f3f3557f413b6d2c9495ad5f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat

Filesize
226B

MD5
922ce1ce365e97599db1585906256dc6

SHA1
8f7f7bb650d3319089f277d7c5a7512b8331437c

SHA256
049108d6bb24e129d780115279b28e8ce792ef857bee670b55e68dda17edb694

SHA512
15787a023b31d2c77ccbec639ff4c14c7514e08c614aa4abaf162cb89323169645517d7b26bf4de11f474395a5f6cbe2215dbcd7b4a77ab14f72daefd688b492

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

Filesize
226B

MD5
d0df9a061622d3ced97ba843a2f60a49

SHA1
606ee282ac168d422a7ffa345c14537e13d5631b

SHA256
0df897e48e96175dfd7b5d20726a39db787e6d5643717605ab5162c1feae2bb8

SHA512
9f83949a64929e0433a6243686d9d947880f9393c561d334919dd9c7a764afb26b38f38c69b579986a3b3438007bda25777f3363e30d820a7ab6c3092ee37a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B88.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
226B

MD5
d45c614d7bb1781fc22f69a9d75954bc

SHA1
43fcf748e64b57aa51464988e59f346a848519af

SHA256
d8153b03c0d7afe5e77dc939b3bc2f85905ff2e61570a8ede06986a784b62508

SHA512
ff793eb369ca355c2c75ec3cff9839f79d2b922f7a584e860641771bb5de1929f647392b0329b7e1bf8f5717797705d9176afc5f1dab60079e06ab7effb91856

Download Submit
C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat

Filesize
226B

MD5
397f5e864e330c25bc4494f63618aabb

SHA1
a6e67e238f9b3742a70445b4e8a3f6a37be8cde1

SHA256
92f3c1b4ec916c8ec07b44df46d08e6d42e2a28b17a97244ca2425af7be6ca2d

SHA512
aa87ed36234cfbeb0fc620580dd1303b4b55f8b966d90828c9d6be22ee4f42b6882161ffa3f3c5be9c458624d443ecfdc3403a21743c7f3e0b452b47802359ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\fATY8not3B.bat

Filesize
199B

MD5
a2b5189528ebdea939ef55f898e138ee

SHA1
004fd5a34af7e2d747987951b0a5af9d225dc3e0

SHA256
ab288f9575f3085c693efbd440d4659d269351be99423677ac9a9a383dae639e

SHA512
93a20fd87bfa42869d4ba480a6264fa06a88cc1b2d0018e78f5cc32b04758614cfc41efa38e5a3af1c8dd14e7b9c12de1e05641cf2a0cc7a957689c4a19e6f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat

Filesize
226B

MD5
1d518997498b923d3a386afa56337996

SHA1
ede61f5acfc79b49adfe25ead99873bcd9959301

SHA256
0a6a8152407fbea67f3b2b2779ce382c9a56911397ac64a523f260390887092e

SHA512
ea69d0061813de549b71029bbf1b9f67ddf4d9d06dfcb3ca90809e9c31db33c76d91d7db34852132129be41e5aaaef4f54f450efcb0a4b5280a92f539fb2ec16

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3iRsZx2b7.bat

Filesize
226B

MD5
d1243d90a5cf141e0aa7988448411717

SHA1
759cd3ee458e5240af892f85c22c04ecba5bc024

SHA256
31ac8857e4f35844a16d05b08de4febf94d69d45484359eefb5f98a7559ac243

SHA512
0b11db860348b58ce1046ccf42e8687b368db6f352217df547af46691012c76382f439f10cfad742c1d61d9a14d51e9db67ac4b0e5228a97df1ae03783215069

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat

Filesize
226B

MD5
8575fdff8f7a6c58922613ada446b69a

SHA1
410837afdcbf2a63134e7d11c37df7bfa758dab7

SHA256
79482f5a3694cf4803abf837cddf8ee4b7db1a1406a32e02f39fb948f1778854

SHA512
bbc522576b5faaad2a88509748763f7240b730bab8d561c0a1bd047cfcfa615ec87d36b5b72b32a2094ddc0a7e409009798cc97a247911b13b5c3773b4a8aede

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
97dc1fa5dfb1b536e4c12e0ad046aa60

SHA1
61ccdcb159ad9853dc898a247c41bdf43e802038

SHA256
ea1e9db069ef7427fa296d567edb4a9a5f78f7b05968bf3955692a963a899163

SHA512
d702acbf73ed0bf064a0e1ab49d7a8ca3bad8f9383971b602bcb6f421aa0e5147b2ec8b67b6ef95452d257bb2b6ea89c6117a55cbf6cfd22d861b62f89617dbc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/264-248-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/852-487-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/1032-547-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/1276-607-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1432-40-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1432-39-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2184-427-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2196-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2196-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2196-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2196-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2196-13-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/2524-72-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2524-73-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2588-308-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2612-667-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2772-189-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2908-121-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2908-120-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download