dcrat | a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c.exe
Size

1.3MB
MD5

d8017dd7d519c8d2dffad38357c80f2b
SHA1

12ddf579d4c607473ee869ef16adc1ba24976a89
SHA256

a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c
SHA512

2f651c6f393f88329beac7b430f15d68abd40a3675783e9eb6c8f693bfda6d1c48b8d3ffdaac3238cf05ac44652fe0856ee9c796dbffab4661ca11bb0e8069dc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2876	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2876	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018687-9.dat	dcrat
behavioral1/memory/2712-13-0x0000000000C90000-0x0000000000DA0000-memory.dmp	dcrat
behavioral1/memory/756-167-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/628-226-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/484-346-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/3040-406-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/1868-466-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/1344-526-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/1844-764-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2916	powershell.exe
2680	powershell.exe
2632	powershell.exe
2776	powershell.exe
2636	powershell.exe
2316	powershell.exe
1404	powershell.exe
2808	powershell.exe
2932	powershell.exe
2896	powershell.exe
2756	powershell.exe
2816	powershell.exe
768	powershell.exe
2936	powershell.exe
2652	powershell.exe
2672	powershell.exe
2020	powershell.exe
2644	powershell.exe
2732	powershell.exe
900	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2712	DllCommonsvc.exe
756	smss.exe
628	smss.exe
2480	smss.exe
484	smss.exe
3040	smss.exe
1868	smss.exe
1344	smss.exe
2992	smss.exe
1400	smss.exe
1168	smss.exe
1844	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	cmd.exe
2112	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\fr-FR\Licenses\eval\HomePremiumE\wininit.exe	DllCommonsvc.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IME\ja-JP\56085415360792	DllCommonsvc.exe
File created	C:\Windows\IME\ja-JP\wininit.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe
1000	schtasks.exe
496	schtasks.exe
1372	schtasks.exe
2572	schtasks.exe
2316	schtasks.exe
796	schtasks.exe
1704	schtasks.exe
840	schtasks.exe
1384	schtasks.exe
1576	schtasks.exe
444	schtasks.exe
2340	schtasks.exe
3068	schtasks.exe
1676	schtasks.exe
2260	schtasks.exe
2296	schtasks.exe
316	schtasks.exe
2808	schtasks.exe
2176	schtasks.exe
2344	schtasks.exe
1820	schtasks.exe
2196	schtasks.exe
2940	schtasks.exe
328	schtasks.exe
2988	schtasks.exe
896	schtasks.exe
2312	schtasks.exe
2796	schtasks.exe
1800	schtasks.exe
332	schtasks.exe
2836	schtasks.exe
2256	schtasks.exe
2528	schtasks.exe
1296	schtasks.exe
1064	schtasks.exe
2540	schtasks.exe
2668	schtasks.exe
2584	schtasks.exe
1040	schtasks.exe
2780	schtasks.exe
2060	schtasks.exe
2732	schtasks.exe
1928	schtasks.exe
2244	schtasks.exe
2128	schtasks.exe
1972	schtasks.exe
2144	schtasks.exe
2012	schtasks.exe
1592	schtasks.exe
1816	schtasks.exe
2148	schtasks.exe
2604	schtasks.exe
2480	schtasks.exe
2108	schtasks.exe
1708	schtasks.exe
604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2712	DllCommonsvc.exe
2644	powershell.exe
2776	powershell.exe
2636	powershell.exe
2936	powershell.exe
2916	powershell.exe
2732	powershell.exe
2632	powershell.exe
2020	powershell.exe
2816	powershell.exe
1404	powershell.exe
2932	powershell.exe
2652	powershell.exe
2680	powershell.exe
768	powershell.exe
2756	powershell.exe
900	powershell.exe
2896	powershell.exe
2316	powershell.exe
2808	powershell.exe
2672	powershell.exe
756	smss.exe
628	smss.exe
2480	smss.exe
484	smss.exe
3040	smss.exe
1868	smss.exe
1344	smss.exe
2992	smss.exe
1400	smss.exe
1168	smss.exe
1844	smss.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	DllCommonsvc.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	756	smss.exe
Token: SeDebugPrivilege	628	smss.exe
Token: SeDebugPrivilege	2480	smss.exe
Token: SeDebugPrivilege	484	smss.exe
Token: SeDebugPrivilege	3040	smss.exe
Token: SeDebugPrivilege	1868	smss.exe
Token: SeDebugPrivilege	1344	smss.exe
Token: SeDebugPrivilege	2992	smss.exe
Token: SeDebugPrivilege	1400	smss.exe
Token: SeDebugPrivilege	1168	smss.exe
Token: SeDebugPrivilege	1844	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2580	2532	JaffaCakes118_a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c.exe	31
PID 2532 wrote to memory of 2580	2532	JaffaCakes118_a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c.exe	31
PID 2532 wrote to memory of 2580	2532	JaffaCakes118_a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c.exe	31
PID 2532 wrote to memory of 2580	2532	JaffaCakes118_a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c.exe	31
PID 2580 wrote to memory of 2112	2580	WScript.exe	32
PID 2580 wrote to memory of 2112	2580	WScript.exe	32
PID 2580 wrote to memory of 2112	2580	WScript.exe	32
PID 2580 wrote to memory of 2112	2580	WScript.exe	32
PID 2112 wrote to memory of 2712	2112	cmd.exe	34
PID 2112 wrote to memory of 2712	2112	cmd.exe	34
PID 2112 wrote to memory of 2712	2112	cmd.exe	34
PID 2112 wrote to memory of 2712	2112	cmd.exe	34
PID 2712 wrote to memory of 2932	2712	DllCommonsvc.exe	93
PID 2712 wrote to memory of 2932	2712	DllCommonsvc.exe	93
PID 2712 wrote to memory of 2932	2712	DllCommonsvc.exe	93
PID 2712 wrote to memory of 2896	2712	DllCommonsvc.exe	94
PID 2712 wrote to memory of 2896	2712	DllCommonsvc.exe	94
PID 2712 wrote to memory of 2896	2712	DllCommonsvc.exe	94
PID 2712 wrote to memory of 2776	2712	DllCommonsvc.exe	95
PID 2712 wrote to memory of 2776	2712	DllCommonsvc.exe	95
PID 2712 wrote to memory of 2776	2712	DllCommonsvc.exe	95
PID 2712 wrote to memory of 2936	2712	DllCommonsvc.exe	96
PID 2712 wrote to memory of 2936	2712	DllCommonsvc.exe	96
PID 2712 wrote to memory of 2936	2712	DllCommonsvc.exe	96
PID 2712 wrote to memory of 2652	2712	DllCommonsvc.exe	97
PID 2712 wrote to memory of 2652	2712	DllCommonsvc.exe	97
PID 2712 wrote to memory of 2652	2712	DllCommonsvc.exe	97
PID 2712 wrote to memory of 2756	2712	DllCommonsvc.exe	98
PID 2712 wrote to memory of 2756	2712	DllCommonsvc.exe	98
PID 2712 wrote to memory of 2756	2712	DllCommonsvc.exe	98
PID 2712 wrote to memory of 2816	2712	DllCommonsvc.exe	99
PID 2712 wrote to memory of 2816	2712	DllCommonsvc.exe	99
PID 2712 wrote to memory of 2816	2712	DllCommonsvc.exe	99
PID 2712 wrote to memory of 2916	2712	DllCommonsvc.exe	100
PID 2712 wrote to memory of 2916	2712	DllCommonsvc.exe	100
PID 2712 wrote to memory of 2916	2712	DllCommonsvc.exe	100
PID 2712 wrote to memory of 2672	2712	DllCommonsvc.exe	101
PID 2712 wrote to memory of 2672	2712	DllCommonsvc.exe	101
PID 2712 wrote to memory of 2672	2712	DllCommonsvc.exe	101
PID 2712 wrote to memory of 2636	2712	DllCommonsvc.exe	102
PID 2712 wrote to memory of 2636	2712	DllCommonsvc.exe	102
PID 2712 wrote to memory of 2636	2712	DllCommonsvc.exe	102
PID 2712 wrote to memory of 2020	2712	DllCommonsvc.exe	103
PID 2712 wrote to memory of 2020	2712	DllCommonsvc.exe	103
PID 2712 wrote to memory of 2020	2712	DllCommonsvc.exe	103
PID 2712 wrote to memory of 2644	2712	DllCommonsvc.exe	104
PID 2712 wrote to memory of 2644	2712	DllCommonsvc.exe	104
PID 2712 wrote to memory of 2644	2712	DllCommonsvc.exe	104
PID 2712 wrote to memory of 2316	2712	DllCommonsvc.exe	105
PID 2712 wrote to memory of 2316	2712	DllCommonsvc.exe	105
PID 2712 wrote to memory of 2316	2712	DllCommonsvc.exe	105
PID 2712 wrote to memory of 2680	2712	DllCommonsvc.exe	106
PID 2712 wrote to memory of 2680	2712	DllCommonsvc.exe	106
PID 2712 wrote to memory of 2680	2712	DllCommonsvc.exe	106
PID 2712 wrote to memory of 2632	2712	DllCommonsvc.exe	107
PID 2712 wrote to memory of 2632	2712	DllCommonsvc.exe	107
PID 2712 wrote to memory of 2632	2712	DllCommonsvc.exe	107
PID 2712 wrote to memory of 768	2712	DllCommonsvc.exe	108
PID 2712 wrote to memory of 768	2712	DllCommonsvc.exe	108
PID 2712 wrote to memory of 768	2712	DllCommonsvc.exe	108
PID 2712 wrote to memory of 2808	2712	DllCommonsvc.exe	109
PID 2712 wrote to memory of 2808	2712	DllCommonsvc.exe	109
PID 2712 wrote to memory of 2808	2712	DllCommonsvc.exe	109
PID 2712 wrote to memory of 900	2712	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a3772f9b1a5fdc4efce38bd4ba01d12b8fb398003a709777a8612b39b47f5b7c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\lib\zi\Etc\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\ja-JP\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XPUYsydZFj.bat"
        5⤵
        
        PID:2864
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2268
      - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        7⤵
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1056
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        9⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1232
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
        11⤵
        
        PID:1344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2808
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
        13⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2000
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        15⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2724
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
        17⤵
        
        PID:292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2500
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        19⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1524
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        21⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2076
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
        23⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1000
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
        25⤵
        
        PID:1908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1728
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\zi\Etc\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\zi\Etc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\lib\zi\Etc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\IME\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13933e679c3a4ab8f7d488e9ba055f39

SHA1
84b8c642f2c66162d9d125d158ef4af26219845e

SHA256
43fe7bf4fd4e3b3d328c2cffb5cc91ca88af49696a1a7703214d2de334f17f78

SHA512
15eb3dc185fcbcf2608c9efda01d9afc9fd03475a6d8e2477cc658f9f4648f4a6acb116f89b6190a756ccdd0350f9589d8a97803e68fb6859d23ba1215d82838

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15adb0817b675ff05eee8f50a287a1c7

SHA1
b549d5a5e91c6675036867c7c225e726f9b83b1b

SHA256
509eba7db83891692cc8fcacc103be2818c387d64346239fb451416c6dc8cdce

SHA512
2b1542403da2d61b97a3791b824d862710c94c310bda647032c57e6a4daa6c16b3416733c066855148a05633cb9d68c9cf9e4b1c8a3157180c6725e148bd80fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b08f42d66d8e7602c468d000da2de9d5

SHA1
487946750743fc8bede6869a2f5377ff621621ca

SHA256
4dd6baa95fb045f686639ef78dd03c09e4aa5e61bcf3611581dc19e9f1782677

SHA512
6e1245d276058acae1cd3c49ab3b726a3abb6385961dd7fc527d26c7aee1f232a43cd24badf07e24df4a3145efd30e401b0019b29a2b0845bdf2457f9bced3af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11971a6211d74e8be2eeaaa5ba2ec640

SHA1
bce148334e3d44fd4c886f9550234d6c2678983c

SHA256
f584dcffb6775161e082f2698f38ebe9763112a653721935b24acf3e1a8c75d0

SHA512
367d628cd6b07774d68754991b07c34e198acdec836b39f0b1e4cf7495e5fc334cbc19e9b2a0760c38b818305625c290bee4717980f1cdd63d89105e7062e6bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2803b8a53184d28a04d6879277652aa

SHA1
51c3780865a7f6d33571121a1a7ce717ffb1aacc

SHA256
08256f7b193f0c35feb4ded0de7155cf746f8d7a55bd7810c985b675e29726a3

SHA512
1c60b0b69c872233b2f0cd4480c4885d167a95c82d21e5906aa0824fbd9bdd613d9156abf1a95680c39e111a48b7e3e7151467c305d7c692b16edd79098e6144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25b3721372dd00fa7f0759fa1e4c8a28

SHA1
8569baf56d92839ac40f9e3f67ae114b69aff3ce

SHA256
24d09cbeb9bf43ecc03bba2f284b87a9205c634aead525b0616fe077724a79a8

SHA512
7fad5e41e044b27047530d6ee1263e4a96cc55e7c9e95cc0f5f0df9895833b7ac44f63d476c5d0b6c50316a6c0887ac6afb41c2e2382992312af15c5d94e2adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e1a1cd96714acc4516cb00f9ceefe57

SHA1
897255058726bb30bd7bedb7e64e8a11a1522929

SHA256
2c715465212fb1cc5466ed0ceaed3ebca3c532050e33a635c4b68df75b2634a7

SHA512
74b60ca2ae519bb913b5d3f3f323112dd7c6ef21286804e255476caae105874f630a937555f1a7864e898feffb78003ac039009471ffbc30907de7b5233d7962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78d9522cd3e3b0b07e497b615476002b

SHA1
beff03bb84060507ca6618e41960906900fef304

SHA256
c59d6cf549441fe9814805674617232083fd38e0fa3867cbbcedcdf8bf14f23f

SHA512
62204bc135e644c273ee8d03b65032f4a6c7d938e3751bb962200a2a52f861aa44b50284a0b86b50bfff061e638e15f39cbaf856732914186e7cbc84328294cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2e7cee502d622eb634402e23a63eed6

SHA1
a731a159f7d6bc0f78137d3c27a4325a4c41702a

SHA256
e87b464591976662275506607d8dfa547b8de4245aacdee8cd6a0ca949d59bf9

SHA512
e1d3e7fe5d71acce9b43943dc3890160c21e61e8647b1b34cd6b33daad60bfdc7903a3e0e8c0ffc20ba5bbb04a57ec687dfda8fe2a2c3bcdf6c8e91b64308be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
222B

MD5
3963ebb9bcd5c2de5cd4e5eb64686bd6

SHA1
f1a050a62d8166116e762539ff5dbb96757c8e1e

SHA256
0df6387cc5120db8e4f4db5f3977e39ed604ca83c7ccb78a6bcd0f17590427b6

SHA512
b7c68ee1de1aac3fcc22df731ef2676a9040c47c8cb389eab9e8dc02c2d9fc83804cfb52c4ed33849b6b9b410c4ca144a66165e9b543256e0e10c413d0f9fbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F9A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat

Filesize
222B

MD5
89160e12ca7dbbf031497f691991ba20

SHA1
e0dedf4e541325e79242f5cdc0418fbc444d59a2

SHA256
20620231dcd494101bef5c39473a5c741b966c0d7b19113d57e5864115be8ccb

SHA512
c2734d776819e2404d562a29dc9516469e6faa1f6ff6afada029df416efbacc49d1e5341690b3ebff256a19fba96317d1a86bda1b6cd4b03dbbfe7c9b1dbdbbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat

Filesize
222B

MD5
ac04258e1446f079ca8dec46a2a4e2a5

SHA1
fef5bb9d51f9fb14bfc77bb181d538289c8a2dcd

SHA256
183030a9b134a1abff8f1b7e493b052f53a02075259f1f447bc84998d9aa889c

SHA512
e358e114c71959c3da64703831a5f9abd30a6ff0506d7e6bab75ac1f559b4914008ae25bbf6087df46753feb879e1b46c5adf4c79cec9ded84b1e45b8207bbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
222B

MD5
1a2dcef734907e176a606cb3434ce201

SHA1
cbfca40bb1797c2d3df92d1786fcf3b6b0b8ec0b

SHA256
162396d27304f95d5bd9502cc7e9a1da5f80fb175c6afc6a88439fc71d5f08cc

SHA512
8cc29c0018d5bd1e57a365e54ed1c7ebd5f38d4405a2ab50328451b04b49375b9766fa8bd151735e5e2fa94f534ab43df16fa1acf4949f44106683207c0dc8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat

Filesize
222B

MD5
20fd91521c0ad00f23dbe48fb99cb9a4

SHA1
126c323276920c8556e3b84e25c5250d891bc870

SHA256
7c12d614e76303e19580f3e125a5f47f7035934ed04ee1ac07d9ecc073392120

SHA512
7d401f79cfcb9bb85b8ed26160f898c7c7a7ffc21698a6de65bb8314c2a43a67486e84eb0b7fb4027f520ad52bd79c9d45b0c0ba43f4c72efdc15eeb7ddbe0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat

Filesize
222B

MD5
cb74512a09f47d1d8b01637da0ec2e1c

SHA1
8d341c610591329474a717fa2fc157f1e8627959

SHA256
a9cc5d97b6aded872c52c11cff3aff6cc581be273fafa02a44a3225054668dfb

SHA512
b39e8c66d9e9352c36d4b671b16729c08c395fc3d3d4e4c255c64fda6f39edc18daac8aee75d67bdd08102da1726bad8f4a450be5bcfdc3ce271ff43fc33a9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2FEB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPUYsydZFj.bat

Filesize
222B

MD5
e9ed195755355556d2e0d4c65f2efc98

SHA1
82fa271a8ec24927271d9657eccffa62b2586e0b

SHA256
e147db1c7fa64bd06d32f039ff585f9a0e0acefff87a16594d0a5b05a8a1ac9d

SHA512
8d242a651c6054bbc15862c35ae58758165dd92ed548cd1ff5bf0d767f2bf7ff4019fb5603deb72883f3b7d798b122f6b4fbc48a1325a7963d1ac6a99a408f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
222B

MD5
81b27c0f626263296d31215f56d1e22d

SHA1
ebf5d67ff907a1fe720d4adaefeaf4b613e9a7f0

SHA256
60d7e82b0a69378d9a7aecc71e194694e885242061c2a151534c631cfe347246

SHA512
d80120ed39d1d30e1a9fb08aa32362c46c1beffb7b89093becc12e167399bf533786ff39ff726d5ce6d2a314599225f4078bf3a32b8d5f868fe54efcdb279435

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

Filesize
222B

MD5
065c2beac06dea78c6192cb779731f52

SHA1
83a3c07337a9903b7cfc47df94ed0fc704656055

SHA256
d4a0578e9a2fb3bfbd4a1ff84d760fb9da1691594e29ae91d30b00b9b9775aad

SHA512
b3f63e881fc26698a2ae4f7e5a5640f3b142507f4c1763dbce127a833e141f7d2123999e4c2d0e41bfdc8945bd0ac6880523275f7636432b1e28b98dd1a2be9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
222B

MD5
344a2fbcf235701760cdcad9d6204470

SHA1
4c483f6e7680aae1e4fbe96ce64b5a62809cb3a0

SHA256
89b6b9ff4c99b755af06617b45738b2ca540e1a89f86c78897d37a11bd982a46

SHA512
fbb77386d3d346f7f7c80bb705d31339cab59ea8a74c4ae983c099295c0cfc5a07883c17df99f03f01b1852f3a0e63597b874c8e1dee19eb7597aed3cba2f3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
222B

MD5
2d57d6cdabb31728eea9a90ac8dbce5c

SHA1
203de23189fb28b8d02d704efed82bf24dffbac9

SHA256
c8502f00937354969ca9fc01fd2237eb86eabef4e4f55448806d263c7de3e889

SHA512
ebeabe6652e599ef4a73a01788da5267c0b0c70998272b5fffea7d401d2dbefb7d1e7fae6bb828ebd776a9c1708dd7e7605b6d20976ebc7aec0c8545534dc795

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6bdaa2ecf5c692b0eff6a0e055136a70

SHA1
dd7ce022b2e3d416a6f22d7071ea4663913bf58f

SHA256
a0947655b10c7e0e7858a1f02c4adc405a95b18f1ebbaad2d6f9a39879fae6d1

SHA512
9f63f177f4acbfa8a21d89280737e84c42365c9848c9924f6d6c5ef163d6be90a249c5afe48f125cb7b54cffebd0fa963e338d9d81ca09681e6e30fb1c59360f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/484-346-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/628-226-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/756-167-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/900-149-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/900-148-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1168-704-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1344-526-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/1844-764-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/1868-466-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2480-286-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2644-70-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2712-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2712-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2712-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2712-13-0x0000000000C90000-0x0000000000DA0000-memory.dmp

Filesize
1.1MB

Download
memory/2712-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2776-65-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/3040-406-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download