dcrat | 17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e.exe
Size

1.3MB
MD5

23345639c0ec85c28d74c22ec6c306aa
SHA1

7fc0d76b0cf28553a65d0d4382b00b33df0c0a54
SHA256

17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e
SHA512

cee42a913a15caa9762179395dab350f71944ff4ac82582f66ecbbc2d6f188ba43e7fc443aac51450a44ce56d5860d1e4f3a29210b37ec534b9262d624d0f20d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	1944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1944	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d4a-9.dat	dcrat
behavioral1/memory/2788-13-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2924-146-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2548-220-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2932-279-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/1892-339-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/880-399-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2860-460-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/2364-520-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2292-580-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/944-640-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/2476-700-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/2600-760-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 27 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2624	powershell.exe
2808	powershell.exe
2992	powershell.exe
2080	powershell.exe
2224	powershell.exe
1044	powershell.exe
736	powershell.exe
3008	powershell.exe
2716	powershell.exe
2220	powershell.exe
2264	powershell.exe
1440	powershell.exe
2812	powershell.exe
2248	powershell.exe
2684	powershell.exe
572	powershell.exe
632	powershell.exe
1708	powershell.exe
2716	powershell.exe
2676	powershell.exe
828	powershell.exe
2680	powershell.exe
2948	powershell.exe
1928	powershell.exe
1132	powershell.exe
2220	powershell.exe
2572	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2788	DllCommonsvc.exe
2924	DllCommonsvc.exe
2548	wininit.exe
2932	wininit.exe
1892	wininit.exe
880	wininit.exe
2860	wininit.exe
2364	wininit.exe
2292	wininit.exe
944	wininit.exe
2476	wininit.exe
2600	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	cmd.exe
2944	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winrm\040C\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\winrm\040C\conhost.exe	DllCommonsvc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\es-ES\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\es-ES\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ehome\MCX\X02\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\de-DE\services.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\de-DE\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\en-US\System.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\ehome\MCX\X02\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1708	schtasks.exe
2144	schtasks.exe
1448	schtasks.exe
1736	schtasks.exe
1552	schtasks.exe
1620	schtasks.exe
2508	schtasks.exe
2660	schtasks.exe
3068	schtasks.exe
1188	schtasks.exe
296	schtasks.exe
2824	schtasks.exe
2776	schtasks.exe
2132	schtasks.exe
580	schtasks.exe
2640	schtasks.exe
2128	schtasks.exe
2432	schtasks.exe
2852	schtasks.exe
2344	schtasks.exe
2536	schtasks.exe
2492	schtasks.exe
1416	schtasks.exe
2756	schtasks.exe
1308	schtasks.exe
2468	schtasks.exe
2832	schtasks.exe
2552	schtasks.exe
1636	schtasks.exe
668	schtasks.exe
1308	schtasks.exe
3048	schtasks.exe
824	schtasks.exe
2492	schtasks.exe
3012	schtasks.exe
2736	schtasks.exe
2432	schtasks.exe
1808	schtasks.exe
856	schtasks.exe
2652	schtasks.exe
2000	schtasks.exe
672	schtasks.exe
2988	schtasks.exe
1320	schtasks.exe
1572	schtasks.exe
3060	schtasks.exe
1652	schtasks.exe
1924	schtasks.exe
2228	schtasks.exe
2684	schtasks.exe
1720	schtasks.exe
2112	schtasks.exe
2152	schtasks.exe
1816	schtasks.exe
1700	schtasks.exe
864	schtasks.exe
1376	schtasks.exe
1120	schtasks.exe
2104	schtasks.exe
1764	schtasks.exe
2620	schtasks.exe
1684	schtasks.exe
1492	schtasks.exe
2168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2788	DllCommonsvc.exe
2808	powershell.exe
2716	powershell.exe
1708	powershell.exe
2224	powershell.exe
632	powershell.exe
3008	powershell.exe
2992	powershell.exe
828	powershell.exe
2220	powershell.exe
2080	powershell.exe
2680	powershell.exe
2684	powershell.exe
2812	powershell.exe
2676	powershell.exe
1132	powershell.exe
2948	powershell.exe
1928	powershell.exe
572	powershell.exe
2924	DllCommonsvc.exe
2924	DllCommonsvc.exe
2924	DllCommonsvc.exe
2248	powershell.exe
2264	powershell.exe
736	powershell.exe
1440	powershell.exe
2624	powershell.exe
2220	powershell.exe
2716	powershell.exe
1044	powershell.exe
2572	powershell.exe
2548	wininit.exe
2932	wininit.exe
1892	wininit.exe
880	wininit.exe
2860	wininit.exe
2364	wininit.exe
2292	wininit.exe
944	wininit.exe
2476	wininit.exe
2600	wininit.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	DllCommonsvc.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2924	DllCommonsvc.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2548	wininit.exe
Token: SeDebugPrivilege	2932	wininit.exe
Token: SeDebugPrivilege	1892	wininit.exe
Token: SeDebugPrivilege	880	wininit.exe
Token: SeDebugPrivilege	2860	wininit.exe
Token: SeDebugPrivilege	2364	wininit.exe
Token: SeDebugPrivilege	2292	wininit.exe
Token: SeDebugPrivilege	944	wininit.exe
Token: SeDebugPrivilege	2476	wininit.exe
Token: SeDebugPrivilege	2600	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2792	2992	JaffaCakes118_17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e.exe	30
PID 2992 wrote to memory of 2792	2992	JaffaCakes118_17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e.exe	30
PID 2992 wrote to memory of 2792	2992	JaffaCakes118_17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e.exe	30
PID 2992 wrote to memory of 2792	2992	JaffaCakes118_17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e.exe	30
PID 2792 wrote to memory of 2944	2792	WScript.exe	31
PID 2792 wrote to memory of 2944	2792	WScript.exe	31
PID 2792 wrote to memory of 2944	2792	WScript.exe	31
PID 2792 wrote to memory of 2944	2792	WScript.exe	31
PID 2944 wrote to memory of 2788	2944	cmd.exe	33
PID 2944 wrote to memory of 2788	2944	cmd.exe	33
PID 2944 wrote to memory of 2788	2944	cmd.exe	33
PID 2944 wrote to memory of 2788	2944	cmd.exe	33
PID 2788 wrote to memory of 2808	2788	DllCommonsvc.exe	86
PID 2788 wrote to memory of 2808	2788	DllCommonsvc.exe	86
PID 2788 wrote to memory of 2808	2788	DllCommonsvc.exe	86
PID 2788 wrote to memory of 2684	2788	DllCommonsvc.exe	87
PID 2788 wrote to memory of 2684	2788	DllCommonsvc.exe	87
PID 2788 wrote to memory of 2684	2788	DllCommonsvc.exe	87
PID 2788 wrote to memory of 1132	2788	DllCommonsvc.exe	88
PID 2788 wrote to memory of 1132	2788	DllCommonsvc.exe	88
PID 2788 wrote to memory of 1132	2788	DllCommonsvc.exe	88
PID 2788 wrote to memory of 2992	2788	DllCommonsvc.exe	90
PID 2788 wrote to memory of 2992	2788	DllCommonsvc.exe	90
PID 2788 wrote to memory of 2992	2788	DllCommonsvc.exe	90
PID 2788 wrote to memory of 2716	2788	DllCommonsvc.exe	92
PID 2788 wrote to memory of 2716	2788	DllCommonsvc.exe	92
PID 2788 wrote to memory of 2716	2788	DllCommonsvc.exe	92
PID 2788 wrote to memory of 2948	2788	DllCommonsvc.exe	93
PID 2788 wrote to memory of 2948	2788	DllCommonsvc.exe	93
PID 2788 wrote to memory of 2948	2788	DllCommonsvc.exe	93
PID 2788 wrote to memory of 2224	2788	DllCommonsvc.exe	95
PID 2788 wrote to memory of 2224	2788	DllCommonsvc.exe	95
PID 2788 wrote to memory of 2224	2788	DllCommonsvc.exe	95
PID 2788 wrote to memory of 3008	2788	DllCommonsvc.exe	96
PID 2788 wrote to memory of 3008	2788	DllCommonsvc.exe	96
PID 2788 wrote to memory of 3008	2788	DllCommonsvc.exe	96
PID 2788 wrote to memory of 2812	2788	DllCommonsvc.exe	97
PID 2788 wrote to memory of 2812	2788	DllCommonsvc.exe	97
PID 2788 wrote to memory of 2812	2788	DllCommonsvc.exe	97
PID 2788 wrote to memory of 2676	2788	DllCommonsvc.exe	98
PID 2788 wrote to memory of 2676	2788	DllCommonsvc.exe	98
PID 2788 wrote to memory of 2676	2788	DllCommonsvc.exe	98
PID 2788 wrote to memory of 2680	2788	DllCommonsvc.exe	99
PID 2788 wrote to memory of 2680	2788	DllCommonsvc.exe	99
PID 2788 wrote to memory of 2680	2788	DllCommonsvc.exe	99
PID 2788 wrote to memory of 1708	2788	DllCommonsvc.exe	100
PID 2788 wrote to memory of 1708	2788	DllCommonsvc.exe	100
PID 2788 wrote to memory of 1708	2788	DllCommonsvc.exe	100
PID 2788 wrote to memory of 1928	2788	DllCommonsvc.exe	101
PID 2788 wrote to memory of 1928	2788	DllCommonsvc.exe	101
PID 2788 wrote to memory of 1928	2788	DllCommonsvc.exe	101
PID 2788 wrote to memory of 2080	2788	DllCommonsvc.exe	102
PID 2788 wrote to memory of 2080	2788	DllCommonsvc.exe	102
PID 2788 wrote to memory of 2080	2788	DllCommonsvc.exe	102
PID 2788 wrote to memory of 2220	2788	DllCommonsvc.exe	103
PID 2788 wrote to memory of 2220	2788	DllCommonsvc.exe	103
PID 2788 wrote to memory of 2220	2788	DllCommonsvc.exe	103
PID 2788 wrote to memory of 632	2788	DllCommonsvc.exe	104
PID 2788 wrote to memory of 632	2788	DllCommonsvc.exe	104
PID 2788 wrote to memory of 632	2788	DllCommonsvc.exe	104
PID 2788 wrote to memory of 572	2788	DllCommonsvc.exe	105
PID 2788 wrote to memory of 572	2788	DllCommonsvc.exe	105
PID 2788 wrote to memory of 572	2788	DllCommonsvc.exe	105
PID 2788 wrote to memory of 828	2788	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17f34f700e36b70e8f2a21814aba181aed7c9c584d8850728a4004a148729d4e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\winrm\040C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\de-DE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B0tzreJzkv.bat"
        5⤵
        
        PID:2032
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2796
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\MCX\X02\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXtY4PgZvo.bat"
        7⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:880
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
        9⤵
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2828
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        11⤵
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2796
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
        13⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2972
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
        15⤵
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:944
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        17⤵
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2076
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
        19⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:296
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat"
        21⤵
        
        PID:300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2480
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"
        23⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2376
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
        25⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1892
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\winrm\040C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\winrm\040C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\winrm\040C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\ehome\MCX\X02\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ehome\MCX\X02\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\MCX\X02\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\WmiPrvSE.exe'" /f
1⤵
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\27d1bcfc3c54e0

Filesize
970B

MD5
25c15b115f4fcadd3fdda269b2665ebe

SHA1
c709f9d6bf7ea0b2d564a7f8c42fb9888783a3e3

SHA256
616d211697d5715db1f8ca27285cf8e04118eb8baeeb37ececee3622568d1696

SHA512
827932858eb579fd00a416104d7b1a168c0e7145fa33ff55b7a8760ca19cf23917feb8b2b77d3435fabde101612ca0d227a10b65d90ebcd5baf5e459fdbfe468

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee9e38698501e99982ea4c86728f826d

SHA1
07a80f0d34ea432f849f53decbe71ccffd613d29

SHA256
2594a20a3cd029de1d31fcd7e790a0847eea2b5051390e167f073f2e56d40129

SHA512
7c48ba7176b27592b7a706aec6a70cc13cca9d526b83f6648dd9ef7523408db1104767e9e361c9008ece96b5173d8b3bfb8ab5e3e1158c15c879cfe66d9e1f23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6fb06176e0c8fe458487f1b19b03ccc

SHA1
b20529032b4cf53376a6b3684f8da7528da5d90c

SHA256
bb1c364818e943a1ba1df0acdc5444e99eeab861f07b8a405906a50d6a01c73f

SHA512
6d2956822339470c6419b674ddc20c3a154215e2d490e042c0a6976108d93e2add16dc55e959028862436f0a6dc47b2dc92eb097e81231fecf4dfa26451a0bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fe21d3556c2fe16e9bf80b04a83e849

SHA1
4bb39f9715c2725b8f6787dd5ad157ecda62609b

SHA256
cd2f56405f766471d2b52c3a5e559048f76d5ae2e49a23cb48ae5d9195d1beca

SHA512
2771c0e336e2a925369d744260c0d85200bbaa508db71ec6a28051a2cbbe5eee4eb5d445ffa160e797225aa291e37c83718b73c708488554e5c80304746dcf32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
699444ae9ad8f46b38c2b6db8a5d6583

SHA1
373c1891711aff49cf730aaeaae770731d8cc370

SHA256
40cd3fb63e0394ef34c93fd657a9b1a10d2eb141c27ba802922756b20404cd26

SHA512
753f2e4f7be58c00eb827eefb03438caee8b75a1cbe3c0ed383ca6eb258227d0fe3544a73e72da68db244d1e3f2cbec849c14a84903bcd9064a4092a2a7f6bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
348707158f3653a8ae2d36bfba095996

SHA1
a37584e5c118923aec03ab711ff76b71593cb847

SHA256
f6ec56736705a7546fc85ca583ca4c2ff3b2d4e97d845e6e679013a94085fbd2

SHA512
13f31f94e89e3e08f8332cf8633a02c3c429bcca6a3c303a65a8aa1f9e6a8b14ab2801442f41747da19bb136aceb6ee4503517fed38c853144fcece2a907916d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed0cf3932f5898c923bf3434c46d8ada

SHA1
8512d2243a540035fa2f8d6efe92ea31576f8f40

SHA256
19775bb99c3b062577dcad3a439ce495307541f65965efa8c44704da8c930db5

SHA512
e0da4b2d2ff18bab7d2c5506713f45725bc15686761d906925987bd2891f28622f2ffb489a6aaa7692b22cacef1f66f976c99cb418b4a3c20224ee1712b146df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f5975c621f66ed7e18db26fe5c8bdab

SHA1
5936f1e0b4f053ba99b753df485ce92e4400753c

SHA256
6b46c09917ed35acdde9adbeba14f27754bd6a436a1bafbc5a3ccbfc2b854be4

SHA512
677beb1514d43a9f9b2f94285b5ea75cb6b4194c076c44c199a28208bc7a3327d4647c39cfadc7c830f5f6c09d3a096940b6c51ec3e1d9a763b84ffd3e08038c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08427872548e491b63ac857fa9a4e645

SHA1
55b6b0187b5ffd3148beae68df5002582205b392

SHA256
acec6c96bfe9d35dd8e7fdfe4362e09be263f144265abab26f9fc7d399a53fb5

SHA512
d5aed4a5056bc565d06d96d37bc608795a012a72f2fedc4d732ccb28e3ec40871610563326827b1cf99019ea2ec771d093bd97d29b5bbdd198e098a381e53d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat

Filesize
225B

MD5
a5fdb65ff6294470d4f6bd7515151c03

SHA1
d4cc807995e49fd2c6fef87a1d509e5acc1a81f2

SHA256
0434a3d9a60e1df80c4ae2edd273855e9edd0fa1da931d331a464d39e43a28ec

SHA512
bf7ee96bef458b631e60a1243c03d305665f7bb3c7a178e223399bc48de721a84725ddba6566b468b9a4a7be0c6c588ea11b5696d752796ccda69ab2985f1d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0tzreJzkv.bat

Filesize
199B

MD5
6d0fa7bc3cbffe7697365daf8df66e5c

SHA1
09cd540456454f631fbed407949b338330c614be

SHA256
167a548539ff88cd25248fc0c4f430e7105043a2e8a5ac357ff5a55e73c8b4c4

SHA512
805b905f3078e27a6e7392d1c2894cb8f6a4e99033eef7dce0426c86ec49befb6536d9b6e3dc9559b8035962b3370dd4689b3b7813821890b66f951712db85e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

Filesize
225B

MD5
e35d093b8aaa79f9ac8d9fd33f3e4203

SHA1
f0c4a611ee8c20c662115ee61ab9caf70a133190

SHA256
393edeae2d9c95188e21e67074a090256a9b8e5c9370a67c82bfbb61ff85bcbe

SHA512
4892ae0a378f329376aa441b44bf1edd56acff87fa7813562b000817e7e48aa87c28952c557e035f6f65eb910ec66d790f94361dd792983d0e386c8d20bcddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC6E9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat

Filesize
225B

MD5
e2ae369bc53d89305be190d1f099b00e

SHA1
61c5f86d6c0f437b668ec30bcec84ec63fb532a3

SHA256
520a173e94a7f527afe5af0a865fe97b94deb0a847f2baa59cbd5ba15a669613

SHA512
83433705f60c40d0b6231a9b22813d688f46bd0779a0220cf45341b6ccfcc12dc6ad24fe6d79386a8296e3142bbdb56d86826e8b8adb62a48f71d2dbc9b0c84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
225B

MD5
a584aa1dbfe34285785e11fb86ae84da

SHA1
8d07c9debbe7447d6f1beabbee85145252549e3e

SHA256
515b990b1ab92e029e7033865ae3019c7b42e737a1b1faca06ec280788a6a355

SHA512
63902f4006851926902936f3d6469631d26cff517b92d2d938935b2057ee3936e67bf31d768809243812f35e5db55eef1f7899890e2b1c7934bab1597b93f040

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat

Filesize
225B

MD5
f0c605a752980e57f74bfad414396f89

SHA1
265b5c337110492130507fdea762c7c6f2b508bb

SHA256
78edc5dc8db1ce62e58638883bb3920b0fb64f589a5f1a2e7f6662e2f9e53d15

SHA512
79e58763a73d17ad1e6657c1c0cc33411180680849882f46e4f397f03c6e427f1826566794b740779c61e59c384c287d63952588198c2f52cce5600d3b9df819

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC6FC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
225B

MD5
16ce1de46e43ee20621850ca97e3b33e

SHA1
046d7ee2e5161658f44db6a8a3bf837f55854a67

SHA256
118933f72f6222e22faaa07e70e270e61774c6b2490680cbd781260ac0d91fda

SHA512
1d9ced6eccaacdaae39b73fe201070d62955290fe301335daa4ed096ab76547826394d406d166d35644e84d849a6ab994fb4b306f965cfacbe7ecbcf3872a748

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat

Filesize
225B

MD5
f7bbeff8e5bcc4f1440ad57688276732

SHA1
266903b02abc70167a49cdcec0dce1757963ce85

SHA256
36843765bfe0256b6360703b2450f01e6330d2296e349be80ecee35a1a2be48e

SHA512
2fa62374bde87977fd4a27587d142fbcfa09714bb83f9c7a10e280fec0fa9e8d630e57567bf3c67702c2efc4d19cd9b73c79924e63b2e2e4930479b46a6cf519

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat

Filesize
225B

MD5
00e06f969f02f0d803f348919c7f2d93

SHA1
b5c515872846bf581bbda5b7b9752a0216e36e84

SHA256
2ccc84bcd31e248375ff918be5c44016b6fc8268547ed93a0a21037abcec4fdd

SHA512
948a242715544e8aa71518199a2fe650bbe16d1ae68d0f7812bbcd987d435e608d1251a72fa4858fa5acdb4edd6609ce54894d5017834f5c29c7a5cdd25bba45

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

Filesize
225B

MD5
2edcdda0ead84fc09fae189aad90ecdc

SHA1
7004e9e0e1f1fd20af19a94bbf132d476fd09e77

SHA256
7adb7c296119d5d865ccd2bb3c2b618796c432243ed9c47f3afdefa7b625a8bb

SHA512
9996351c578e7e5d0b28cab4ac4af604487ac03d774792cff4cb22cdbab2fbbce2e1e6f7b557c00e11a1ac8b1fbfbf2b1a7295cda2e246dd7e3fafd7591e86dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXtY4PgZvo.bat

Filesize
225B

MD5
64fd6ab0263d16e73ef33f7576192b44

SHA1
8fbc817ad0973acb48b1cbfafe0a157c30e2d3c9

SHA256
13998f162eb24d0f1d0bbe5ff7d0fea55cb5a72bb5b7b32b15a9d26e222d0457

SHA512
6a77139c096e2efdc575d1224b58571cc6d6bdc314dde674092f4b30753298a0ffe51d3f805cb1cad4dfae04334983f678bda80bcf94315bca3e53374452c938

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
25af0a571c18f0d078640422836778c2

SHA1
0c2372db9293cd1091bdaa551c44c8b6b0f24e9e

SHA256
db05ca9dc75849294eb430a871132aa6cb07cb17b9033c18e1c5822a7bd2dd97

SHA512
7f2de54e624ee821a7fccfca7a01e936921d0ceeb1f6ceb62c37915c087de4352a190bb1ef1d081f0a628c8e7a5f9977a908e0e91b738367f19bc6a6d251d98f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/880-399-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/880-400-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/944-640-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/1892-339-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2248-206-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2248-190-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2292-580-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2364-520-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/2476-700-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/2476-701-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2548-220-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2600-760-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2600-761-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2788-15-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/2788-16-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2788-14-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/2788-13-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2788-17-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/2808-61-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2808-66-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2860-460-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2924-146-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2932-279-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download