dcrat | 9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb.exe
Size

1.3MB
MD5

bf0eeb306f7e171fee610d81fc069957
SHA1

f1404bc5f38295145f581ca1533b1a60d3700cbe
SHA256

9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb
SHA512

5949ffa3c95fd416da28f2c1ecbaa731fa2cdf84e56be0465b4889c20ef02aa5bce7930b8780f80e3e951f22d4587fc398042dbe54244eff19f713cc62d991ed
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2892	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c51-12.dat	dcrat
behavioral1/memory/2760-13-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/1120-55-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/1992-191-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1188-250-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/764-369-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/936-429-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1912	powershell.exe
1084	powershell.exe
1544	powershell.exe
1688	powershell.exe
2008	powershell.exe
1456	powershell.exe
1604	powershell.exe
648	powershell.exe
2596	powershell.exe
2008	powershell.exe
476	powershell.exe
1600	powershell.exe
1660	powershell.exe
1524	powershell.exe
2668	powershell.exe
1912	powershell.exe
380	powershell.exe
980	powershell.exe
904	powershell.exe
2284	powershell.exe
3048	powershell.exe
2800	powershell.exe
1780	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2760	DllCommonsvc.exe
1120	DllCommonsvc.exe
1992	WmiPrvSE.exe
1188	WmiPrvSE.exe
900	WmiPrvSE.exe
764	WmiPrvSE.exe
936	WmiPrvSE.exe
2704	WmiPrvSE.exe
800	WmiPrvSE.exe
2672	WmiPrvSE.exe
668	WmiPrvSE.exe
2328	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2472	cmd.exe
2472	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
38	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\cc11b995f2a76d	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\rescache\rc0004\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Windows\rescache\rc0004\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
3052	schtasks.exe
1684	schtasks.exe
2592	schtasks.exe
1824	schtasks.exe
1380	schtasks.exe
3008	schtasks.exe
1332	schtasks.exe
2264	schtasks.exe
2508	schtasks.exe
2576	schtasks.exe
2720	schtasks.exe
2672	schtasks.exe
2544	schtasks.exe
1108	schtasks.exe
2136	schtasks.exe
1504	schtasks.exe
1692	schtasks.exe
800	schtasks.exe
2780	schtasks.exe
2740	schtasks.exe
2552	schtasks.exe
2584	schtasks.exe
2616	schtasks.exe
764	schtasks.exe
1520	schtasks.exe
1996	schtasks.exe
2804	schtasks.exe
1608	schtasks.exe
2920	schtasks.exe
2748	schtasks.exe
2280	schtasks.exe
880	schtasks.exe
2856	schtasks.exe
2160	schtasks.exe
2192	schtasks.exe
2488	schtasks.exe
2260	schtasks.exe
492	schtasks.exe
772	schtasks.exe
2656	schtasks.exe
1624	schtasks.exe
2104	schtasks.exe
2872	schtasks.exe
1704	schtasks.exe
1900	schtasks.exe
1592	schtasks.exe
2556	schtasks.exe
1544	schtasks.exe
1904	schtasks.exe
1928	schtasks.exe
1852	schtasks.exe
352	schtasks.exe
1900	schtasks.exe
752	schtasks.exe
2300	schtasks.exe
2724	schtasks.exe
1500	schtasks.exe
1044	schtasks.exe
1596	schtasks.exe
2240	schtasks.exe
2692	schtasks.exe
3012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
1544	powershell.exe
1688	powershell.exe
2008	powershell.exe
476	powershell.exe
1912	powershell.exe
1120	DllCommonsvc.exe
1120	DllCommonsvc.exe
1120	DllCommonsvc.exe
1120	DllCommonsvc.exe
1120	DllCommonsvc.exe
1120	DllCommonsvc.exe
1120	DllCommonsvc.exe
904	powershell.exe
2668	powershell.exe
648	powershell.exe
1600	powershell.exe
2284	powershell.exe
2596	powershell.exe
2800	powershell.exe
980	powershell.exe
2008	powershell.exe
3048	powershell.exe
1780	powershell.exe
1604	powershell.exe
1912	powershell.exe
1456	powershell.exe
1660	powershell.exe
1524	powershell.exe
380	powershell.exe
1084	powershell.exe
1992	WmiPrvSE.exe
1188	WmiPrvSE.exe
900	WmiPrvSE.exe
764	WmiPrvSE.exe
936	WmiPrvSE.exe
2704	WmiPrvSE.exe
800	WmiPrvSE.exe
2672	WmiPrvSE.exe
668	WmiPrvSE.exe
2328	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	DllCommonsvc.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	476	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1120	DllCommonsvc.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1992	WmiPrvSE.exe
Token: SeDebugPrivilege	1188	WmiPrvSE.exe
Token: SeDebugPrivilege	900	WmiPrvSE.exe
Token: SeDebugPrivilege	764	WmiPrvSE.exe
Token: SeDebugPrivilege	936	WmiPrvSE.exe
Token: SeDebugPrivilege	2704	WmiPrvSE.exe
Token: SeDebugPrivilege	800	WmiPrvSE.exe
Token: SeDebugPrivilege	2672	WmiPrvSE.exe
Token: SeDebugPrivilege	668	WmiPrvSE.exe
Token: SeDebugPrivilege	2328	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2104	2272	JaffaCakes118_9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb.exe	30
PID 2272 wrote to memory of 2104	2272	JaffaCakes118_9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb.exe	30
PID 2272 wrote to memory of 2104	2272	JaffaCakes118_9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb.exe	30
PID 2272 wrote to memory of 2104	2272	JaffaCakes118_9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb.exe	30
PID 2104 wrote to memory of 2472	2104	WScript.exe	31
PID 2104 wrote to memory of 2472	2104	WScript.exe	31
PID 2104 wrote to memory of 2472	2104	WScript.exe	31
PID 2104 wrote to memory of 2472	2104	WScript.exe	31
PID 2472 wrote to memory of 2760	2472	cmd.exe	33
PID 2472 wrote to memory of 2760	2472	cmd.exe	33
PID 2472 wrote to memory of 2760	2472	cmd.exe	33
PID 2472 wrote to memory of 2760	2472	cmd.exe	33
PID 2760 wrote to memory of 1544	2760	DllCommonsvc.exe	47
PID 2760 wrote to memory of 1544	2760	DllCommonsvc.exe	47
PID 2760 wrote to memory of 1544	2760	DllCommonsvc.exe	47
PID 2760 wrote to memory of 1912	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 1912	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 1912	2760	DllCommonsvc.exe	48
PID 2760 wrote to memory of 2008	2760	DllCommonsvc.exe	49
PID 2760 wrote to memory of 2008	2760	DllCommonsvc.exe	49
PID 2760 wrote to memory of 2008	2760	DllCommonsvc.exe	49
PID 2760 wrote to memory of 476	2760	DllCommonsvc.exe	50
PID 2760 wrote to memory of 476	2760	DllCommonsvc.exe	50
PID 2760 wrote to memory of 476	2760	DllCommonsvc.exe	50
PID 2760 wrote to memory of 1688	2760	DllCommonsvc.exe	51
PID 2760 wrote to memory of 1688	2760	DllCommonsvc.exe	51
PID 2760 wrote to memory of 1688	2760	DllCommonsvc.exe	51
PID 2760 wrote to memory of 296	2760	DllCommonsvc.exe	55
PID 2760 wrote to memory of 296	2760	DllCommonsvc.exe	55
PID 2760 wrote to memory of 296	2760	DllCommonsvc.exe	55
PID 296 wrote to memory of 1708	296	cmd.exe	59
PID 296 wrote to memory of 1708	296	cmd.exe	59
PID 296 wrote to memory of 1708	296	cmd.exe	59
PID 296 wrote to memory of 1120	296	cmd.exe	60
PID 296 wrote to memory of 1120	296	cmd.exe	60
PID 296 wrote to memory of 1120	296	cmd.exe	60
PID 1120 wrote to memory of 2008	1120	DllCommonsvc.exe	113
PID 1120 wrote to memory of 2008	1120	DllCommonsvc.exe	113
PID 1120 wrote to memory of 2008	1120	DllCommonsvc.exe	113
PID 1120 wrote to memory of 2596	1120	DllCommonsvc.exe	114
PID 1120 wrote to memory of 2596	1120	DllCommonsvc.exe	114
PID 1120 wrote to memory of 2596	1120	DllCommonsvc.exe	114
PID 1120 wrote to memory of 980	1120	DllCommonsvc.exe	115
PID 1120 wrote to memory of 980	1120	DllCommonsvc.exe	115
PID 1120 wrote to memory of 980	1120	DllCommonsvc.exe	115
PID 1120 wrote to memory of 2668	1120	DllCommonsvc.exe	117
PID 1120 wrote to memory of 2668	1120	DllCommonsvc.exe	117
PID 1120 wrote to memory of 2668	1120	DllCommonsvc.exe	117
PID 1120 wrote to memory of 1780	1120	DllCommonsvc.exe	120
PID 1120 wrote to memory of 1780	1120	DllCommonsvc.exe	120
PID 1120 wrote to memory of 1780	1120	DllCommonsvc.exe	120
PID 1120 wrote to memory of 904	1120	DllCommonsvc.exe	121
PID 1120 wrote to memory of 904	1120	DllCommonsvc.exe	121
PID 1120 wrote to memory of 904	1120	DllCommonsvc.exe	121
PID 1120 wrote to memory of 2800	1120	DllCommonsvc.exe	122
PID 1120 wrote to memory of 2800	1120	DllCommonsvc.exe	122
PID 1120 wrote to memory of 2800	1120	DllCommonsvc.exe	122
PID 1120 wrote to memory of 1600	1120	DllCommonsvc.exe	123
PID 1120 wrote to memory of 1600	1120	DllCommonsvc.exe	123
PID 1120 wrote to memory of 1600	1120	DllCommonsvc.exe	123
PID 1120 wrote to memory of 1524	1120	DllCommonsvc.exe	124
PID 1120 wrote to memory of 1524	1120	DllCommonsvc.exe	124
PID 1120 wrote to memory of 1524	1120	DllCommonsvc.exe	124
PID 1120 wrote to memory of 1084	1120	DllCommonsvc.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9006075d4de35f7ece0891fe727df96533272aa6469f42df61eef9432f73eadb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\osTEYHsKjF.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:296
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1708
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\db\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELdbiYlizz.bat"
        7⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1616
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat"
        9⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1380
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
        11⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2420
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
        13⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2612
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
        15⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1988
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
        17⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:448
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
        19⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:972
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        21⤵
        
        PID:1228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:280
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        23⤵
        
        PID:1448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2888
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
        25⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2676
        
        C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe
        
        "C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        27⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Application Data\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Roaming\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Roaming\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\ShellBrd\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b160f887fcc9a1bef7a388543807293

SHA1
a940a9407d3f7ffed10ec76510d45fa33883f062

SHA256
0410b28eadef3af9183f42006c298165c949029b3ac3c95d4d8bb4cb776ebde6

SHA512
4ac3d048df3c6c2a2afd913366187136cc70d59522945c6252fca0a58538ba61d3a98b22131e4bad9f0e5f1cc489b31bf45a6943189bcaf55c48d10588b8a609

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
742dbea0949b678124e8426e9c236acf

SHA1
43d666485d3b7c41f687e6d92b8973ae3330103b

SHA256
dbd70ff9ac716fbb25ea412b551c0ce8cca8e57064244b211891d513b01ec74c

SHA512
fc218687dac27167bf29c1ce88625693810f608efca18d4d93f0f41a976dc836e5d636e72d0ec3ed91e260665b1798e054c009983d3b0e2f8c46de352751656b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7226cd81d5d7c7be87c04a834d343286

SHA1
4b6caeba3e3572447c90dc25608d739093a3e92f

SHA256
89041936f9cc9e678a2021c8d1aab5dd6b0d7a283d3d44ab01663f3a761c9c1f

SHA512
f45b0284648230cd746abf1b166b1b2bb8d548ac99ea47238cf034700cf8a364dd380c69a1795f591c1dcd1375fc694053c0e19aa2643471157d8adb88f8c351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb64a5dd54e63dbceb4e7d4a88c5f032

SHA1
dfb6e25cb470d2de18bed5a23f42dddb8d34c710

SHA256
e360ad92f122e2bc4e950bd576258925161e19fc57bec330e5575cf58a3719fc

SHA512
16ce9a28b2ff86db7ca67fb8b62212e35d61d2bfac6bd945ef46aee4f5ec412a498a9871a3745be77395f60610b157f22939095d474346acf7e765dd0f636bce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8de6e319a5e66c8e1d6427393a6614d7

SHA1
b3418d374c0d3fadaf30d8b80537d6c45833255d

SHA256
398ba3ca8688c19fe5f9055d918dcc070b345a5060f6e5cdeee119eb1107fcc4

SHA512
e673559d77c46811a6318c3a4a750b57544de8d45f74b24d3e79dd116d9ba00de024d0147c917a9c330527019b6a161349be3d79ea1505aa4aaa3bc79e23465b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e091d4df37e5a405fbf777748279e790

SHA1
4b8340f1684a3ba50da772dd192482c586d13a99

SHA256
0a7c5e371b0b8bb42319197d3ae064d7969fd4fa856e45678b74d57132b8e65a

SHA512
770e25e4cb2384b7dd190a65f3d147b66a511b329d737136ec92a054b541c03c52058317aeef6a3b9cad2d80d9af14c267e8945a9a9daedf47177adbafd03d60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
181eb0aee18e4c261ab3de20e07bac8c

SHA1
7386b20e2a4bc863840955894bbedae63e69c5a6

SHA256
2f07589bc18b53ba99504f9d92839cd3fde8b57608e4ce1986617a4f3b12cc27

SHA512
e8baf2926474f4347e393f082eb82f8d8556a1f218795fd7813387d10b8162d495e258ab3633134bd32e38b48662d3ae205093d77eaf1719fae0ea8c7a072c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
048967c31a9f25f42dcdd433bebdcf47

SHA1
48b72e13b6a52da7f910d93bb1e8c288d9a351a9

SHA256
a5af5f4a1cc5ffa5101a2db8e7f6a448ff97acf7d4f56d170513c32d032371ee

SHA512
64caedc5237c8a257000c4d75d66560e3ee878615c9202074eaacbf57f589b452d7977c7ca7f1a67d19aec8f32307a77d8de38f93106379f12a83483daf6d08d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1220240630f1171f9e622f1b9d97c1f

SHA1
4cb7fb474c275349a2eafcf476f8d959624f317e

SHA256
8f7c62bcb1c824245908976fe9c3773c9622d25a030b0735eace5b0ed5744e8f

SHA512
1d4163211e3a77b8d71aa6b3f129b49763299a7b19ea1621c6ed4dd697aa9d7dd311d59e3e9a1d9c4e27d5cb340a2e914a5fabfbaef9fc68701cdbe989f42d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat

Filesize
210B

MD5
14132c024584898e9ace5da646b85543

SHA1
13c0a4b39b67351bcfe3c5eeac92a5b65639af4d

SHA256
7f3fa2fc81e3b3c5a2f73a19d33b70137cdfe04985f34a2e8898ec997b589b5f

SHA512
8a5ead8b85ef0384be5c2b6309b099aab83e2334fb1bd1dab38aea09ab3cf17fd00593e1ba0d528471ef04aff1082c3aa3b10c71796df0bd7232636d5b3360e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
210B

MD5
88894e680709bf0e3d9d6273174b8900

SHA1
8ddd9a7578c078c1cb23c821adc33984224a0074

SHA256
3dce3ca9c7259445fe4881fbbe8ce82d49ff17a66cb15b4e7b18c05e42e2f960

SHA512
8fe793f06237496ee7752abd6b32bceb03044895fc2e3a1bca20bab888b195fa917a9151adf5bf47542e7303a04e0637e9d2c732bee1bfe3f6e199f8cd1715ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
210B

MD5
4ba98df70a1bec2bc3751e3fc22d3367

SHA1
2aef573576d916767cdff40c819c31921236d4c5

SHA256
68368f875b823dde9e0589937c5299eb9eda82d25574d18fffa0081a0fe7433f

SHA512
e55a769e62b28d40751abc491ac84cafaa9d1edf975a40155ae00314389ccbfb9d4d7d256b8992cf27b776cf7d02e82e42a3037a6c8f70fde8b5071d2de99d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat

Filesize
210B

MD5
6049c04de7cd5bedf6c6aee8e66f4893

SHA1
61824473c40fbbbdeadea67d9a2b415dd9c765d7

SHA256
4ee9faad613edaa3a4318e63dc70e158db8a42f636b66bd13da6b359cc4ee5d8

SHA512
11df7c08816cdc5764cd98434e213ff1362bea465d1ca1f84bc20ebdcd60aaa08ded39bc22bf86be01c19869b73c9f355898550113128b1f8321da96ca6a68e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
210B

MD5
e39c38dafa95fe3248c3c35c659788c7

SHA1
d59267badab60b25e16982ef969c0d8e129bee24

SHA256
d7f0680d17763e5a0cdc2e8f0e8358900b68001fae30006518145705479f4b0b

SHA512
66f6a63786e5ade26435c3ff835ad6fa044c24579c271281072e7a8b50a5a508d7fb6d306dedabbaa9ac5abdb998bc5a9330483c3421efe7c89fbf4d64a92739

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

Filesize
210B

MD5
7c0777bb0f5505ca63750443411f7208

SHA1
5f159d585e4a8598382b52bf3ae6c3a70b27e2d9

SHA256
7216e4b9169d185e85d1c25dba6d4e4350584851c0c6d8a1aab36bd567279389

SHA512
209f7cfef17224b540d8516e18764fc7a27877fa3e6989197d79e49d316c0c2462d68249b02491ac4c977e618b6f0f1f73972b02ff19d9cc61a91a1c0f860ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6FE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELdbiYlizz.bat

Filesize
210B

MD5
6ef826639ca1ad86caee868314ded154

SHA1
b83e65d35efe36c2370c5b79f23c177699a98cf0

SHA256
651d034fd26167a1b3070a9ad449ef2a5c5e37b871077cd53ac3533a74a9ca21

SHA512
dc96b115b25e01b4b1b679c76fbf77e060c883b736f872f6a0a13791111e620537418e065418ea03557e6c22c9f817150c0b82967a86a5d9c592944111fa38a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat

Filesize
210B

MD5
e05fbec002235b7c5a6c85b72a3f6c90

SHA1
664a1fbc409e919c1b9006c95596f2944012b966

SHA256
a4a12295483286e7a67a29170aaf8895d07f27c487bcf4cb01562e31ad623729

SHA512
3c2beac931c4c289a78637a8e5a7badf443137c18c32be10a6c3bc5bee4312a652ecce7a9c1d559338b9b0b8cbd474ebeb4f4300fb24c518f2dee5b6c1b400f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

Filesize
210B

MD5
183b1b63e1f63ea52f7eaabdc1a43885

SHA1
04a848b9c9325603f92288b0bd884362f7222700

SHA256
35f056556968b4501ded056b0c4f9383cbcf856badc809766cfda16ede8c41d7

SHA512
fbe41fcd51fabdb13f3a6c0c316b70a027c0497c75d150b8cbda58cb491e1d031ace0c1c0dc0d31e3504ded9e169d770c0d0265f00323bd2d3b5750b3d491fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

Filesize
210B

MD5
dbc7aa39579dfb3ea7d67d27ea0290f3

SHA1
e786bb79c64f6d9bd05d473f9784a5874e80e823

SHA256
d0eea156e72192e636a76294bfca03470acd8e8867cd34537edb1dda2c15350d

SHA512
e3bd2b289872b8ed00d306e9585d28b7b141dee70d0d882d718af5e25bc8621a1200bf81dc83a4cfb2523ce34671e86d69e4225619e59b7268b6aa864b61d3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF730.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\osTEYHsKjF.bat

Filesize
199B

MD5
07948ba4883336cda0393ead7a964da7

SHA1
585f2d08e7a51fe029acdf10e5148196b803e91b

SHA256
c8c78727c6aa9c8bb69904c1493775587d0df4cc99c8306d1d1d357f46ac9a66

SHA512
85ec4cc3e94ab4f50860dc55e3767b8800123d6f7b7204c96247e0b64c7316aa249f6b9d545c1f9e176b6f237c135d21dac45d13425a5c03ee33758d62f3dc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat

Filesize
210B

MD5
69799266f5710d7f917b6325de516aba

SHA1
de02c96d4cc4127261ee54a219ceaac5ad80ff1d

SHA256
bfd90cf1776172f476c964df230caaf7fc5557b5052da02b64c5f2ad9bf3f801

SHA512
7752a1a8e6129f946c8687dff044721ea1df1c3cb40efc70211110f7be16b1faa5473bb71ee97ee66c8bb36e4bdb7954a6e32ef0a722d1bb4cfa01a2bfc391e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
defe3d9e3abe0b36916f266ee757644d

SHA1
d07f3dea2c56a89060ad33fa592e23a376382286

SHA256
73ebd9575535efc120b86561bd7610c69c3aad628213cfef557ab88f4a1f4abd

SHA512
7c5b8ec2ce4c6e3a913d714818d86159a7f3fad67efb0ae08947b22f021b4a8f42a8d70f232ef918afc14ba2c3683d4be625ea1d9554301cf8056395aac01400

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/764-369-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/904-108-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/904-100-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/936-429-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/936-430-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/1120-56-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/1120-55-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/1188-250-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/1544-53-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1992-191-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2008-47-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2672-608-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2760-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2760-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2760-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2760-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2760-13-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download