dcrat | d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24.exe
Size

1.3MB
MD5

a81284a91e939965416ed12c94135159
SHA1

bef5a065da8c8070bc7af3c291d79962dfbc664a
SHA256

d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24
SHA512

4fc324cecacb54cffbf4abd866ddb557198ba04291441a5c3f1c049fef40b3315a21b60b28289e5a8167e9d04141f0ac88737e3f7c8f2738e840e6f67173a182
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2748	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d19-11.dat	dcrat
behavioral1/memory/2256-13-0x0000000000B10000-0x0000000000C20000-memory.dmp	dcrat
behavioral1/memory/1240-79-0x0000000001020000-0x0000000001130000-memory.dmp	dcrat
behavioral1/memory/1804-281-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/2944-342-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/884-403-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/2720-463-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/memory/2352-523-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2828-642-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2364-702-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/1892-762-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2736	powershell.exe
2820	powershell.exe
2348	powershell.exe
2800	powershell.exe
2192	powershell.exe
2940	powershell.exe
2068	powershell.exe
1788	powershell.exe
2452	powershell.exe
1696	powershell.exe
1320	powershell.exe
2364	powershell.exe
1924	powershell.exe
812	powershell.exe
288	powershell.exe
2928	powershell.exe
2816	powershell.exe
1616	powershell.exe
2808	powershell.exe
2604	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2256	DllCommonsvc.exe
1240	sppsvc.exe
2532	sppsvc.exe
1804	sppsvc.exe
2944	sppsvc.exe
884	sppsvc.exe
2720	sppsvc.exe
2352	sppsvc.exe
2108	sppsvc.exe
2828	sppsvc.exe
2364	sppsvc.exe
1892	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2908	cmd.exe
2908	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
38	raw.githubusercontent.com
22	raw.githubusercontent.com
35	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\es-ES\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\es-ES\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\75a57c1bdf437c	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\PLA\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\ShellNew\conhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2648	schtasks.exe
2856	schtasks.exe
2356	schtasks.exe
2068	schtasks.exe
808	schtasks.exe
1900	schtasks.exe
968	schtasks.exe
340	schtasks.exe
1836	schtasks.exe
2640	schtasks.exe
1568	schtasks.exe
2984	schtasks.exe
1984	schtasks.exe
2188	schtasks.exe
2016	schtasks.exe
816	schtasks.exe
904	schtasks.exe
892	schtasks.exe
2616	schtasks.exe
2084	schtasks.exe
1720	schtasks.exe
1676	schtasks.exe
2040	schtasks.exe
964	schtasks.exe
2720	schtasks.exe
2272	schtasks.exe
2996	schtasks.exe
1340	schtasks.exe
2560	schtasks.exe
2224	schtasks.exe
1808	schtasks.exe
320	schtasks.exe
1620	schtasks.exe
1048	schtasks.exe
992	schtasks.exe
2128	schtasks.exe
2768	schtasks.exe
2812	schtasks.exe
1380	schtasks.exe
2216	schtasks.exe
2104	schtasks.exe
2816	schtasks.exe
3000	schtasks.exe
1936	schtasks.exe
2872	schtasks.exe
2800	schtasks.exe
1764	schtasks.exe
2220	schtasks.exe
2552	schtasks.exe
2728	schtasks.exe
1600	schtasks.exe
1708	schtasks.exe
2176	schtasks.exe
2792	schtasks.exe
2328	schtasks.exe
2064	schtasks.exe
1848	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
2532	sppsvc.exe
1804	sppsvc.exe
2944	sppsvc.exe
884	sppsvc.exe
2720	sppsvc.exe
2352	sppsvc.exe
2108	sppsvc.exe
2828	sppsvc.exe
2364	sppsvc.exe
1892	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2452	powershell.exe
2736	powershell.exe
2068	powershell.exe
2348	powershell.exe
812	powershell.exe
2820	powershell.exe
2808	powershell.exe
1924	powershell.exe
2192	powershell.exe
1788	powershell.exe
1616	powershell.exe
2940	powershell.exe
2800	powershell.exe
288	powershell.exe
2364	powershell.exe
1320	powershell.exe
2928	powershell.exe
2604	powershell.exe
1696	powershell.exe
2816	powershell.exe
1240	sppsvc.exe
2532	sppsvc.exe
1804	sppsvc.exe
2944	sppsvc.exe
884	sppsvc.exe
2720	sppsvc.exe
2352	sppsvc.exe
2108	sppsvc.exe
2828	sppsvc.exe
2364	sppsvc.exe
1892	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	DllCommonsvc.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1240	sppsvc.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2532	sppsvc.exe
Token: SeDebugPrivilege	1804	sppsvc.exe
Token: SeDebugPrivilege	2944	sppsvc.exe
Token: SeDebugPrivilege	884	sppsvc.exe
Token: SeDebugPrivilege	2720	sppsvc.exe
Token: SeDebugPrivilege	2352	sppsvc.exe
Token: SeDebugPrivilege	2108	sppsvc.exe
Token: SeDebugPrivilege	2828	sppsvc.exe
Token: SeDebugPrivilege	2364	sppsvc.exe
Token: SeDebugPrivilege	1892	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1480	1836	JaffaCakes118_d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24.exe	30
PID 1836 wrote to memory of 1480	1836	JaffaCakes118_d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24.exe	30
PID 1836 wrote to memory of 1480	1836	JaffaCakes118_d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24.exe	30
PID 1836 wrote to memory of 1480	1836	JaffaCakes118_d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24.exe	30
PID 1480 wrote to memory of 2908	1480	WScript.exe	32
PID 1480 wrote to memory of 2908	1480	WScript.exe	32
PID 1480 wrote to memory of 2908	1480	WScript.exe	32
PID 1480 wrote to memory of 2908	1480	WScript.exe	32
PID 2908 wrote to memory of 2256	2908	cmd.exe	34
PID 2908 wrote to memory of 2256	2908	cmd.exe	34
PID 2908 wrote to memory of 2256	2908	cmd.exe	34
PID 2908 wrote to memory of 2256	2908	cmd.exe	34
PID 2256 wrote to memory of 2736	2256	DllCommonsvc.exe	93
PID 2256 wrote to memory of 2736	2256	DllCommonsvc.exe	93
PID 2256 wrote to memory of 2736	2256	DllCommonsvc.exe	93
PID 2256 wrote to memory of 2452	2256	DllCommonsvc.exe	94
PID 2256 wrote to memory of 2452	2256	DllCommonsvc.exe	94
PID 2256 wrote to memory of 2452	2256	DllCommonsvc.exe	94
PID 2256 wrote to memory of 1924	2256	DllCommonsvc.exe	96
PID 2256 wrote to memory of 1924	2256	DllCommonsvc.exe	96
PID 2256 wrote to memory of 1924	2256	DllCommonsvc.exe	96
PID 2256 wrote to memory of 1788	2256	DllCommonsvc.exe	98
PID 2256 wrote to memory of 1788	2256	DllCommonsvc.exe	98
PID 2256 wrote to memory of 1788	2256	DllCommonsvc.exe	98
PID 2256 wrote to memory of 288	2256	DllCommonsvc.exe	99
PID 2256 wrote to memory of 288	2256	DllCommonsvc.exe	99
PID 2256 wrote to memory of 288	2256	DllCommonsvc.exe	99
PID 2256 wrote to memory of 2192	2256	DllCommonsvc.exe	100
PID 2256 wrote to memory of 2192	2256	DllCommonsvc.exe	100
PID 2256 wrote to memory of 2192	2256	DllCommonsvc.exe	100
PID 2256 wrote to memory of 2068	2256	DllCommonsvc.exe	101
PID 2256 wrote to memory of 2068	2256	DllCommonsvc.exe	101
PID 2256 wrote to memory of 2068	2256	DllCommonsvc.exe	101
PID 2256 wrote to memory of 812	2256	DllCommonsvc.exe	102
PID 2256 wrote to memory of 812	2256	DllCommonsvc.exe	102
PID 2256 wrote to memory of 812	2256	DllCommonsvc.exe	102
PID 2256 wrote to memory of 2928	2256	DllCommonsvc.exe	103
PID 2256 wrote to memory of 2928	2256	DllCommonsvc.exe	103
PID 2256 wrote to memory of 2928	2256	DllCommonsvc.exe	103
PID 2256 wrote to memory of 2940	2256	DllCommonsvc.exe	104
PID 2256 wrote to memory of 2940	2256	DllCommonsvc.exe	104
PID 2256 wrote to memory of 2940	2256	DllCommonsvc.exe	104
PID 2256 wrote to memory of 2800	2256	DllCommonsvc.exe	105
PID 2256 wrote to memory of 2800	2256	DllCommonsvc.exe	105
PID 2256 wrote to memory of 2800	2256	DllCommonsvc.exe	105
PID 2256 wrote to memory of 1696	2256	DllCommonsvc.exe	107
PID 2256 wrote to memory of 1696	2256	DllCommonsvc.exe	107
PID 2256 wrote to memory of 1696	2256	DllCommonsvc.exe	107
PID 2256 wrote to memory of 2364	2256	DllCommonsvc.exe	109
PID 2256 wrote to memory of 2364	2256	DllCommonsvc.exe	109
PID 2256 wrote to memory of 2364	2256	DllCommonsvc.exe	109
PID 2256 wrote to memory of 2604	2256	DllCommonsvc.exe	112
PID 2256 wrote to memory of 2604	2256	DllCommonsvc.exe	112
PID 2256 wrote to memory of 2604	2256	DllCommonsvc.exe	112
PID 2256 wrote to memory of 1320	2256	DllCommonsvc.exe	114
PID 2256 wrote to memory of 1320	2256	DllCommonsvc.exe	114
PID 2256 wrote to memory of 1320	2256	DllCommonsvc.exe	114
PID 2256 wrote to memory of 2808	2256	DllCommonsvc.exe	116
PID 2256 wrote to memory of 2808	2256	DllCommonsvc.exe	116
PID 2256 wrote to memory of 2808	2256	DllCommonsvc.exe	116
PID 2256 wrote to memory of 1616	2256	DllCommonsvc.exe	118
PID 2256 wrote to memory of 1616	2256	DllCommonsvc.exe	118
PID 2256 wrote to memory of 1616	2256	DllCommonsvc.exe	118
PID 2256 wrote to memory of 2348	2256	DllCommonsvc.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d56fa92a41101885dcb1337fe1d0cf73b81f6c348a7878bd6f6e449e37b82a24.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
        6⤵
        
        PID:1140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2672
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
        8⤵
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1776
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        10⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1936
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
        12⤵
        
        PID:692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2648
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        14⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2532
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
        16⤵
        
        PID:1352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2324
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
        18⤵
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1240
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
        20⤵
        
        PID:1816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2512
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        22⤵
        
        PID:992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2604
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
        24⤵
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2388
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
        26⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Favorites\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellNew\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PLA\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
273a9234ff880e8934c8a256d7691f78

SHA1
4346b6df9d93307fbdba2225e84ab3b332a402bc

SHA256
26e3147b82fdead8b43141d843c1d5a653a7f8a37c9513e9c618364e3e41422a

SHA512
472900b22f3391f4be0e1af7352173bb16beea616413366aaea1a8ea60e699c5b7a8272835b79019edd3cdf3612096776afd468c9cf7edf1dfb45d41018c762f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a4aae4ff5c09b0f1cfc7126d3796abd

SHA1
d4d1e2c3ba95c2b3741b2e62733a0584d205674f

SHA256
5d6e8e00b9ffee615bff2811d36cc5223dc5a6376ac59fb6f82cadbdb27ae1c2

SHA512
e277a62131bca2dc2dd21b8051401e1e82fbf5dfce2f8947d044482d9e484b795605772d64aa3a2ff39dedf163f7c797cc1fd53c6c366baa1c7ef380e0608d7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c29391ff6e9caabc41c03a9fdfbcdc70

SHA1
59f05864e0d658b1d63e8a753923e3e203d70195

SHA256
a66b49d3ea1cd438031033195a941ba28dbaa53c0a789fc4237f7dd578188c01

SHA512
e9bf1f0c539bdfe2184ea33891e58b89d8702f716461bcf10d655379876fd75047bc3f43a3bcdd9b1b49bb5ae256e048e784d14bb466dca12754c8bd12dabf7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
846a07ff7eb85bb5c0c3099f8abdf48b

SHA1
c4ae7fe8269a964959bccc92ba87aca4c39dbd6f

SHA256
2a8f20c28c2c4da0581ac69e0e45989d7ebf423e3c2065d7462d3a704eabc9ee

SHA512
45ab68cb01176b50693facf84bb1ccff4327a61763d3e6d34f35f9dfb64a046ed47fd434daee472c15f9720d866cf8bc05d10bf87f64d468fa12508533fd6340

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a92fd15a74b248d82649267739e6dcb5

SHA1
fb0fd0fc6b55b26714771699c503952691b18f26

SHA256
77397ae3fb60a5c12c46400fa8d2b3df66e9d5e744b9db8d96f3a7ccc0eaf9fe

SHA512
aefeb8cf4306293dd6848bff7315630e0e36e9922da9162c3dda38dbc57d641050e325348df7d8d93331c4f5d31cae9e49a96c855582a31a48b98bef84dce847

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a81c367f160417c60e718342e3df7ea0

SHA1
a63c45e0a897582bf149956145ed2a38343faf5e

SHA256
665335076d232bee30921f1b43d0b24674375b230e4f711fb093b7c69e93db58

SHA512
550ac36ed937b8c7c27b6a9f1fdbeb252fec5ef230b2148f6451eb51d996090e36d465b3b5fcdaf7750ac825ab79a94530e22dca943f46587c906495128ad957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87ca85c9f11104c51b463ae9173032e4

SHA1
637d98cb93da7712facbece69274468c643d58b9

SHA256
9d9eeef62c4deb1b7d3474743a094b9c2a84231c29f8da67c0f66f40b27b67cd

SHA512
b4af5afded92feec401f2c874ecd3c6266b20ccbe490b1a5715cd7731269f6e1d098dc9ce203f9f826a51c1e807840015c0dbc710ea7f1921739a6fd15b8615d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d19ae6717133b8bcb86fb7a4086fb9b5

SHA1
1d5a6160790e09eb7479cf7f295d9359bed0f494

SHA256
2b5a2950139497269d1f4dd89ec67a13f2bd67a6af208eb2c821f09366a2240b

SHA512
485790938255184e74ff55e0792a215def490e716c94aa25165d9a9ce49525fe3e30cdbf2e9b986c1b04e5117a37bdd5ff9d1686ad9c3469c360a9c7f9f23189

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
945952d555baffd96bf4904bb3650503

SHA1
2bba55edd0ca64b58d638453b2b433b15a2b0db2

SHA256
6e056838ce2f1fea5146f257e0b96ad931016bf6cf3f8a212b34385a5f569355

SHA512
44dc4df10713e3a05d55682630df5fd9ac8ed515b30cb09d889af86f3dd9d2b9749a036e62c3d1c18d40a169dc1223916bfe43d7558e0a9572beac727b55ae39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36bcd6cf35c9a4f0bccc79c931253a89

SHA1
570a3bac762fe4f3bc48b6609c1980988a9179e6

SHA256
638e74d70ce5ff512d5f317c6f88a9c932f868efb68222d396f8b9fedd3f5ef8

SHA512
cc7f652601a37b8cf100600182aa60a102cce693b7d6dd5e757b894cb3e67a0d109bc5c49092a3c460c39c2f0e80c3e0023b0186865d5313f4af33d7d2322d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
224B

MD5
8b8336ce9922bfdff5ec9f0e8349d51e

SHA1
51ddaedead6d7b35c69041947de7a53587719995

SHA256
46cbfa28672cbb015fe723b258d924eace65ea42c46a2b00ac020e54d94cc20c

SHA512
33fd91f66a0c923ec068fcc0e4e0d6ed5996bc2da3dc4bfef626a53e3b0d49ad79f5f9a012e6c8a1d1cf8b9fab722ebc1ae6c8830f191c1084acbc32b52af7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab19E9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1A0B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat

Filesize
224B

MD5
14c6874e4017ea261b8bfc8d572679ba

SHA1
7f7a40f3afb5abdf0b992905954ac4a884de6f74

SHA256
1c55fcba6192d7b79828854ae287c3b077427e3b6ce4213939b8edf321db5c6d

SHA512
a7203dc9bc8e6d3f85b7eef5fdd4fd7bc488aba8eeb00a65b0bf3a6f29fb95308e4f570fd351ace476f80e19c093de61849e16c877ed800690029b78c1258cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

Filesize
224B

MD5
c8c0c72db4bc233b5a57329a0277e114

SHA1
9d436c5af3708c6513f640bc061e8dca189ecec5

SHA256
6499c289800f7e583a0e0c7c4b228e8e598749610ba34aa6a3284ea52b3f6c9d

SHA512
1fe3c218a9c8e17c701d35dd58fe593c4be6d46dec10e00765086e198b31e7de53ca649a88e9f14e6782bf90dc830bb944778390df3bd47f613bfd669888d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

Filesize
224B

MD5
30becc5a2ede74c2e57f5514908d839f

SHA1
c8e9b598b751fdec089471de5e4bb25fe14898aa

SHA256
354bcb391a18064668132af909de2cec75207af55bf99920037d234834c4d28b

SHA512
6806c3ede178636031944e9619b2856f39901ce98d47cf1df19e4153770805260fd8b64d92ef5c782da91c0af3d2112292eee1b11709110bd578f08f3b2150e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

Filesize
224B

MD5
eaa2b48c799bdd5ce34e29c1a03e0442

SHA1
530871df177522a3a2fd996b8283c10952a32748

SHA256
93fe2d38a75b3a03c9b6a8a2a74a50cfe998ec9a6a423ae90467e978b896b4a2

SHA512
d8338e4bcbef12161ea27dbdfa5242c5b91321e8c86d91df94f5ac318733227edd425a9133f170bf7158bca74a0bc13d30b77c2abd2f7056eb7b9a596fc23d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
224B

MD5
75ec09051405791c1d573a9a02fe0020

SHA1
22ca026ba1b45263e5737f96082407a2cdf16596

SHA256
fec55ee6fee301f9a63499a63f155e1536d264ffddddb67df955aa90e682f584

SHA512
d870836f2d54f852c9f9c9f0dd1168b393e317b60e1c46c42c62a65e2a696c33da8a69ea1fac724da72831a68c0a1ff4318614991a1857fefa15b75eb3447a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

Filesize
224B

MD5
afe1b91aff649b2dcff2e14bdf9ea045

SHA1
2196c3cceab073bde729e2dd820832cc173b2421

SHA256
3823a33d09646cf43f804264e68e224bd6d846c3d289c794290902ae4b6197a0

SHA512
4165888d539fa6ebf24026c113ab435637d5d56ad76fa6381bce235e36fe1b004fe340edf932b01c883461ed42d4a590858b75d83ede279b082b35553a27c557

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
224B

MD5
9e0cb491b420bddda5b0c9c2a361ed45

SHA1
2cda95c8a23ab5497ffb68841aca4e864b3ad608

SHA256
29f325a83a7f14058391dac8c629dc607293220f23514dcfd6ae7b472d23e6b1

SHA512
dd49507db4deb27e62cf52c6c4677215b959becd843e01b13fbae9641ad79fac3c42ed063fcb10a6dd35bd8da300c785b6517497a94d341d7367c1c17c7b241e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat

Filesize
224B

MD5
aa61a8e860261d21748636dd06d4772e

SHA1
30c152a8b25ac6fa3f73e536ad7ec6689d707cb9

SHA256
2f4e2f9a3f5f21b851ee30c61882ae48b1716fd58961a3e143c0f49bf4fa2867

SHA512
9525a5c1b38b103fec3fb258d7adf8ffb157ed759c30615c2d94617af28be65da1bd06fd9ed4820fb47bb88996599d047f717f8dcb18d8ff438fe6332b8fbd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat

Filesize
224B

MD5
afc9c844879e8e580966f6abf57bdc65

SHA1
8fed26139c59b208c764496e9149b8ef15e7ddf2

SHA256
707f44cfcf84b32b0f48d981ed1ceda449092fe6325711efaaeea542509f363a

SHA512
00fbcb0ef8f5011fc30e42eeaa672c99c92ae3275f1d59ecf4badc48f7975504557017adaccfaa3fe8dbfbead40e3e72f9e507a945675bda74f5c33d2cf89f41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ede0f690de2cba754f1fd5bd5668d0a0

SHA1
dfaa44b922c0ca013dc183de6e11748d9c090e4b

SHA256
ed0ae8897c4ebc43d8fd291ac19860512d9c813a39c8978a8e44115ee6e0b182

SHA512
06bc0489bcfb85e09a19d6c3b873097d60e381528ad618ae216ecdd303307888a86e9414675c83c5dbee8d7983007c1dfdf875ebe36576fda75a157cea8dddd6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/884-403-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1240-79-0x0000000001020000-0x0000000001130000-memory.dmp

Filesize
1.1MB

Download
memory/1804-281-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/1804-282-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1892-763-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1892-762-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2256-17-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2256-15-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2256-14-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2256-13-0x0000000000B10000-0x0000000000C20000-memory.dmp

Filesize
1.1MB

Download
memory/2256-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2352-523-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2364-702-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2452-77-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/2452-65-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2720-463-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/2828-642-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2944-343-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2944-342-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download