dcrat | 66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683.exe
Size

1.3MB
MD5

23ac4dfead11eeaa808717d83d8eabc0
SHA1

4ea843831619fb35f8f94d30bcee9959a829c1a1
SHA256

66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683
SHA512

cc69aa8004ab764f15aa5072cde0f7db48b7aa3a54d29b3b3d29e1a4f8e7be34375aa5183fbcc03692b7e8b929d92e715c04e7c15816ba74f9c416cf02b1c6ad
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2776	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d2c-9.dat	dcrat
behavioral1/memory/2768-13-0x0000000000DC0000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/2124-180-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/2772-298-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/2044-417-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1128	powershell.exe
108	powershell.exe
2088	powershell.exe
2760	powershell.exe
3016	powershell.exe
1588	powershell.exe
2144	powershell.exe
2328	powershell.exe
612	powershell.exe
932	powershell.exe
2468	powershell.exe
636	powershell.exe
3004	powershell.exe
1588	powershell.exe
1912	powershell.exe
2408	powershell.exe
2120	powershell.exe
2936	powershell.exe
2508	powershell.exe
2792	powershell.exe
1844	powershell.exe
2000	powershell.exe
2468	powershell.exe
3008	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2768	DllCommonsvc.exe
2232	DllCommonsvc.exe
2124	WmiPrvSE.exe
2700	WmiPrvSE.exe
2772	WmiPrvSE.exe
1300	WmiPrvSE.exe
2044	WmiPrvSE.exe
1508	WmiPrvSE.exe
2284	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2852	cmd.exe
2852	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ru-RU\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\ru-RU\services.exe	DllCommonsvc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Panther\actionqueue\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\actionqueue\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Setup\State\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\de-DE\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\AppPatch\AppPatch64\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\AppPatch64\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
436	schtasks.exe
1688	schtasks.exe
2664	schtasks.exe
2732	schtasks.exe
2964	schtasks.exe
1240	schtasks.exe
2392	schtasks.exe
2688	schtasks.exe
1300	schtasks.exe
2712	schtasks.exe
1100	schtasks.exe
2356	schtasks.exe
2220	schtasks.exe
2512	schtasks.exe
1040	schtasks.exe
2368	schtasks.exe
2892	schtasks.exe
2360	schtasks.exe
2348	schtasks.exe
1940	schtasks.exe
892	schtasks.exe
2528	schtasks.exe
2616	schtasks.exe
976	schtasks.exe
576	schtasks.exe
904	schtasks.exe
1740	schtasks.exe
628	schtasks.exe
2584	schtasks.exe
2268	schtasks.exe
1596	schtasks.exe
1932	schtasks.exe
2464	schtasks.exe
2016	schtasks.exe
2988	schtasks.exe
2632	schtasks.exe
1720	schtasks.exe
768	schtasks.exe
1600	schtasks.exe
3052	schtasks.exe
1564	schtasks.exe
2432	schtasks.exe
2612	schtasks.exe
1804	schtasks.exe
1824	schtasks.exe
2828	schtasks.exe
2152	schtasks.exe
1752	schtasks.exe
1052	schtasks.exe
2124	schtasks.exe
2004	schtasks.exe
1164	schtasks.exe
1992	schtasks.exe
1044	schtasks.exe
3008	schtasks.exe
1912	schtasks.exe
2420	schtasks.exe
980	schtasks.exe
2312	schtasks.exe
2176	schtasks.exe
2516	schtasks.exe
1908	schtasks.exe
2676	schtasks.exe
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
3016	powershell.exe
3008	powershell.exe
2792	powershell.exe
2468	powershell.exe
3004	powershell.exe
1844	powershell.exe
1588	powershell.exe
2232	DllCommonsvc.exe
2232	DllCommonsvc.exe
2232	DllCommonsvc.exe
1588	powershell.exe
2408	powershell.exe
2000	powershell.exe
636	powershell.exe
2468	powershell.exe
108	powershell.exe
2508	powershell.exe
2328	powershell.exe
612	powershell.exe
2088	powershell.exe
1912	powershell.exe
1128	powershell.exe
2936	powershell.exe
2120	powershell.exe
2144	powershell.exe
2760	powershell.exe
932	powershell.exe
2124	WmiPrvSE.exe
2700	WmiPrvSE.exe
2772	WmiPrvSE.exe
1300	WmiPrvSE.exe
2044	WmiPrvSE.exe
1508	WmiPrvSE.exe
2284	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	DllCommonsvc.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2232	DllCommonsvc.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	2124	WmiPrvSE.exe
Token: SeDebugPrivilege	2700	WmiPrvSE.exe
Token: SeDebugPrivilege	2772	WmiPrvSE.exe
Token: SeDebugPrivilege	1300	WmiPrvSE.exe
Token: SeDebugPrivilege	2044	WmiPrvSE.exe
Token: SeDebugPrivilege	1508	WmiPrvSE.exe
Token: SeDebugPrivilege	2284	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683.exe	30
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683.exe	30
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683.exe	30
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683.exe	30
PID 2420 wrote to memory of 2852	2420	WScript.exe	31
PID 2420 wrote to memory of 2852	2420	WScript.exe	31
PID 2420 wrote to memory of 2852	2420	WScript.exe	31
PID 2420 wrote to memory of 2852	2420	WScript.exe	31
PID 2852 wrote to memory of 2768	2852	cmd.exe	33
PID 2852 wrote to memory of 2768	2852	cmd.exe	33
PID 2852 wrote to memory of 2768	2852	cmd.exe	33
PID 2852 wrote to memory of 2768	2852	cmd.exe	33
PID 2768 wrote to memory of 1588	2768	DllCommonsvc.exe	53
PID 2768 wrote to memory of 1588	2768	DllCommonsvc.exe	53
PID 2768 wrote to memory of 1588	2768	DllCommonsvc.exe	53
PID 2768 wrote to memory of 3008	2768	DllCommonsvc.exe	54
PID 2768 wrote to memory of 3008	2768	DllCommonsvc.exe	54
PID 2768 wrote to memory of 3008	2768	DllCommonsvc.exe	54
PID 2768 wrote to memory of 1844	2768	DllCommonsvc.exe	55
PID 2768 wrote to memory of 1844	2768	DllCommonsvc.exe	55
PID 2768 wrote to memory of 1844	2768	DllCommonsvc.exe	55
PID 2768 wrote to memory of 2792	2768	DllCommonsvc.exe	56
PID 2768 wrote to memory of 2792	2768	DllCommonsvc.exe	56
PID 2768 wrote to memory of 2792	2768	DllCommonsvc.exe	56
PID 2768 wrote to memory of 2468	2768	DllCommonsvc.exe	57
PID 2768 wrote to memory of 2468	2768	DllCommonsvc.exe	57
PID 2768 wrote to memory of 2468	2768	DllCommonsvc.exe	57
PID 2768 wrote to memory of 3004	2768	DllCommonsvc.exe	58
PID 2768 wrote to memory of 3004	2768	DllCommonsvc.exe	58
PID 2768 wrote to memory of 3004	2768	DllCommonsvc.exe	58
PID 2768 wrote to memory of 3016	2768	DllCommonsvc.exe	59
PID 2768 wrote to memory of 3016	2768	DllCommonsvc.exe	59
PID 2768 wrote to memory of 3016	2768	DllCommonsvc.exe	59
PID 2768 wrote to memory of 2232	2768	DllCommonsvc.exe	67
PID 2768 wrote to memory of 2232	2768	DllCommonsvc.exe	67
PID 2768 wrote to memory of 2232	2768	DllCommonsvc.exe	67
PID 2232 wrote to memory of 2144	2232	DllCommonsvc.exe	116
PID 2232 wrote to memory of 2144	2232	DllCommonsvc.exe	116
PID 2232 wrote to memory of 2144	2232	DllCommonsvc.exe	116
PID 2232 wrote to memory of 1588	2232	DllCommonsvc.exe	117
PID 2232 wrote to memory of 1588	2232	DllCommonsvc.exe	117
PID 2232 wrote to memory of 1588	2232	DllCommonsvc.exe	117
PID 2232 wrote to memory of 2000	2232	DllCommonsvc.exe	118
PID 2232 wrote to memory of 2000	2232	DllCommonsvc.exe	118
PID 2232 wrote to memory of 2000	2232	DllCommonsvc.exe	118
PID 2232 wrote to memory of 2328	2232	DllCommonsvc.exe	120
PID 2232 wrote to memory of 2328	2232	DllCommonsvc.exe	120
PID 2232 wrote to memory of 2328	2232	DllCommonsvc.exe	120
PID 2232 wrote to memory of 1128	2232	DllCommonsvc.exe	121
PID 2232 wrote to memory of 1128	2232	DllCommonsvc.exe	121
PID 2232 wrote to memory of 1128	2232	DllCommonsvc.exe	121
PID 2232 wrote to memory of 612	2232	DllCommonsvc.exe	122
PID 2232 wrote to memory of 612	2232	DllCommonsvc.exe	122
PID 2232 wrote to memory of 612	2232	DllCommonsvc.exe	122
PID 2232 wrote to memory of 108	2232	DllCommonsvc.exe	123
PID 2232 wrote to memory of 108	2232	DllCommonsvc.exe	123
PID 2232 wrote to memory of 108	2232	DllCommonsvc.exe	123
PID 2232 wrote to memory of 932	2232	DllCommonsvc.exe	124
PID 2232 wrote to memory of 932	2232	DllCommonsvc.exe	124
PID 2232 wrote to memory of 932	2232	DllCommonsvc.exe	124
PID 2232 wrote to memory of 2120	2232	DllCommonsvc.exe	125
PID 2232 wrote to memory of 2120	2232	DllCommonsvc.exe	125
PID 2232 wrote to memory of 2120	2232	DllCommonsvc.exe	125
PID 2232 wrote to memory of 2468	2232	DllCommonsvc.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66333438a52987f69dfdc9fa953a9526fc2809125f0ea52e67a57975efc5d683.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\ru-RU\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\AppPatch64\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HMje0vb7T9.bat"
        6⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:912
        
        C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
        8⤵
        
        PID:540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1980
        
        C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat"
        10⤵
        
        PID:1060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1664
        
        C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        12⤵
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3036
        
        C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
        14⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1064
        
        C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        16⤵
        
        PID:568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:700
        
        C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
        18⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2772
        
        C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
        20⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Wallpaper\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\actionqueue\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Setup\State\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Application Data\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\ru-RU\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SysWOW64\ru-RU\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\ru-RU\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Documents\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\AppPatch64\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\AppPatch64\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\6203df4a6bafc7

Filesize
457B

MD5
8a35528cfad72d99b2c1cd57d6bc1e3d

SHA1
dd23bcd1575795211bd7fd04f0ad7604f674fe7c

SHA256
53210677fb41edb1250ff7e8b004d0d02b06557bd1d5c2c924c278da2567192f

SHA512
1332a50ecfd95c313f1d546bac9d1d5de145ef1b3f373fe572cb0c1c5a8e95e256e6dc83cecc9c01b183b4f84841d58b1238c31b7a5ce63cf19799e213f4b4a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a873dca73cf3f7836aa214de8b3cbdf2

SHA1
385b765845cc96abd795aa04c5098decf22e9420

SHA256
465ad97b7cdc39e93d59f3959b0cdcef4616ffddc82fc3f1e0a42cdd6267ea55

SHA512
9d2e8db6b79b237c0958bab0a2138a8932f5552684e59dc04cf3a73f919272e5f6d623201e9ffb8214a324758d2a283008cc098df1503617c487ac39c7bc767c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32c04a3ffb87715d143a183b9c88fc7b

SHA1
248ee36c2ab7bd4fe19f9681847bc77c1f7732b6

SHA256
40980c7fd696c0a6435117696349d8d0680781c88528c39e6218e40b6aee7cce

SHA512
852ce2423e8e89ce329f8abf6c01fb4c378fbfcdb8c7bfb76f93ee035561375f8e1b1f39e5d8aed7375573059f5220a7f26750c792373e096af3f108ae9d6fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60ed89ca1b1d04bd07643892318815b3

SHA1
3e318337216eafedc41ebee959ba37a198290152

SHA256
8d31068b3401df03edb4198a5af8fd388cbb414732a82df6f98583c5ec4b9394

SHA512
c46caed8b86b3bcab0f4ac146ae7245f52984194e79cc95e11d233915a50fc5027c2ad246eaf6809899b4cb18940a7aa13a717d74c3d0d5cb48cdef1bbbfbe89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
968446632f9b7a89760fe3a9feced7e4

SHA1
388b92ed3d62ef11512f1c76851fded8c7a746b2

SHA256
5b1833257dfd72b0697cfb055068871e654510bd377d2b5936f9e056a20fe153

SHA512
5ca3650538229c53ebdaa83c42a7a4075f8ac9e2ccce0d0dd910e6839c52d84c00dc380674f180297bcefe2e75704f4f788ac660ca9f45bc7c5c851fd3a0ecc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b24621b110572b03ed0ff42d22dfd2e6

SHA1
a2273fb35a4f443a1f3d5627e823758bb033e750

SHA256
ab73860d34b907b5cb94b0cbd0c971873b7cdf97fe608a19e631c12107b0cd2e

SHA512
8159175e1dd05c5632b1e06746f4bdd1d7c4b21dcfc704ff31535a0faf000b496c913c4bd4090713866c0a213201dac82e101a2f2238f3435c0a022500770a00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a2b99aa176950cb7e0ebf0cd54257e4

SHA1
06e35483a67ff855bb12e418102b8e33d50bd360

SHA256
b487c9e306d3e55c93f00d81ea1d5a3876c4c085cf79715094057b663de932dc

SHA512
848b1c5a9728bb220b6ce0a2b7df750847c95ff02cc1a7c135938dea624d4d6712969d029e52667764fe156794de0d931736b2210dcc679828272f88f2948100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8B7F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMje0vb7T9.bat

Filesize
231B

MD5
a7bb11a87d9eb6634dd2d347cb552b9c

SHA1
c97a09732271db304fc0e2dbccff0b9e4ac39056

SHA256
3f07235cafccf544bd8d86c5cbc0e7551e41622ffdbef5de9234bb0ef46c544e

SHA512
93046914315f3ed7a462f5f4e0a60ce4473c72ec4ee0832ee900b1990ca7901a38e89b867c5a4a07abc4d79c77131d168456d54cc84f4bcf9ad966b6ebd4063f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JbtrqXgYk1.bat

Filesize
231B

MD5
2f523e0c338902e50e78e4369fa8120f

SHA1
cc7be80f7c8b293589bf289bf479d361f66fc2d5

SHA256
e172bd98613022795620dd66a9a079ce7c5713dc744811b636b4230645a6a380

SHA512
a7f88cdfdc218395be6807b7699e05a2f1f41795fc9b7bc689567ca5b2a72c4214d16bdebb1e9483358098c3e405baa720cbff8f586a431c3bd5934a872e8d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8BE0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat

Filesize
231B

MD5
7bf161ec744f65b02df7ce15327c826c

SHA1
5083ace8c3c529a410c40d45821fa204e9f5aab8

SHA256
08e1ee843a64bb57d0a715a8acb91fffc8919dacfe23308350c7cae76430055d

SHA512
6f34f175b0ad6f38412ec475472cdc7e91c3a51e70697e862cd9fcac27e8e8ef18c2c8794acbd4b0c47fcd616ca880505a06da2ffdb53c6261ba17b7921ee5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

Filesize
231B

MD5
c6871dd6f178f20d5100f313bb633af7

SHA1
fac461aedccb1ad017d382a8e45461b6cd08ca2f

SHA256
d3fe6f5fe4043812a68ba97e4422b9959c453af7ea7f27fcf89d5a303127981c

SHA512
f12e359a9cc6e8510e3f9f7a9fd9404a52dd7864825f2bd70bb7b6c6fb606ce0fec90ae0bdedda8b97ba057db80e93b5dc03b5e56090d750faae545557e13e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
231B

MD5
80bc4dbcbfc7f13c42aa3eef3b82c629

SHA1
3d907ed1e45919ae35433bf30b28b566b1208f24

SHA256
7bc6d9dfbd7f2f679f98c00d6b9d13fbb2d856015ab2c2c978d829c435dddf2e

SHA512
02a5446b801cba12e483e3382157285a1a9dcbb261a8a57ffd4fb81abc34c75b37e991cb571d15bd888e993c01ee0458ebea9bd801b3ccd233242afd5540725e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
231B

MD5
82ccd5df59be1a370a805c5fdbbf7df3

SHA1
2c0c81bd23e0f891b31746ff93bc1ae5a7a9a899

SHA256
9f530802e6bd6a550f7b4b52461d9cecebe6d49591fcf4696415450d79dd9317

SHA512
b69b52899b28ccc800775c87713d504dd7060a6568ad25c66b7154c8154a729734d8aba99c8fa8d2a6adea9be650520f565be0977cdd664152b7407c12c8b691

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
231B

MD5
d1aa86ce0d96f28b1e2b0d5adef2539f

SHA1
64bc8917c9fd6685b57cc9bb1ec52b1ffb2930a5

SHA256
91ce41062154519ce86130f8ba899244ab49615e6cd6790009719991402105df

SHA512
727a6e7f9bc1c949400d59e50473d675a6d76802c83b0a641e70755556b652df1e9ab0f8914a102f094a4ef343362f881579775b8658916f10acccedb79b521f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat

Filesize
231B

MD5
1f726d3b6903db2747051c8e0ac7893c

SHA1
c7317d8b0a1323e36c8d5799d4ff4d0a6fb29fbb

SHA256
7726a230cccbb052123d1dcdee193e5e8f9e4195530cc1a377308315fb87630f

SHA512
b1c6d5cba2f06083527e4bb850d77689e4aba6a0e044b53431c514421cca82562b602e9bbb4fb01869791090060159dc5805a69ed23fd9b56b95fd525e3bf163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c76408db202fccaef380d11fd0bb3c44

SHA1
1c376accb4da49d9b51c579d0f642dec6f6e46f1

SHA256
144308e16bbff1e3dec226adfda2cf79803b8eef937fa01e4c15c436c1b49f2b

SHA512
6f0794ff004772bfc1d714428c53f4b142c64c2c1f2206bb5548e45308a5bc1181dc5974a619ab73fe75b434d80c30fb58f6a27ba225946611c2224885c2e8f7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1588-128-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/1588-112-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2044-417-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2124-180-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2284-536-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2768-15-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2768-14-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2768-16-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2768-13-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/2768-17-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/2772-298-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/2792-46-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/3016-47-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download