dcrat | 5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954.exe
Size

1.3MB
MD5

5c06cb74d085247d633f06aa98b53904
SHA1

e6201bef30eb8ad1981b60476f8afad76f853b4e
SHA256

5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954
SHA512

9beee06788a692a1712cc2ada99c9b3f30c37022176a285ba094684225f613a40fa8d97b723f36f7dd79ef94259d152dbf55764cb5661495910975a613217433
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2724	schtasks.exe	33

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000170f8-9.dat	dcrat
behavioral1/memory/2428-13-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2316-163-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/304-223-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat
behavioral1/memory/912-401-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/memory/3044-461-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/2304-639-0x0000000001020000-0x0000000001130000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1660	powershell.exe
1760	powershell.exe
3044	powershell.exe
2212	powershell.exe
2228	powershell.exe
2608	powershell.exe
3060	powershell.exe
1748	powershell.exe
2128	powershell.exe
1240	powershell.exe
840	powershell.exe
2356	powershell.exe
3052	powershell.exe
2300	powershell.exe
3056	powershell.exe
2348	powershell.exe
2408	powershell.exe
2308	powershell.exe
2400	powershell.exe
1648	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2428	DllCommonsvc.exe
2316	WmiPrvSE.exe
304	WmiPrvSE.exe
2212	WmiPrvSE.exe
1104	WmiPrvSE.exe
912	WmiPrvSE.exe
3044	WmiPrvSE.exe
1552	WmiPrvSE.exe
2316	WmiPrvSE.exe
2304	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
24	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Visualizations\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\c5b4cb5e9653cc	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
896	schtasks.exe
320	schtasks.exe
2836	schtasks.exe
2416	schtasks.exe
940	schtasks.exe
1040	schtasks.exe
1628	schtasks.exe
2688	schtasks.exe
2816	schtasks.exe
1536	schtasks.exe
824	schtasks.exe
1280	schtasks.exe
924	schtasks.exe
3000	schtasks.exe
1332	schtasks.exe
2336	schtasks.exe
2664	schtasks.exe
1676	schtasks.exe
2848	schtasks.exe
2396	schtasks.exe
2864	schtasks.exe
2792	schtasks.exe
2348	schtasks.exe
1788	schtasks.exe
616	schtasks.exe
2172	schtasks.exe
2140	schtasks.exe
2272	schtasks.exe
1028	schtasks.exe
3020	schtasks.exe
2904	schtasks.exe
1640	schtasks.exe
2320	schtasks.exe
2040	schtasks.exe
1588	schtasks.exe
2628	schtasks.exe
1744	schtasks.exe
2456	schtasks.exe
1600	schtasks.exe
2776	schtasks.exe
2284	schtasks.exe
2216	schtasks.exe
888	schtasks.exe
2156	schtasks.exe
400	schtasks.exe
1252	schtasks.exe
2880	schtasks.exe
2220	schtasks.exe
2084	schtasks.exe
900	schtasks.exe
932	schtasks.exe
2576	schtasks.exe
992	schtasks.exe
592	schtasks.exe
2224	schtasks.exe
2564	schtasks.exe
3008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2428	DllCommonsvc.exe
2428	DllCommonsvc.exe
2428	DllCommonsvc.exe
3052	powershell.exe
1660	powershell.exe
2408	powershell.exe
2400	powershell.exe
2128	powershell.exe
1240	powershell.exe
2348	powershell.exe
2212	powershell.exe
1760	powershell.exe
2356	powershell.exe
2300	powershell.exe
1648	powershell.exe
3056	powershell.exe
3044	powershell.exe
2608	powershell.exe
2228	powershell.exe
3060	powershell.exe
840	powershell.exe
2308	powershell.exe
1748	powershell.exe
2316	WmiPrvSE.exe
304	WmiPrvSE.exe
2212	WmiPrvSE.exe
1104	WmiPrvSE.exe
912	WmiPrvSE.exe
3044	WmiPrvSE.exe
1552	WmiPrvSE.exe
2316	WmiPrvSE.exe
2304	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	DllCommonsvc.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2316	WmiPrvSE.exe
Token: SeDebugPrivilege	304	WmiPrvSE.exe
Token: SeDebugPrivilege	2212	WmiPrvSE.exe
Token: SeDebugPrivilege	1104	WmiPrvSE.exe
Token: SeDebugPrivilege	912	WmiPrvSE.exe
Token: SeDebugPrivilege	3044	WmiPrvSE.exe
Token: SeDebugPrivilege	1552	WmiPrvSE.exe
Token: SeDebugPrivilege	2316	WmiPrvSE.exe
Token: SeDebugPrivilege	2304	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1860	2328	JaffaCakes118_5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954.exe	29
PID 2328 wrote to memory of 1860	2328	JaffaCakes118_5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954.exe	29
PID 2328 wrote to memory of 1860	2328	JaffaCakes118_5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954.exe	29
PID 2328 wrote to memory of 1860	2328	JaffaCakes118_5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954.exe	29
PID 1860 wrote to memory of 2876	1860	WScript.exe	30
PID 1860 wrote to memory of 2876	1860	WScript.exe	30
PID 1860 wrote to memory of 2876	1860	WScript.exe	30
PID 1860 wrote to memory of 2876	1860	WScript.exe	30
PID 2876 wrote to memory of 2428	2876	cmd.exe	32
PID 2876 wrote to memory of 2428	2876	cmd.exe	32
PID 2876 wrote to memory of 2428	2876	cmd.exe	32
PID 2876 wrote to memory of 2428	2876	cmd.exe	32
PID 2428 wrote to memory of 1660	2428	DllCommonsvc.exe	91
PID 2428 wrote to memory of 1660	2428	DllCommonsvc.exe	91
PID 2428 wrote to memory of 1660	2428	DllCommonsvc.exe	91
PID 2428 wrote to memory of 2228	2428	DllCommonsvc.exe	93
PID 2428 wrote to memory of 2228	2428	DllCommonsvc.exe	93
PID 2428 wrote to memory of 2228	2428	DllCommonsvc.exe	93
PID 2428 wrote to memory of 840	2428	DllCommonsvc.exe	94
PID 2428 wrote to memory of 840	2428	DllCommonsvc.exe	94
PID 2428 wrote to memory of 840	2428	DllCommonsvc.exe	94
PID 2428 wrote to memory of 1760	2428	DllCommonsvc.exe	95
PID 2428 wrote to memory of 1760	2428	DllCommonsvc.exe	95
PID 2428 wrote to memory of 1760	2428	DllCommonsvc.exe	95
PID 2428 wrote to memory of 2356	2428	DllCommonsvc.exe	96
PID 2428 wrote to memory of 2356	2428	DllCommonsvc.exe	96
PID 2428 wrote to memory of 2356	2428	DllCommonsvc.exe	96
PID 2428 wrote to memory of 2608	2428	DllCommonsvc.exe	97
PID 2428 wrote to memory of 2608	2428	DllCommonsvc.exe	97
PID 2428 wrote to memory of 2608	2428	DllCommonsvc.exe	97
PID 2428 wrote to memory of 3052	2428	DllCommonsvc.exe	99
PID 2428 wrote to memory of 3052	2428	DllCommonsvc.exe	99
PID 2428 wrote to memory of 3052	2428	DllCommonsvc.exe	99
PID 2428 wrote to memory of 3060	2428	DllCommonsvc.exe	101
PID 2428 wrote to memory of 3060	2428	DllCommonsvc.exe	101
PID 2428 wrote to memory of 3060	2428	DllCommonsvc.exe	101
PID 2428 wrote to memory of 2128	2428	DllCommonsvc.exe	102
PID 2428 wrote to memory of 2128	2428	DllCommonsvc.exe	102
PID 2428 wrote to memory of 2128	2428	DllCommonsvc.exe	102
PID 2428 wrote to memory of 1748	2428	DllCommonsvc.exe	105
PID 2428 wrote to memory of 1748	2428	DllCommonsvc.exe	105
PID 2428 wrote to memory of 1748	2428	DllCommonsvc.exe	105
PID 2428 wrote to memory of 3056	2428	DllCommonsvc.exe	106
PID 2428 wrote to memory of 3056	2428	DllCommonsvc.exe	106
PID 2428 wrote to memory of 3056	2428	DllCommonsvc.exe	106
PID 2428 wrote to memory of 2308	2428	DllCommonsvc.exe	107
PID 2428 wrote to memory of 2308	2428	DllCommonsvc.exe	107
PID 2428 wrote to memory of 2308	2428	DllCommonsvc.exe	107
PID 2428 wrote to memory of 2408	2428	DllCommonsvc.exe	108
PID 2428 wrote to memory of 2408	2428	DllCommonsvc.exe	108
PID 2428 wrote to memory of 2408	2428	DllCommonsvc.exe	108
PID 2428 wrote to memory of 2300	2428	DllCommonsvc.exe	109
PID 2428 wrote to memory of 2300	2428	DllCommonsvc.exe	109
PID 2428 wrote to memory of 2300	2428	DllCommonsvc.exe	109
PID 2428 wrote to memory of 3044	2428	DllCommonsvc.exe	110
PID 2428 wrote to memory of 3044	2428	DllCommonsvc.exe	110
PID 2428 wrote to memory of 3044	2428	DllCommonsvc.exe	110
PID 2428 wrote to memory of 1240	2428	DllCommonsvc.exe	111
PID 2428 wrote to memory of 1240	2428	DllCommonsvc.exe	111
PID 2428 wrote to memory of 1240	2428	DllCommonsvc.exe	111
PID 2428 wrote to memory of 2348	2428	DllCommonsvc.exe	112
PID 2428 wrote to memory of 2348	2428	DllCommonsvc.exe	112
PID 2428 wrote to memory of 2348	2428	DllCommonsvc.exe	112
PID 2428 wrote to memory of 2400	2428	DllCommonsvc.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2796bbc70bc4979604fec316491d230b4b93115d6c7f0c853c562fc5d4e954.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WAbDQTaMdk.bat"
        5⤵
        
        PID:1496
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2460
      - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        7⤵
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1516
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        9⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2336
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
        11⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1496
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        13⤵
        
        PID:524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1028
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
        15⤵
        
        PID:896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2408
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
        17⤵
        
        PID:432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1380
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
        19⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1104
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
        21⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2128
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\My Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f74c23349ef4f95ab26927297f089303

SHA1
097e038385f8e0e270aa5b4af6895f48098a6a4e

SHA256
3300480674f288aa2fa8ec9a1c07bdca307e5c57dbe84a17d42f4e7f71578232

SHA512
d4323ded820ba8c5631c783018b7e4b60c23f608eebf697af7265742834d6248a6ee33cec61edd7c27400972028b70e95af86046a2e99a338cf314404b429a74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c67ad1be324b9450eac226d7f7cababf

SHA1
a812d76fb5253bc48df11680368433437cf8608d

SHA256
82d0b364f24d770e171bebc249db8939e3cb5f569f1289554a169c731770b491

SHA512
ed7e37c8d521720e74c69fddbc8307f7377e5609a77034197369f0e2eeea7095079164314e1298bc0fecbdffd925f4ec81b212f7c2293a60b6b333898982ca71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93d4156fa7c124814ada57f51d0d5594

SHA1
fbfa625e5edf6349bda3dfbfd5848edcfe091034

SHA256
9c1a180fcde3e0add1fad824986333896bb95f452cd605602507a8e02e1f3ead

SHA512
a7bee0d9a7c6646bb9995b00565926a1ea4b677f6c9658380165b6d8f4b2401ed3ddb1b1f5aa8ec0bee7424964d1952d88a72aa34dda7ee0388be76d30cd446f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
461d7be1c1d73f4abfa53ef9ea6d5319

SHA1
b6adeceafa72844851791e27b79f6ed3d255cd39

SHA256
5ba07308d113bfb359e128f0bbf84d60efb7f54ba7096e14e57a48680cf397e1

SHA512
d97269fab497a5aaafa23ad58ecb0d1cdef90156d9e2caeed3a7aa8fadcc9f4148980a53fb7830f909fbf55bc0cf395cc2262200e29c53edad07abb2e991b638

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f89da6b94e41c2dfea9ff5d6f9ae5b10

SHA1
30b1df9087406859ba3195d3a7cd98cec18d1967

SHA256
3dec5f5f4c54bc73e8f4ece3e8ad205deb3bf93a5a14a80c98e1b3ce55d7fb41

SHA512
4bf820668f21539702212fc9bf34671150867156f01689b8520aa975e74fa5b6c0c60b7d98470c4b0ec8b14b6152a44c785d47c95837b920da3c8c8dd0d70117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12a3d560792720d534732eac12837abf

SHA1
0208a0f3327d2c6340f0a2ba224f161d03800a35

SHA256
3e8d746b8f7c898b19a6cdf7764caf0379cb65006c2fb9aa229d4909207f5bd2

SHA512
fe0dfe3c72786dbf35695f3a8f7a29a5e7521a0dd1dfa677d7565125d813fd2743970e6e89f663e910ee8201efb09126d52c644a7b3dcb1a4749326e26eed386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6cfd255df16cae61e350588eed8526b

SHA1
e81d098a58d18c9823dd0d05797cd805f97f05d1

SHA256
a07c71fa914cb967a34d0aa943050a26cf92a721d0961d980719b7410ba2e7e2

SHA512
ab3b3c87a2efbdff6a314caecc1626d47d02d78c3a9a864cb392b00bdbe4005ba9883b35ebe5ba20fcecedf9672bc5386cd4272d6c50eafe9b9cfa7da8c94b49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c6433d43873488ce9dafb2cb3a42178

SHA1
6a0850f81251d65823bcd8f2eb40e5db591e11cd

SHA256
1a37615e0c4da371beebf6d7b6fe3c739132cb7be61869a33467604183f0cc3a

SHA512
9737d4548b73d2facc7a21ef246a341ceb296cffee332cfac360af60b690c63a1797166294ae5482043cb51ce48dc6fc1fde6516c3d097326d6345808417e972

Download Submit
C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

Filesize
251B

MD5
fe7f4826cbbe9b0f6e671f69f665bf54

SHA1
e10704afa6789e7fb5c632cf472e26a75087c80d

SHA256
2f2849c4596e190b84df5199cf7fee4d48a8fd6490707d827d75fb6160014c06

SHA512
850beeeacc6c970327bc17f6c89a0fb70b05deff09df07c631f2138ce3d3dd93f9630e029da90e4ac662ccceafd2c803433d842c8a9afa714a4f5e057c5cc98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5DAC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
251B

MD5
d708c547ea5564ce24ec16bceb90c499

SHA1
d02fa2dc6b454a0b1b0dfe924d1c8cc02713ac06

SHA256
ce90b8f6fe42c66f781c21db17d03c8d7f67b933d290574931a812c23d0c7ea7

SHA512
dfac7750e6a05747f0cce47b9af3fe9f320e7aa9694989289b6e6b38c3185909beb594afb9128cb6156bb0968e1aa9e38bc18fdefa1dda5fa5be143ef2e7ad6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5DCE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAbDQTaMdk.bat

Filesize
251B

MD5
e0b29a34bfd3f417422c66f92e1a1ec6

SHA1
0762166e2f7d9e499473420591cc24db682583c4

SHA256
554067114f0bb4b3a49801d3cb822a249153ba796eaf4f3cf5f1669edbfd4e57

SHA512
8d93eecc303a163a1f36248aa951fb2f21fba913a6368c22a357e060824e3f5dc82f007953ffe9db78bb9c38dada63df95b2af29fb1bf15cfa1d5089b40dd9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

Filesize
251B

MD5
41f053c6cdb98cf812426f3930fc503f

SHA1
c2eb09d3a72f8651d033fa7c0af61f8f874908c2

SHA256
2aeb081d2f1b6ab61e9d489c70fc5e834888a3c888fea60cd2ad605d2f2b0ee6

SHA512
683c2ec60b4a1c5a16742748f652e49c8cde1f930d862cc55434acc37c8c897388877b0337cba570ad215ed16ba14daa7fc24c0d1c14491662aaef6aa6d0c87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
251B

MD5
fbc904f1ab9d246d4eacdb22cc19496b

SHA1
a0242eac159a4c690de7b62fac2b01e7f58e06d9

SHA256
92b6ebfb0f78033ca0a9820a8f42aaf2f5c90032aa446eb5f57dfc74da70427c

SHA512
c1e624d27eca7059ac0c25488d136752384eca02213e13aec89400981b003fdc39cdd087bad46c7733836dc7512d461b39c4fbfe6d47fb304e1a281371b4e3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
251B

MD5
2c2fc5a89a739f273eeef065f182fb66

SHA1
3b6bf523e5fce0ea6f1639f3a942ffea617878a9

SHA256
3c6b38d8bc1762187482b2828616710f9d837c1ca86f472ad14d4608b286f1a3

SHA512
7fc4d894da72c62faf0afab84543d2537014fef2be3b99c41f7bc7f6d0dcc6b8423107f2127d91d4492acc6967db939999995a00c9348c854e54b403472ed63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

Filesize
251B

MD5
54ddf0c468318752ab514ae8d3c3db6c

SHA1
966ef6118dbe1fcd42fdc461fa1286bcc026893c

SHA256
8e890e3d2a96109f90796067b117370166a7d065a709bbc9f89e9cc75068b2bf

SHA512
e14ae1882e3c7c861607e76e063fa1f465db44a05746c6e789a57e623b9ef8850f3c01dd16e19bbbaaa6e25733743a0c4ab03616fdf9979b5e0fb919dcf66063

Download Submit
C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

Filesize
251B

MD5
4eaa81915e4e3e14e6b35c645d7c957e

SHA1
f325926f1a339d81f1836d1d94a40ec7b4e2fd2c

SHA256
2272481a139683e4464cc0347aac670d67dfdbba829648e62436d07e8fee6b8a

SHA512
1f1c443e1d513280958894ce0a129c94b3f80da6345b7f7d63f1dd5561683b66282aac7b1f663965b7f0bab852df72f70dae539ffb0075925e7b84fe2df3aa49

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

Filesize
251B

MD5
be6a013f980928f5d149bf5e25d39db5

SHA1
24e9b7eb3a7d112d60ac5e61b8722754958e3793

SHA256
4e5bc6d3929b58a3dfa96fc86ecf2560cc8b6225569739743f9322b2db7e3faf

SHA512
6f887800a62cef658d6442e6ee43f76c4a117a4d61c37af8ee1e4d6eece0917c51f4e63ade0782dc2a37d19a9ebd1f160a12429d8bf7a59c678aaa6453e607b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b0ee53812408fe8679fa51d4c4b511ef

SHA1
fc8c8aadc626c5510ec83178a8ced349b181ac0e

SHA256
ccfdbed0c6698e45033d066fa7fe2861fc34c49895c6d3ee02e3e45f151e4295

SHA512
39ffa3b41dcc7c65234bd28c5efbaf85ad5da38d7462d33f4bbcbc8168d1d3e98a3678032f97c3e86725e1f8eb17f4a2a333622aa028e1ff4d3884a1cee658b9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/304-223-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download
memory/912-401-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/1748-159-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/1748-160-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/2304-640-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2304-639-0x0000000001020000-0x0000000001130000-memory.dmp

Filesize
1.1MB

Download
memory/2316-164-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2316-163-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download
memory/2428-16-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2428-14-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2428-13-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/2428-15-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2428-17-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/3044-461-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/3052-69-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/3052-70-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download