dcrat | 2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0.exe
Size

1.3MB
MD5

2c81dd5262db1c0406ea991c7f87c9ac
SHA1

9f9a72fdf5e40a76399da39fc2b4cff8d96d0813
SHA256

2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0
SHA512

0efbe9b2eb86761e91c4b30dad4a2c1199c3b76dc5d400e6b859cc34852c95625574520678d13d0ab0b429b87fb16e44f54340c8eb5ef4ec00b88104062602f5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2828	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2828	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d3a-9.dat	dcrat
behavioral1/memory/2676-13-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/2712-161-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/912-279-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/1980-339-0x0000000000BA0000-0x0000000000CB0000-memory.dmp	dcrat
behavioral1/memory/2616-400-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3028	powershell.exe
1384	powershell.exe
1464	powershell.exe
2104	powershell.exe
1524	powershell.exe
2844	powershell.exe
2800	powershell.exe
3016	powershell.exe
2664	powershell.exe
2556	powershell.exe
1864	powershell.exe
1660	powershell.exe
896	powershell.exe
2404	powershell.exe
772	powershell.exe
2292	powershell.exe
2652	powershell.exe
2536	powershell.exe
596	powershell.exe
1596	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2676	DllCommonsvc.exe
2712	dwm.exe
1200	dwm.exe
912	dwm.exe
1980	dwm.exe
2616	dwm.exe
1868	dwm.exe
2120	dwm.exe
1964	dwm.exe
2316	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	cmd.exe
2400	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
30	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\System.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\addins\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\addins\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\ShellNew\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\de-DE\spoolsv.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
844	schtasks.exe
2192	schtasks.exe
2088	schtasks.exe
1716	schtasks.exe
1908	schtasks.exe
2824	schtasks.exe
3016	schtasks.exe
2224	schtasks.exe
1764	schtasks.exe
2724	schtasks.exe
1612	schtasks.exe
3044	schtasks.exe
848	schtasks.exe
1452	schtasks.exe
1484	schtasks.exe
1576	schtasks.exe
2528	schtasks.exe
2412	schtasks.exe
1800	schtasks.exe
2144	schtasks.exe
2908	schtasks.exe
2916	schtasks.exe
1812	schtasks.exe
1684	schtasks.exe
348	schtasks.exe
1588	schtasks.exe
2084	schtasks.exe
2696	schtasks.exe
1600	schtasks.exe
1960	schtasks.exe
2592	schtasks.exe
1376	schtasks.exe
2212	schtasks.exe
2352	schtasks.exe
2608	schtasks.exe
1732	schtasks.exe
1124	schtasks.exe
2928	schtasks.exe
2780	schtasks.exe
2796	schtasks.exe
444	schtasks.exe
1520	schtasks.exe
2996	schtasks.exe
1036	schtasks.exe
2988	schtasks.exe
2328	schtasks.exe
2032	schtasks.exe
1556	schtasks.exe
1984	schtasks.exe
876	schtasks.exe
2716	schtasks.exe
808	schtasks.exe
2744	schtasks.exe
3036	schtasks.exe
836	schtasks.exe
1608	schtasks.exe
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2844	powershell.exe
772	powershell.exe
1524	powershell.exe
2292	powershell.exe
2556	powershell.exe
1596	powershell.exe
2800	powershell.exe
1660	powershell.exe
2404	powershell.exe
1464	powershell.exe
3016	powershell.exe
2652	powershell.exe
596	powershell.exe
1864	powershell.exe
1384	powershell.exe
2664	powershell.exe
896	powershell.exe
2104	powershell.exe
3028	powershell.exe
2536	powershell.exe
2712	dwm.exe
1200	dwm.exe
912	dwm.exe
1980	dwm.exe
2616	dwm.exe
1868	dwm.exe
2120	dwm.exe
1964	dwm.exe
2316	dwm.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	DllCommonsvc.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2712	dwm.exe
Token: SeDebugPrivilege	1200	dwm.exe
Token: SeDebugPrivilege	912	dwm.exe
Token: SeDebugPrivilege	1980	dwm.exe
Token: SeDebugPrivilege	2616	dwm.exe
Token: SeDebugPrivilege	1868	dwm.exe
Token: SeDebugPrivilege	2120	dwm.exe
Token: SeDebugPrivilege	1964	dwm.exe
Token: SeDebugPrivilege	2316	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2280	1992	JaffaCakes118_2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0.exe	31
PID 1992 wrote to memory of 2280	1992	JaffaCakes118_2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0.exe	31
PID 1992 wrote to memory of 2280	1992	JaffaCakes118_2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0.exe	31
PID 1992 wrote to memory of 2280	1992	JaffaCakes118_2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0.exe	31
PID 2280 wrote to memory of 2400	2280	WScript.exe	32
PID 2280 wrote to memory of 2400	2280	WScript.exe	32
PID 2280 wrote to memory of 2400	2280	WScript.exe	32
PID 2280 wrote to memory of 2400	2280	WScript.exe	32
PID 2400 wrote to memory of 2676	2400	cmd.exe	34
PID 2400 wrote to memory of 2676	2400	cmd.exe	34
PID 2400 wrote to memory of 2676	2400	cmd.exe	34
PID 2400 wrote to memory of 2676	2400	cmd.exe	34
PID 2676 wrote to memory of 2664	2676	DllCommonsvc.exe	93
PID 2676 wrote to memory of 2664	2676	DllCommonsvc.exe	93
PID 2676 wrote to memory of 2664	2676	DllCommonsvc.exe	93
PID 2676 wrote to memory of 2104	2676	DllCommonsvc.exe	94
PID 2676 wrote to memory of 2104	2676	DllCommonsvc.exe	94
PID 2676 wrote to memory of 2104	2676	DllCommonsvc.exe	94
PID 2676 wrote to memory of 2556	2676	DllCommonsvc.exe	95
PID 2676 wrote to memory of 2556	2676	DllCommonsvc.exe	95
PID 2676 wrote to memory of 2556	2676	DllCommonsvc.exe	95
PID 2676 wrote to memory of 2844	2676	DllCommonsvc.exe	97
PID 2676 wrote to memory of 2844	2676	DllCommonsvc.exe	97
PID 2676 wrote to memory of 2844	2676	DllCommonsvc.exe	97
PID 2676 wrote to memory of 2536	2676	DllCommonsvc.exe	98
PID 2676 wrote to memory of 2536	2676	DllCommonsvc.exe	98
PID 2676 wrote to memory of 2536	2676	DllCommonsvc.exe	98
PID 2676 wrote to memory of 2652	2676	DllCommonsvc.exe	100
PID 2676 wrote to memory of 2652	2676	DllCommonsvc.exe	100
PID 2676 wrote to memory of 2652	2676	DllCommonsvc.exe	100
PID 2676 wrote to memory of 2404	2676	DllCommonsvc.exe	102
PID 2676 wrote to memory of 2404	2676	DllCommonsvc.exe	102
PID 2676 wrote to memory of 2404	2676	DllCommonsvc.exe	102
PID 2676 wrote to memory of 1524	2676	DllCommonsvc.exe	103
PID 2676 wrote to memory of 1524	2676	DllCommonsvc.exe	103
PID 2676 wrote to memory of 1524	2676	DllCommonsvc.exe	103
PID 2676 wrote to memory of 896	2676	DllCommonsvc.exe	104
PID 2676 wrote to memory of 896	2676	DllCommonsvc.exe	104
PID 2676 wrote to memory of 896	2676	DllCommonsvc.exe	104
PID 2676 wrote to memory of 772	2676	DllCommonsvc.exe	105
PID 2676 wrote to memory of 772	2676	DllCommonsvc.exe	105
PID 2676 wrote to memory of 772	2676	DllCommonsvc.exe	105
PID 2676 wrote to memory of 1464	2676	DllCommonsvc.exe	106
PID 2676 wrote to memory of 1464	2676	DllCommonsvc.exe	106
PID 2676 wrote to memory of 1464	2676	DllCommonsvc.exe	106
PID 2676 wrote to memory of 2800	2676	DllCommonsvc.exe	108
PID 2676 wrote to memory of 2800	2676	DllCommonsvc.exe	108
PID 2676 wrote to memory of 2800	2676	DllCommonsvc.exe	108
PID 2676 wrote to memory of 3016	2676	DllCommonsvc.exe	110
PID 2676 wrote to memory of 3016	2676	DllCommonsvc.exe	110
PID 2676 wrote to memory of 3016	2676	DllCommonsvc.exe	110
PID 2676 wrote to memory of 1864	2676	DllCommonsvc.exe	111
PID 2676 wrote to memory of 1864	2676	DllCommonsvc.exe	111
PID 2676 wrote to memory of 1864	2676	DllCommonsvc.exe	111
PID 2676 wrote to memory of 596	2676	DllCommonsvc.exe	112
PID 2676 wrote to memory of 596	2676	DllCommonsvc.exe	112
PID 2676 wrote to memory of 596	2676	DllCommonsvc.exe	112
PID 2676 wrote to memory of 1596	2676	DllCommonsvc.exe	113
PID 2676 wrote to memory of 1596	2676	DllCommonsvc.exe	113
PID 2676 wrote to memory of 1596	2676	DllCommonsvc.exe	113
PID 2676 wrote to memory of 3028	2676	DllCommonsvc.exe	114
PID 2676 wrote to memory of 3028	2676	DllCommonsvc.exe	114
PID 2676 wrote to memory of 3028	2676	DllCommonsvc.exe	114
PID 2676 wrote to memory of 2292	2676	DllCommonsvc.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a0360f1b826b4a4b15db1ef21926d2736c463e8c596989553c0c5e9e05398d0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iAtmbO7y8o.bat"
        5⤵
        
        PID:2364
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1528
      - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        7⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1524
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
        9⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3000
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        11⤵
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2816
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
        13⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1740
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
        15⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2500
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
        17⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2612
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        19⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:704
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat"
        21⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3024
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        23⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ShellNew\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e645bbebbfcb946b5bfc9c926772ea42

SHA1
00894262be60e78391e99d97ab055df6888d6638

SHA256
a04048c4151e986d789e39bf2e72179c92805a06e1720c2a911b1f460d0a5427

SHA512
308c1c3dde22ee1647f84a7a31c0487a3c3076e0af110ca6cf645676c1477f4aa9f7ca077f663ea339dca993bdf04194bf71ad3f62f02756927c2e5d4ad98de4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c2fd9875d3ba8b1a34af47824544a33

SHA1
0a510388f171d3b98c487d67dc9fcb9641389bce

SHA256
d3fb767a299961306f8558f501a668f4f94b518600c78d3a010024ec1aad1183

SHA512
983d2bc2d5dfa18189a20ea02c77daec2c81999f7d4fd7571b7c7875b5c470dbd375113f23cfeba55ab797211fe2c8cbfa1291f07acc6e45171ed1b79c54ac61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a3499634e231031db822f38c72695ff

SHA1
0a707dcd6bf3438c953e551092f50101565d9995

SHA256
5568a238b1fc76b651db8a0d3e311e5f43f0caf192fb60370b25ee0ac1431e63

SHA512
10ccfb66d481371e33ef75c85499d01c230e956929d39c63ffb35b24ba5831ffb8b5fc6f51dd33082836d1e50e1a4f7f7a988befa4d166667d6adc0116e955e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b76a433bf33910539910bbf2f2f91734

SHA1
a56e85aa0c50317a8671331767d20ed51136016b

SHA256
03e5ce653c8d3d0198855934318ea5a7873e35c2b05d4a5906940309e96ce090

SHA512
a65ddf265ad397579e9ef9b0a1913308fc39a8478acdbb36fca86c7dbea72b2b55d777fabd40fd01fb37593e8d3268a9e86cc88862dffe0b82cf40a1a9245982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6db5817b561c90a74f8f5257f76a056c

SHA1
3a07ed0f842d82ac7739c98ea84cae13280174df

SHA256
304655421de07dbec50570697a7ee343d07e45d2c036ceadf0d2b893f72f29dd

SHA512
04f3ea394bec22cee56b888389869c94d98f6402fcbbf055652319f1dfdacb502f30fac1e6dcd9a75ff28063009d12e5e29e8e874752694a1d607f9edc406dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b65482a7021eeb9a09b036936db797f

SHA1
cd08964d457e5bb47123d07f081b7ddcae2c3bf1

SHA256
71562ad3a7acda3a5385beb7331e72071a2db93c6bf8b772252d95c4f380409d

SHA512
e8bba7d06544606519141f9b28439546ad7497565451f218db65bf9ec8c759d1df5a1da9c36a0114479e0db46adf2b05c29dca0a0cd59623ebceee725f8debc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48bb6a3dd880eb8f324b83b2429dc7d1

SHA1
5f67883f05095e26de42ddf54ca3a4037b6f911a

SHA256
d38176e6c453d7bad04a044f581dfe7a1bb16f1395fce768154061f9dd17603b

SHA512
09eae06137291c40866206429ccd47e5388e38a6c3d7da717a2c6f81c0c3075f88b8db88c46f1dd8473ac80e79151fa76085d69548f719b5811b745985301cfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc912f997db3abc7db077907051361af

SHA1
4dca8f52ac71c5526701a942430f705d46240cac

SHA256
d2b76e7fcfa40f9a8da8158c08d1b42a5a68397ce2b2cf49115cd75b88e767a2

SHA512
ec2ab05173497c9cc6375b773545c195ea4319cc6115dc01b653fd40cd02d813ddaa80b2f90d03807b5fb0b60a31ceaa098b7c55623f9dcad7f6183b4308ef7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5FFD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
221B

MD5
368daf71a75a3f8b015ba56838d6957a

SHA1
962c681eea8612d71f6dc5638ec126d187c80a83

SHA256
97155b427132713dd8edc008ef727954a2039edd615d21b7ffdf22925e69d715

SHA512
29edb081be7e760af478378e11c6d51a2d375bd01fd9a92a28bd3ca9f0373149b9e1088bd55b9e72a17898f22de859886c0d8a834e2b21b482e5ad90b9bf0273

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
221B

MD5
720adf5bbe502ba60b1f65788ce32049

SHA1
134e03fbe34e85b2354524f0adc4d748e62f27b2

SHA256
ea9da4a54d2ffb548163ad2328742ee307646d474d89beec92faaefb9ee0aa8c

SHA512
ceb56f307a2c1c6e71d789b540f991e723e24c79fef587011ad133dd81a7fcd476a7e02344a1e3ec252dde95b7651dc6056a65de0c9e7e8bd82af301016f54be

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat

Filesize
221B

MD5
0b16d9ab8ceffa014715fda6b307b42a

SHA1
0c3b95f4b0fcb3d0ed1539a7445abf566bda5c10

SHA256
250a27fc6f4b5a90a1b1feed62f57bd7b0453036f153dc7b8e5bc21309c33357

SHA512
ef13dd5a31423e66cc3a0e1d3ea01e5b0880278e313cc7288812e54ad2634e1be6b5be291c5a057b202a8d55d1121c544ce0c453041357bfa559bb408a74f89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar601F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat

Filesize
221B

MD5
b162277ba7ddc4ef12f69b0d1b7f0a33

SHA1
4e1a66e265ce53fc189fd520559d2c3458c53679

SHA256
48ca6ad9ad98a086bd27e5b9a1b22903ca3831641c0ed39a69ba4c277d765fb1

SHA512
1eb3a277752dfe49731bb1d7c527b0b9fc1ed5374f94b5af44c818238a6a22af754872e35d4af3bdd4440941eb37d17adba8a02878fa611b0061498b8daeeb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat

Filesize
221B

MD5
a9b0a44e1dd73ce636a55cbe2a8524fc

SHA1
82fc525165206cc7214827ea44c2f95926f146c6

SHA256
24b53426af97c5806760f63d70a475c26d0d9364c2dd78406a22ab2d9cc513ce

SHA512
49e18d956471f3966fbb797885b4eb21161d107556ba0dc1ed7bbf6e9b0ca133cd69ec17ac32920c843b78504b7ba3141ce5d6a0eccbec64e0e8a27f53ef67a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
221B

MD5
5f800fb56a31c78cee86017d4040dd17

SHA1
6016464451e51034b98b8cb5cab9c87eeebb23c7

SHA256
3ccfa6a5b3ab3025050f3f0a7d660c84c01187b5cac06ea34c71894e1d156975

SHA512
ebea511bdc6afe1296252859b69330cbaea453dc232fa5ef7749310ee028833f0e8d71efa8b981349a190c30853e09a9ec13f5014d86fe7ed0b5c811c923a33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

Filesize
221B

MD5
7b435147bf95eff3513c685cfdcb64da

SHA1
cfbe76ad2c5c532b2b40f77d827bf22d162f01d0

SHA256
bd88c80a02b56b7e950f4255059c894bd22362401fc5672f54460973c23a9bb7

SHA512
87ef403a0fa324f48a1f5be861eb385c4d0760e27ca7a366af7a2d688a38891e4d41a052931e7c63f5b604a373b1f7db99efe1f5aa2ccc41baf149a70754242d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAtmbO7y8o.bat

Filesize
221B

MD5
ea428e0b37ba8a3b8aef3027bf5d571f

SHA1
234b99735d43be9a37323de22077da55fe94d6fc

SHA256
a2fcf0c1a15a9e40a1d8904151fca0703ffb402fbbf9141968a34b82b43ca743

SHA512
469869cc75dd02e6b442726ff0399518cc328168e6133980bdeefe88841001d7470f5930b031dc5de4e3ee8a42eb58d9533ea021be4247b8d11387dbaaaec02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

Filesize
221B

MD5
a02c9a8e2568003c0bd7fec7be0f6067

SHA1
d56c93b75fde5b189b780c110dfb85b0c24b4b06

SHA256
7c4db3d55865c28227f4729dfaf8cca3e835f33deb8c40b21932c485f5211375

SHA512
fb3e7800c9e83473498a17ad036b67ab0cba9a3039f5f76332d2b41871024b02f18a2d0f193fe1f1973330086401df07c79e9a91323f9f7af3480272d02a9a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
221B

MD5
70fb69591f624a43c423080e05aac948

SHA1
a1a5ac20afbf41601f9ca9ee7abf6896c72cf5ba

SHA256
3fd6d975c0a48398baf509aedb41ee5410d332fd7aaf8fcfd89c2e1c2122e119

SHA512
3e1b5f442d07d562d90ea43f40cb40016b697e5af43b1b3fbc8d1f05c6e9172e84029beda36b18dca73eeab5ccdb87c090ab038e7a453569da2a021b87a495a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b461452f289a1498ebf0e19f6914e837

SHA1
96c26f296ec79e74f2784fcd589947507795cedf

SHA256
0ce673fdbb81835ab051fe398679d1221c542a625f27da190823153b7fb7a874

SHA512
74abc7fe63b8133d79402d4144682676fc30a62ef683002f04963d4c2c6371876edabdef452ab2a059f4bf39c3c518ab7952fd29698787a1fea818b5dfaebe6f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/912-279-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/1980-340-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1980-339-0x0000000000BA0000-0x0000000000CB0000-memory.dmp

Filesize
1.1MB

Download
memory/2120-519-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2316-638-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2616-400-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-13-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2676-14-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2676-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2676-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2676-15-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2712-161-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2844-65-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2844-71-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download