dcrat | e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a.exe
Size

1.3MB
MD5

3487d3970062c21803e2f796b5f50422
SHA1

54f6685c8dd10241ee5876d4a8b536fac3eed5c8
SHA256

e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a
SHA512

e7e503d94fbf463a801b53393515782e7f36a0a508a32cb8f9be217d1e8c1ae0edc8b46c09f8c8c4b6bb5737314ac1effc6be7dcc149ef20c69e9649f76bdf1f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2844	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019608-9.dat	dcrat
behavioral1/memory/2864-13-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/1952-82-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
behavioral1/memory/2804-223-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/2656-283-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/3004-343-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/3044-404-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/2556-523-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2064-642-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/768-702-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/1292-762-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2720	powershell.exe
2124	powershell.exe
2064	powershell.exe
1988	powershell.exe
2244	powershell.exe
2092	powershell.exe
2548	powershell.exe
2464	powershell.exe
1592	powershell.exe
1524	powershell.exe
2540	powershell.exe
656	powershell.exe
1352	powershell.exe
2752	powershell.exe
444	powershell.exe
1520	powershell.exe
2768	powershell.exe
3040	powershell.exe
2128	powershell.exe
2280	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2864	DllCommonsvc.exe
1952	lsass.exe
2804	lsass.exe
2656	lsass.exe
3004	lsass.exe
3044	lsass.exe
1704	lsass.exe
2556	lsass.exe
1956	lsass.exe
2064	lsass.exe
768	lsass.exe
1292	lsass.exe
1500	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	cmd.exe
2980	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\en-US\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\en-US\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..cywmdmapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7b2161174528342b\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2140	schtasks.exe
340	schtasks.exe
1868	schtasks.exe
2344	schtasks.exe
1748	schtasks.exe
2288	schtasks.exe
2932	schtasks.exe
532	schtasks.exe
2712	schtasks.exe
3012	schtasks.exe
1940	schtasks.exe
2108	schtasks.exe
2976	schtasks.exe
2144	schtasks.exe
1180	schtasks.exe
1064	schtasks.exe
2464	schtasks.exe
2544	schtasks.exe
576	schtasks.exe
1948	schtasks.exe
1972	schtasks.exe
2120	schtasks.exe
2372	schtasks.exe
1188	schtasks.exe
1612	schtasks.exe
3068	schtasks.exe
2704	schtasks.exe
3060	schtasks.exe
1744	schtasks.exe
1708	schtasks.exe
548	schtasks.exe
2248	schtasks.exe
1680	schtasks.exe
3048	schtasks.exe
2472	schtasks.exe
556	schtasks.exe
2060	schtasks.exe
2432	schtasks.exe
1968	schtasks.exe
2252	schtasks.exe
2764	schtasks.exe
1496	schtasks.exe
2408	schtasks.exe
2168	schtasks.exe
2148	schtasks.exe
2208	schtasks.exe
1072	schtasks.exe
872	schtasks.exe
2720	schtasks.exe
1408	schtasks.exe
2900	schtasks.exe
1672	schtasks.exe
2772	schtasks.exe
1292	schtasks.exe
1924	schtasks.exe
2888	schtasks.exe
2004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2064	powershell.exe
2124	powershell.exe
2244	powershell.exe
1520	powershell.exe
656	powershell.exe
3040	powershell.exe
1592	powershell.exe
2128	powershell.exe
1988	powershell.exe
2548	powershell.exe
2464	powershell.exe
1524	powershell.exe
2752	powershell.exe
1952	lsass.exe
2720	powershell.exe
2092	powershell.exe
2280	powershell.exe
1352	powershell.exe
2768	powershell.exe
2540	powershell.exe
444	powershell.exe
2804	lsass.exe
2656	lsass.exe
3004	lsass.exe
3044	lsass.exe
1704	lsass.exe
2556	lsass.exe
1956	lsass.exe
2064	lsass.exe
768	lsass.exe
1292	lsass.exe
1500	lsass.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	DllCommonsvc.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1952	lsass.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2804	lsass.exe
Token: SeDebugPrivilege	2656	lsass.exe
Token: SeDebugPrivilege	3004	lsass.exe
Token: SeDebugPrivilege	3044	lsass.exe
Token: SeDebugPrivilege	1704	lsass.exe
Token: SeDebugPrivilege	2556	lsass.exe
Token: SeDebugPrivilege	1956	lsass.exe
Token: SeDebugPrivilege	2064	lsass.exe
Token: SeDebugPrivilege	768	lsass.exe
Token: SeDebugPrivilege	1292	lsass.exe
Token: SeDebugPrivilege	1500	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2096	2004	JaffaCakes118_e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a.exe	30
PID 2004 wrote to memory of 2096	2004	JaffaCakes118_e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a.exe	30
PID 2004 wrote to memory of 2096	2004	JaffaCakes118_e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a.exe	30
PID 2004 wrote to memory of 2096	2004	JaffaCakes118_e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a.exe	30
PID 2096 wrote to memory of 2980	2096	WScript.exe	31
PID 2096 wrote to memory of 2980	2096	WScript.exe	31
PID 2096 wrote to memory of 2980	2096	WScript.exe	31
PID 2096 wrote to memory of 2980	2096	WScript.exe	31
PID 2980 wrote to memory of 2864	2980	cmd.exe	33
PID 2980 wrote to memory of 2864	2980	cmd.exe	33
PID 2980 wrote to memory of 2864	2980	cmd.exe	33
PID 2980 wrote to memory of 2864	2980	cmd.exe	33
PID 2864 wrote to memory of 2768	2864	DllCommonsvc.exe	93
PID 2864 wrote to memory of 2768	2864	DllCommonsvc.exe	93
PID 2864 wrote to memory of 2768	2864	DllCommonsvc.exe	93
PID 2864 wrote to memory of 2092	2864	DllCommonsvc.exe	94
PID 2864 wrote to memory of 2092	2864	DllCommonsvc.exe	94
PID 2864 wrote to memory of 2092	2864	DllCommonsvc.exe	94
PID 2864 wrote to memory of 1524	2864	DllCommonsvc.exe	96
PID 2864 wrote to memory of 1524	2864	DllCommonsvc.exe	96
PID 2864 wrote to memory of 1524	2864	DllCommonsvc.exe	96
PID 2864 wrote to memory of 2548	2864	DllCommonsvc.exe	98
PID 2864 wrote to memory of 2548	2864	DllCommonsvc.exe	98
PID 2864 wrote to memory of 2548	2864	DllCommonsvc.exe	98
PID 2864 wrote to memory of 1520	2864	DllCommonsvc.exe	100
PID 2864 wrote to memory of 1520	2864	DllCommonsvc.exe	100
PID 2864 wrote to memory of 1520	2864	DllCommonsvc.exe	100
PID 2864 wrote to memory of 2752	2864	DllCommonsvc.exe	102
PID 2864 wrote to memory of 2752	2864	DllCommonsvc.exe	102
PID 2864 wrote to memory of 2752	2864	DllCommonsvc.exe	102
PID 2864 wrote to memory of 2720	2864	DllCommonsvc.exe	103
PID 2864 wrote to memory of 2720	2864	DllCommonsvc.exe	103
PID 2864 wrote to memory of 2720	2864	DllCommonsvc.exe	103
PID 2864 wrote to memory of 2244	2864	DllCommonsvc.exe	106
PID 2864 wrote to memory of 2244	2864	DllCommonsvc.exe	106
PID 2864 wrote to memory of 2244	2864	DllCommonsvc.exe	106
PID 2864 wrote to memory of 1352	2864	DllCommonsvc.exe	107
PID 2864 wrote to memory of 1352	2864	DllCommonsvc.exe	107
PID 2864 wrote to memory of 1352	2864	DllCommonsvc.exe	107
PID 2864 wrote to memory of 1988	2864	DllCommonsvc.exe	108
PID 2864 wrote to memory of 1988	2864	DllCommonsvc.exe	108
PID 2864 wrote to memory of 1988	2864	DllCommonsvc.exe	108
PID 2864 wrote to memory of 2124	2864	DllCommonsvc.exe	109
PID 2864 wrote to memory of 2124	2864	DllCommonsvc.exe	109
PID 2864 wrote to memory of 2124	2864	DllCommonsvc.exe	109
PID 2864 wrote to memory of 2064	2864	DllCommonsvc.exe	110
PID 2864 wrote to memory of 2064	2864	DllCommonsvc.exe	110
PID 2864 wrote to memory of 2064	2864	DllCommonsvc.exe	110
PID 2864 wrote to memory of 444	2864	DllCommonsvc.exe	111
PID 2864 wrote to memory of 444	2864	DllCommonsvc.exe	111
PID 2864 wrote to memory of 444	2864	DllCommonsvc.exe	111
PID 2864 wrote to memory of 2464	2864	DllCommonsvc.exe	112
PID 2864 wrote to memory of 2464	2864	DllCommonsvc.exe	112
PID 2864 wrote to memory of 2464	2864	DllCommonsvc.exe	112
PID 2864 wrote to memory of 2280	2864	DllCommonsvc.exe	113
PID 2864 wrote to memory of 2280	2864	DllCommonsvc.exe	113
PID 2864 wrote to memory of 2280	2864	DllCommonsvc.exe	113
PID 2864 wrote to memory of 656	2864	DllCommonsvc.exe	114
PID 2864 wrote to memory of 656	2864	DllCommonsvc.exe	114
PID 2864 wrote to memory of 656	2864	DllCommonsvc.exe	114
PID 2864 wrote to memory of 2128	2864	DllCommonsvc.exe	116
PID 2864 wrote to memory of 2128	2864	DllCommonsvc.exe	116
PID 2864 wrote to memory of 2128	2864	DllCommonsvc.exe	116
PID 2864 wrote to memory of 3040	2864	DllCommonsvc.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e98f7df82939eb4e51630fedfab86f1f8ef700260b4f0fb3d7b50e64ade0425a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\en-US\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
        6⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2288
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        8⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2376
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat"
        10⤵
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2516
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat"
        12⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2228
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
        14⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2972
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
        16⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1972
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        18⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1512
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        20⤵
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1528
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
        22⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2732
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
        24⤵
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2004
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"
        26⤵
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2372
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\AppPatch\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\NetHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3d6717dad0ee0f86f1afe0a9db55092

SHA1
db99783a94b57fc72bd555d23a0df48aae38e88b

SHA256
8bbbcb78fa5fbb84d437abc8d745a5ea993165f42bfdfff6416d8e4eed87d509

SHA512
28adbf0e6b6569b4a88e4f8cb191258795a7f5900890bf1bcb6c75722b62ece62e5a4321333d6f5143c7d00ebb936d41dee41db958dc9a2605c8aa8550207c86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
049e9c7a3a0a2a25a2c7fe4a76421b02

SHA1
02a4641bf2639b86168a3544be847e1410eb39ac

SHA256
58cf93dfac68125bae6ad0261647a455ae101301692c97582b32a94ef5ecaa0a

SHA512
948f889fc5bdf3b38309e457d7b807ed913a47075910afe46a740b9ec37b930fb8f5bdea8a7eeb56ec325a644627888ac93a59848a475ace1e1efeabaf24fb08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4ae4debc92c7d7b7c511ec8d84f8ab0

SHA1
cc0815d81c1ffaaf6095016cea522dc5de040dff

SHA256
77728b23391b44aad738900d8c986eecda1dbd8e53dcc1e1face7bceaee093ba

SHA512
014f3c84b9767846aed31bbc3137d2012d43b567838dde15cd10919955518314bb6d9d706481d6fb81e71c60e4b6f731d7cac36aebe47e43541be9765f77752f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdddda35542e4d1a9fd6bb4e56059eea

SHA1
fe4865fb24e658877ceaa11c3fbe8c0b68da91ec

SHA256
a0422ea520a3ee64836ae6327daadbe945b14413e65c8ecfef72e90ffe5055e7

SHA512
5b7520af16329c281467272e89273d982b3d3f1ec4e1699f866e380810cdb2dbd48054276c6b95300e9e7b05fafca05581a51c10b8050340f56ecfcf23094330

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85c0af1b50a1552a60f1c927f24227cd

SHA1
cba6e928e84607039c2f7c552b9bddd0ce391f3b

SHA256
c4db42cd9fd4bab712bd7be2c09a7e529873af1573cd6e6373983e25c0302964

SHA512
0fc032e68cdb2d2ff7d4a317d57eaaffb1ca8a3e42efe8c8501910606198479decad19b53dbc72a973fabfe8f70cd4529fc3cb32244d340de56450c02ccf2df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db234ef5a4b8f7fbcb5f39f98aa5c34f

SHA1
c844034cf21a681b8c42cdc5e1c7a7dae8a3234d

SHA256
cf70be22dcf66b415bbcdca27e5f7895a5e131e45939b0f36cbad3a26a9c6813

SHA512
2d3381c996c7bf99533c67ddbb22d25731f1c40245cfb31fa445cb5b2788254eb782915e4b05e46dc6e36b256ce48ec76e211f23f63eb81b5a940bbbdc494925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ff0bb2a147843b2d33f69d0a9ab9be9

SHA1
6e7c25f245ab7a26fd1fbfe1bc3522afae644832

SHA256
7900ae738dd36948cb9c885e81471778f4d93c7f9ffb343c9d896a5612fd24d8

SHA512
04ec2d17fbb2e53c28e1585d559daeae6ba9ea7ff04d1753bb9ef268715785217ccac9d3a622483cb905a1b3e099c3999bda5aa8548d5823a539ea2c73873710

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ee3d959566b9c77f86c4fbf49b77cdf

SHA1
fd3661509b2045c0af2a0c9b3c2aca41907545b8

SHA256
158078827b019e2bc288399abeae92c281e55a8a3bc7dd36b2d702282ed9742a

SHA512
03832c399835f8cadaec348252933cc18d613d30bcd41c279cb14140d911128c35332f04b8c945658f09dcfb67e0223a4986132e88f9ce5018f096b164548c14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a33a5f6472c0f77af5441bc2e5794cf6

SHA1
0e0b317cb9062b007af8f939453be594506a4b29

SHA256
800003552313e180272d202e5b09da0b198fb7f622464d820a3fe815590b3f5e

SHA512
ac53df398a25ee098638eaa78795a4fc9b16029c3d5408214a95a1d6e904eb5f2bd382e5f2fd7c1ea1c49c69f0f570555981fe6da0335029016d94775777e17e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33b6e6ab7ed490cc22ea832f7d73498b

SHA1
3cd73a3d7d152e51b5ceee4d399cfb70d4581914

SHA256
67e241e3f7362999cdf7213256f869b9906e06d36bc18f2fac47c5ca75d7416a

SHA512
2bb4ac997073557b0afdfaeab52e33dc2d5ac1a7b4ee7fe93f1087a9238857e596526ab9151f000dc1faef481fc00e66fa7a1bb96ded3a6862e6fee57172d460

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

Filesize
237B

MD5
94eedf8a4cf0e10a22d60eb7afbccb64

SHA1
041a21451202cf359246ebd4fa3b0ab44f050217

SHA256
d5ef96961a79a73ddff558be3e3cb93b59f528828253c51bc85ced8c7ac2d503

SHA512
99fe2257b555e94a366fef5da37ce4b26bc65e75dbb3d6c061a659a8cb6ff443d041c93992f381f94c925342344c645d7763d347f38075a7113e5694d430bbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC5F0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat

Filesize
237B

MD5
cd12128674910c3f149fc24e6d87abe0

SHA1
4c9770e274ca6ffd0e470bb3f47d12028852507c

SHA256
411703c4dc662d9831be4c510b0b01096b613f318f921aec8dfcfff1be87a0aa

SHA512
3ffc783a89dda3b32e9fff268d7fa86b105509548415dae68c61999940f185024c5a7f57771d676e09fd5104a288dbd0bf0dd0be9c0b9c3b91a367f99d4bfe68

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat

Filesize
237B

MD5
64384d248e4355216d44b2bbd1429702

SHA1
f1bfe80c6780625f49c36fd413a9297550cff064

SHA256
3fd234303cdf57871e7e14a3e087dee209e3b815840aaef07e4ee41ce1ad5904

SHA512
475aba8460753d710a536cd03e380538ab5dadce1ca320246890e907d020c396f8110234fef2d240abbae72c9bb12bb4e8d6d7d78fe54a1c254e6dfffc219fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNnEytbzjv.bat

Filesize
237B

MD5
42bd7757e12e3a245aa9c29315a12cb5

SHA1
cfa05166579d3071ec8c26a192315c6622dd3aed

SHA256
2f2a19544059d2e78eb695f71e232f392213e66096cc6d415f0584f33bfdcf0e

SHA512
5d830ab951b1f1599c472837a4febe1f1d89d85f54dbfb469981a4c8a92da54cdd788a295775de1006e5ddbb6161462ef0ba0342248b672f96959d52a711b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC631.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat

Filesize
237B

MD5
83251c81cc3eda99f0c6861af1d8365b

SHA1
5c0d4f5ab72a96bdccbba1404483b0c932e94fcb

SHA256
fe464a2fc7a41fffa8d002d06632db66be0ad0acf1338923a136f58839c471a1

SHA512
9ea99e83888981591187432a0b479213624b870d6eae12905971d1c5760cdc00673ec3151eb6b9aa32af0acb3c7eaa6e1a20a1741d13c37d0e8ed4670544c80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
237B

MD5
b0cba017f1a193d30e2c124e2b5dd738

SHA1
f05caf56195c10aa8e84fae91745d3a0a91817a3

SHA256
b87138f237ab4e8f308a11378e7419be72ec87e85ff9c3f1b0030fa35e527610

SHA512
1a72d8a2446efc3275efdb7232eaa5f46d56f64550d53a0e1fc50cc7c9dddfb36f8f3408acba32fe75d73e6febbab3299b267b4474274cd9990f1ffd7ad0d393

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
237B

MD5
6ee13dcdfdd9f338dc78282ad11b4e3b

SHA1
25fdfcf8545fdadf63d9fef537c2a75535997a9d

SHA256
33283ed2403e03e768a8813ac22e9f0a611fb0795ef244fe6759592c7aa9b713

SHA512
68387bcfd198aa987b1a51b1b4765425c235559d3531c54519382330fbb6d13a5cf718830d9397350fbd9985dc09c3ff12be830440a1351d572bd6531ea989d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
237B

MD5
79f044b791b49e2c4716c7bfd67e8bed

SHA1
7f443352444bb890ac802ca87d55c5dfdbcec03e

SHA256
d90b89eb86f62665d32e117c9e2cb22262f607f30bc8283a17aeea236c5ebee4

SHA512
370377fb9a38eee26608694247f4b0e4ede402b018d8c61a50a5477a2ee7adee30796f4641e396b7669a212365aaa1c1057b916e068e3e99d804578dd370b4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lg1oIatdTn.bat

Filesize
237B

MD5
2883e022ec6bc2724a717d86563c6200

SHA1
bdb5f1f55cf506ade244b605505900c7130497f2

SHA256
c6399e192a6ac7e52e14098103cdb0b9858ea6a12812c39cd16c0465d168028f

SHA512
8ff06cdb681d1fc18b07d53b69c95bc654718576a141fd2eaf2442983838274282952790d25b0fb7109643dd4de6787e0d9fff8e9f1bb78c394bb5f793c28d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

Filesize
237B

MD5
7d072768ab3901411e9ba91f2dcd4b2c

SHA1
9f47c4d5ab4802ab2ae53c580a5050f3b15e917d

SHA256
e2ff3f0a57e2d132b074f45073fed031e94ca7e0acc3e6211481c9167de463d8

SHA512
70402f8cab02be96f9ae7ff8a6534067be9fad8268f5f25b56dd0edf792b7df6133965cb75299c64b01df6c4575dae9c3f20e72b0e428a97d4c30bf01f95a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat

Filesize
237B

MD5
458587fbcab0f98522e2913ff79fa0dd

SHA1
b1ce404ad25d2c794e52bc6901562503e49bc28f

SHA256
df5021739273f7947ed8f80062f42175ffb8af41b5622dafb51ac9754eca4282

SHA512
df507b87431623ddc947ed7b71d6bbeaae20b518723e3193f5a0bdf45f43a2cbafac57fd413332ae4d147523339b0f6f02aa96c417d5e3ac57c9f12abed2f062

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e438fa11f73f99d28817e2f92c3acd81

SHA1
e3406d09c21a1a4f92cd1135c871a71d91bd2c16

SHA256
d1ec5f109498d7b40c3c48b25a444d6d831ec3a73c72b0d7aeb6813c3d22e533

SHA512
b7c0b9198fcafb5bd5975f2e96930a464e897f413373c2443a41618e130ece13d9f9b63a32a936efdb4e84878f0e8d680b6516e6e13d6c4b9c4294c3c7650a78

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/768-702-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/1292-762-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/1952-82-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download
memory/2064-642-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2064-84-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2124-80-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2556-523-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/2656-283-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2804-223-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/2864-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2864-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2864-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2864-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2864-13-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/3004-344-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/3004-343-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/3044-404-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download