dcrat | d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47.exe
Size

1.3MB
MD5

f0a203f685cfee3f037f12f0741e6bb6
SHA1

87ac7a29ace52aae54b85120578df73d0557bba8
SHA256

d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47
SHA512

d3fb1273a28dc5e232cb01333ed2015e4d7787816aaec6a3bc7ee5089cd9bc225b694e6287e9c36488d9802310cfb6a31dbbacb2d644a01022fa15ea7156225e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2760	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0e-9.dat	dcrat
behavioral1/memory/2248-13-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/1816-164-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2836-224-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2800-345-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/2664-465-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/1920-525-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/2880-585-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/1536-704-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2652	powershell.exe
2840	powershell.exe
2776	powershell.exe
2744	powershell.exe
3056	powershell.exe
2756	powershell.exe
3004	powershell.exe
1116	powershell.exe
2664	powershell.exe
2512	powershell.exe
2788	powershell.exe
2672	powershell.exe
2692	powershell.exe
2800	powershell.exe
2856	powershell.exe
2244	powershell.exe
1936	powershell.exe
2808	powershell.exe
2872	powershell.exe
1932	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2248	DllCommonsvc.exe
1816	explorer.exe
2836	explorer.exe
484	explorer.exe
2800	explorer.exe
568	explorer.exe
2664	explorer.exe
1920	explorer.exe
2880	explorer.exe
1560	explorer.exe
1536	explorer.exe
2908	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	cmd.exe
2924	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
36	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\en-US\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Windows\tracing\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\audiodg.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
896	schtasks.exe
2804	schtasks.exe
2100	schtasks.exe
2812	schtasks.exe
2880	schtasks.exe
2444	schtasks.exe
3048	schtasks.exe
1564	schtasks.exe
1788	schtasks.exe
1588	schtasks.exe
2472	schtasks.exe
1408	schtasks.exe
2432	schtasks.exe
2308	schtasks.exe
2908	schtasks.exe
2372	schtasks.exe
3036	schtasks.exe
1464	schtasks.exe
2680	schtasks.exe
2108	schtasks.exe
1216	schtasks.exe
568	schtasks.exe
2892	schtasks.exe
2596	schtasks.exe
576	schtasks.exe
1952	schtasks.exe
1096	schtasks.exe
600	schtasks.exe
1476	schtasks.exe
1532	schtasks.exe
2016	schtasks.exe
2336	schtasks.exe
1664	schtasks.exe
2972	schtasks.exe
2068	schtasks.exe
2268	schtasks.exe
2052	schtasks.exe
2092	schtasks.exe
1632	schtasks.exe
2264	schtasks.exe
2664	schtasks.exe
468	schtasks.exe
912	schtasks.exe
2364	schtasks.exe
2280	schtasks.exe
1808	schtasks.exe
2156	schtasks.exe
1644	schtasks.exe
1904	schtasks.exe
2040	schtasks.exe
1928	schtasks.exe
1676	schtasks.exe
2868	schtasks.exe
2992	schtasks.exe
2084	schtasks.exe
1444	schtasks.exe
264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2248	DllCommonsvc.exe
2248	DllCommonsvc.exe
2248	DllCommonsvc.exe
2248	DllCommonsvc.exe
2248	DllCommonsvc.exe
2248	DllCommonsvc.exe
2248	DllCommonsvc.exe
2872	powershell.exe
2856	powershell.exe
2788	powershell.exe
1116	powershell.exe
2664	powershell.exe
2744	powershell.exe
1936	powershell.exe
2840	powershell.exe
2808	powershell.exe
3056	powershell.exe
2652	powershell.exe
3004	powershell.exe
1932	powershell.exe
2692	powershell.exe
2512	powershell.exe
2244	powershell.exe
2800	powershell.exe
2776	powershell.exe
2672	powershell.exe
2756	powershell.exe
1816	explorer.exe
2836	explorer.exe
484	explorer.exe
2800	explorer.exe
568	explorer.exe
2664	explorer.exe
1920	explorer.exe
2880	explorer.exe
1560	explorer.exe
1536	explorer.exe
2908	explorer.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	DllCommonsvc.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1816	explorer.exe
Token: SeDebugPrivilege	2836	explorer.exe
Token: SeDebugPrivilege	484	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	568	explorer.exe
Token: SeDebugPrivilege	2664	explorer.exe
Token: SeDebugPrivilege	1920	explorer.exe
Token: SeDebugPrivilege	2880	explorer.exe
Token: SeDebugPrivilege	1560	explorer.exe
Token: SeDebugPrivilege	1536	explorer.exe
Token: SeDebugPrivilege	2908	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1652	1792	JaffaCakes118_d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47.exe	30
PID 1792 wrote to memory of 1652	1792	JaffaCakes118_d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47.exe	30
PID 1792 wrote to memory of 1652	1792	JaffaCakes118_d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47.exe	30
PID 1792 wrote to memory of 1652	1792	JaffaCakes118_d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47.exe	30
PID 1652 wrote to memory of 2924	1652	WScript.exe	31
PID 1652 wrote to memory of 2924	1652	WScript.exe	31
PID 1652 wrote to memory of 2924	1652	WScript.exe	31
PID 1652 wrote to memory of 2924	1652	WScript.exe	31
PID 2924 wrote to memory of 2248	2924	cmd.exe	33
PID 2924 wrote to memory of 2248	2924	cmd.exe	33
PID 2924 wrote to memory of 2248	2924	cmd.exe	33
PID 2924 wrote to memory of 2248	2924	cmd.exe	33
PID 2248 wrote to memory of 2512	2248	DllCommonsvc.exe	92
PID 2248 wrote to memory of 2512	2248	DllCommonsvc.exe	92
PID 2248 wrote to memory of 2512	2248	DllCommonsvc.exe	92
PID 2248 wrote to memory of 2744	2248	DllCommonsvc.exe	93
PID 2248 wrote to memory of 2744	2248	DllCommonsvc.exe	93
PID 2248 wrote to memory of 2744	2248	DllCommonsvc.exe	93
PID 2248 wrote to memory of 2856	2248	DllCommonsvc.exe	94
PID 2248 wrote to memory of 2856	2248	DllCommonsvc.exe	94
PID 2248 wrote to memory of 2856	2248	DllCommonsvc.exe	94
PID 2248 wrote to memory of 2872	2248	DllCommonsvc.exe	95
PID 2248 wrote to memory of 2872	2248	DllCommonsvc.exe	95
PID 2248 wrote to memory of 2872	2248	DllCommonsvc.exe	95
PID 2248 wrote to memory of 2244	2248	DllCommonsvc.exe	96
PID 2248 wrote to memory of 2244	2248	DllCommonsvc.exe	96
PID 2248 wrote to memory of 2244	2248	DllCommonsvc.exe	96
PID 2248 wrote to memory of 2788	2248	DllCommonsvc.exe	97
PID 2248 wrote to memory of 2788	2248	DllCommonsvc.exe	97
PID 2248 wrote to memory of 2788	2248	DllCommonsvc.exe	97
PID 2248 wrote to memory of 2672	2248	DllCommonsvc.exe	98
PID 2248 wrote to memory of 2672	2248	DllCommonsvc.exe	98
PID 2248 wrote to memory of 2672	2248	DllCommonsvc.exe	98
PID 2248 wrote to memory of 3056	2248	DllCommonsvc.exe	99
PID 2248 wrote to memory of 3056	2248	DllCommonsvc.exe	99
PID 2248 wrote to memory of 3056	2248	DllCommonsvc.exe	99
PID 2248 wrote to memory of 2776	2248	DllCommonsvc.exe	100
PID 2248 wrote to memory of 2776	2248	DllCommonsvc.exe	100
PID 2248 wrote to memory of 2776	2248	DllCommonsvc.exe	100
PID 2248 wrote to memory of 2808	2248	DllCommonsvc.exe	101
PID 2248 wrote to memory of 2808	2248	DllCommonsvc.exe	101
PID 2248 wrote to memory of 2808	2248	DllCommonsvc.exe	101
PID 2248 wrote to memory of 2692	2248	DllCommonsvc.exe	102
PID 2248 wrote to memory of 2692	2248	DllCommonsvc.exe	102
PID 2248 wrote to memory of 2692	2248	DllCommonsvc.exe	102
PID 2248 wrote to memory of 2652	2248	DllCommonsvc.exe	103
PID 2248 wrote to memory of 2652	2248	DllCommonsvc.exe	103
PID 2248 wrote to memory of 2652	2248	DllCommonsvc.exe	103
PID 2248 wrote to memory of 2756	2248	DllCommonsvc.exe	104
PID 2248 wrote to memory of 2756	2248	DllCommonsvc.exe	104
PID 2248 wrote to memory of 2756	2248	DllCommonsvc.exe	104
PID 2248 wrote to memory of 2840	2248	DllCommonsvc.exe	105
PID 2248 wrote to memory of 2840	2248	DllCommonsvc.exe	105
PID 2248 wrote to memory of 2840	2248	DllCommonsvc.exe	105
PID 2248 wrote to memory of 1932	2248	DllCommonsvc.exe	106
PID 2248 wrote to memory of 1932	2248	DllCommonsvc.exe	106
PID 2248 wrote to memory of 1932	2248	DllCommonsvc.exe	106
PID 2248 wrote to memory of 1936	2248	DllCommonsvc.exe	107
PID 2248 wrote to memory of 1936	2248	DllCommonsvc.exe	107
PID 2248 wrote to memory of 1936	2248	DllCommonsvc.exe	107
PID 2248 wrote to memory of 3004	2248	DllCommonsvc.exe	108
PID 2248 wrote to memory of 3004	2248	DllCommonsvc.exe	108
PID 2248 wrote to memory of 3004	2248	DllCommonsvc.exe	108
PID 2248 wrote to memory of 1116	2248	DllCommonsvc.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d1af484960a840d5a065088b4ae9f58685c63579e25d10d15f7e03b0a4df0b47.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J8q6ywaLQJ.bat"
        5⤵
        
        PID:300
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2560
      - C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
        7⤵
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2148
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        9⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2948
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        11⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2528
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
        13⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2164
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
        15⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2388
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
        17⤵
        
        PID:1412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:620
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat"
        19⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:584
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
        21⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2156
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
        23⤵
        
        PID:1144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2676
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
        25⤵
        
        PID:1832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2500
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\tracing\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79948b5aeae89406d21b38af7af61bb6

SHA1
f5a8ca82486112c183b0039409a7da94100d8be4

SHA256
5bc04bcf81da8c5b9e6b89202fc45e9132e4dc462260151b69a79f120a7fec32

SHA512
8b50be33a1a9163c1ba8a2ad4df8a01e00253c5392ff01401358c0cbafdf6ede00726c8c467f18b3909a2ce14242228a8cc23220baca7604aca3e415b7204b40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a214b6c73a30c9c589fc07356ffd1fbe

SHA1
013dcc958d32c5e929e6dcc142adb31dd8ff4787

SHA256
3be9f3a306dc269f17d05efc507309732eaa378f51e55eef5d371a84f953642b

SHA512
52c0a9e3f7dd79641f522eb9079352982d7025832df1d32774643db4be81d52f8c408ca0ee681d6e46cb48ab1a82c15a97f794a1bdce1cf62fc4239627c6555a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51199b306f6d2fd0d814fe339ab02925

SHA1
272956bbe017b119f9c42740308ce6d70330e33e

SHA256
da7352052e901db92237736749346a8261922c3a781e30d77bfcc7c247e0c754

SHA512
eb264c05a6ba3146834ec573dab4bdbd8d6a4f875061e5f4ab16335c4f9f9363517f18242b19901608be9876689bf759dec9772badf66208c2b088edd6c22137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc3eee0dc838ad4cf3df58e78c292780

SHA1
b5b87e1f3f2dcad2985de28c1c0fd63f7f97ba3b

SHA256
14a01f21eb878c7ec67a86b9ac6f831036a5f118113595cc5a99b9df4258f0c8

SHA512
4a5a8b3f5e109ab83e96930d3380e152739d203accc2a4d19d95e030c9d9735688582b3cc01921270443b94e074c5e48fcb62e9d2b85688dca1b0d48af95fbb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cf87f9330b8335ca9ee548df04619c5

SHA1
f1208d583da086047d6f731b22fddb6e946ddc08

SHA256
a63673ad6068cae591782e550205eeb3d261866821bcd8833c25272a5146e340

SHA512
bc91d0a516c48409a753682b0cc3e56b788ae17a57499ab59de03992504d09d2b2ccce80e243779b7de426bf2d31d24bc8eaaf611d6b5c93acb92d52b1e6d4cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbb5cc89687e4e0d327e4609443cdcc1

SHA1
199f266aa4218f14cf0d85fb37c7989347f2fc58

SHA256
f13418481a1d583ad96a9f54dec80e009a21b76e63dcc773d4849f364439add3

SHA512
d7fe7121c754bbbe1b365f9b0800740fcf6abde79b1e8725a91d2bdfcde805d8c161df6f3e88889415147157ed42fa3d2b7ea3dd3c32fb2d95dc920286de4235

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5912072edd696fdc0fa29d8fda6c84bc

SHA1
4aa2e23e7d79602eb0ae94a31a4ed08128057b0b

SHA256
0f6afeff79653e92414c84a97e01e96c58a157e90383cf5d160feb1efe592e64

SHA512
c794f7bead3a3dbc5f9554090587dc9c209efadbcc5f5f51c46136683f232009020df032d0df40bea7fa8c853e905bbae56cd304f9c8c7c6d5ae5fcb60390862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e041b9bc84b5df90c0db12844c4e4b48

SHA1
34eb206201a8f8fea6ad235d33586fd22bdad547

SHA256
1b71025cbf54bd55b9c674fd41d80ded8da8abaa1fd48392956e2fb525de863c

SHA512
d4ac786bb08521e35b29404bbb59bf0e7a42cce668657d39021736b78e9bbd46e4d8ff809005ccd1f160a67e3fb7a0869f5fde9a77e1eb5bc4350d7205572ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c91b5c74c2d8b07e696e55059187954

SHA1
72893780c5da4ae5f3423456bbfe97b270b3ea3f

SHA256
7e7171080ab93ec0130f35b7a30b2027472dc3427742c6b491eee82f0e69f166

SHA512
7ed18fa5214b5f725786cd4cc2474d581f3ba94f84381ebe358f79ea3099883679c0d556b485ce6ecd93855c1855382363bab983d2466e03645c3783e8df30fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

Filesize
195B

MD5
0a694f09210e654de3d5e45d80ad08ad

SHA1
1f1810777db34fa44f8d060dfc6c851ab9cfe5ce

SHA256
6c3f93b51eabc3189adad228b98d63f1e6584e4bf5d05b72008e18358fe43fc9

SHA512
4cf061e8330990c84b58ff1072aa5fa34e63ef00038ca045cd227fa1d5a50676ff437c4c7ff89d1722b25eb9568a909fc598ef683972cbfd476c4961d8709485

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCDCC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J8q6ywaLQJ.bat

Filesize
195B

MD5
b5d0a15c66b54ddf1d3c459f3a3d7ab3

SHA1
5d0b0ece370c1d0595f0d509890c0bc61714959a

SHA256
f2957ea9bcb687cadd76ebce4f9f697c2780548ed4c2cc3bce06c4d7e02e7721

SHA512
ff8291bff10a1bc348be96264d9f891d65e1f08007893f1b6a1c3e68c52428e45bb29ca2799a93669fd760610a1b1e078706899c9a3f4b94c20faff027190111

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCDEE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\etpQuxQFPn.bat

Filesize
195B

MD5
2e97bd662beb8f14d6443916efbeb9c7

SHA1
7bc8bbfc93110a505f61b47851ecaae12b094d52

SHA256
674dbbc064318dbaf2a1ba4781c91a4e80ee17397f6dca0bbb0b05564c58adc7

SHA512
1cfa5009b83447cf1db707a51de2d36703de6f91cc78f95df833deb5b13247e397139ba219c9f31187eb4c44f2345ca135f389c2c822377255f6c81eeb42489e

Download Submit
C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat

Filesize
195B

MD5
e438da10ec899b4cb8ffc2db0d88e267

SHA1
b493c299b13155cab74b826db6e24f11b4a237e0

SHA256
8d519009bf72e9d322caf00b2d49c3b602b465f5161c0177f0f5c9cc7649874c

SHA512
4eb453fb1b22f56fa1b8b6c1cff81620d6b40d63582c954dc4831ebd00932ea66b98bd42c07ee3dd7de334ec7899bd2996701136a82716c7c9e3f30b18bd92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
195B

MD5
e630595cd874e63ff6e5f723037f0acc

SHA1
279cb252e0280804f6dd7f5fbc1e6dfeb140bc5b

SHA256
0b952c9b6fcaa593d3029dad8888dbe207a0b77343ece0442116c8a93b490560

SHA512
a6c03afb98b4ee4e50040fd9c6dda2f660e151cd610a4b39bb14c3286adece1757a7dd6daf8690c4660bf410e9a8294b23b6f9b4aaf1056ad9a7f045c75ecd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat

Filesize
195B

MD5
ee8cc788a60790dacc106c794ec3e2da

SHA1
43e71e645e9029f651832353bc483fa2f81561f0

SHA256
7ed00ae43b06146bfd5cb751d746ab54fd95c16cfa4c00976a59b64be288a7dd

SHA512
d40453ba4f3f26e810d5f8b51b7ee46a04bc25caf43433beb2baf591b9d53bdd6bd9fe956118544462eb121b77f30adb726a11b5d6dfc18897eeeedd712c9c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

Filesize
195B

MD5
ebba1271a7bdc9c5561f0aa34dc7078d

SHA1
52b62ffd9e4cb5930ed32fd5f44699a920ca0bf2

SHA256
1667dffcc73f9c02a606219b1153bdc2461952060cfa1388fb4db5d29b802b62

SHA512
35b96202fec5e764bdfaef88b0a101f7745ac6459335c11bfc3880d2555e8ae25e429a542fce47a6f562f5d125007ad40fbd63ad66eaa9d8da18a81e6b097838

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

Filesize
195B

MD5
26cb98b39719908b2f3514c51bde1120

SHA1
eda00917c7f37cae06724d7d22aa04ccf13f3a70

SHA256
cdcfddae948ab1054323563bd64d9da9130b00ae33c4913347d6b0618a0fd9b6

SHA512
69894498804e80c3e0f08fa1f448410ab9194a404df822fbf3f09b7a210254d11660c60bd82519d94566fd21255843e9d06ccf82fe5c1fdd6125605b0767adcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

Filesize
195B

MD5
9bfb083e7a6fe5503f6699e0379c4642

SHA1
b7d4eb6294c3870667ebea2d1031ead663c15b61

SHA256
7829ef9c0afae3073fa67d11539a7007e0e41f50aaf3d6e6c37196bc070d0717

SHA512
237ce2d4d07fa3f7581dc682d1973bc3130180878df7d86f88532622fc34ac63fccc8ecafaed61ebb1789357057102993fb8a8ba1fadb1bb9b99fd24c5845ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat

Filesize
195B

MD5
b3bd97c323f9b395b1268abd58d81458

SHA1
3fb7d903f89ab02cb9da9d25420edde2060152bb

SHA256
b568daf81a11eb8c87b838362da449a115cb34d8fa755b6f3c40573ec68c9f19

SHA512
bf551b3b497d2a807772a1e4efc98abd7fc1a37c0e466ab86045749c6561d7f2c2b1291135b5742b2fb8041b2d62f379d285a0d6cc1fb91ad08803bffe69bad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

Filesize
195B

MD5
9970d0dcbd7e19d8b82a0a54120f5201

SHA1
5683d0f9f8fafc4e58bbddff0018cc92f5c56f94

SHA256
60419d4d85e4a4e7865c7dc3b3a634d1ac1a18cf58a3152d4921c81f62f59ff5

SHA512
63e11150576a97e75e1c1682a53d23afa8d08e5c5d371af49cfa284ca9eaf3ff78c0c161f09fdc2d120cddee35a487c6b0f8fec32a026761d7683ecd837fbf2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
59c486c8651d70ef287a6d283862cfbd

SHA1
4fa522fc502d2ee62a0e4945594195b12ef97e14

SHA256
b059f04b4897925c1a2c07403800e99f7686f632f90d070fa9bfc2825fb9156a

SHA512
94273f6aa01a74271663e0e6d92c3172ea0363552f69e1512b0f7adf3bc9745002054d0aa11a38f0cba0dfe595214b537c4c2262293b0817b81605a81f665d40

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/484-285-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1536-704-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1536-705-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1816-164-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/1816-165-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1920-525-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2248-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2248-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2248-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2248-13-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/2248-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2664-465-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2800-346-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/2800-345-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2836-225-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2836-224-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2872-70-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2872-69-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2880-585-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download