dcrat | 5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e.exe
Size

1.3MB
MD5

5fea7c98422d6c014871e66d6ce023f4
SHA1

20651c78e1016c2745969a2cf616f225d864652f
SHA256

5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e
SHA512

956e91e189a91cd7f04a051f788a475acbad17d6396544869ecc53259a4fe0f4c2b2b7943330f6d56fbb4dff52a95debba476887dcb51230ac5c73e735dd1002
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2800	schtasks.exe	33

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019394-9.dat	dcrat
behavioral1/memory/2768-13-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/880-141-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/1664-415-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/2700-475-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/996-535-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2416	powershell.exe
2516	powershell.exe
568	powershell.exe
1868	powershell.exe
2300	powershell.exe
1216	powershell.exe
2316	powershell.exe
2016	powershell.exe
2280	powershell.exe
320	powershell.exe
2404	powershell.exe
1564	powershell.exe
2320	powershell.exe
1468	powershell.exe
2028	powershell.exe
996	powershell.exe
1624	powershell.exe
1720	powershell.exe
2924	powershell.exe
1748	powershell.exe
1712	powershell.exe
612	powershell.exe
960	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2768	DllCommonsvc.exe
2120	DllCommonsvc.exe
880	Idle.exe
2396	Idle.exe
692	Idle.exe
1720	Idle.exe
1664	Idle.exe
2700	Idle.exe
996	Idle.exe
1764	Idle.exe
2168	Idle.exe
2664	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2940	cmd.exe
2940	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
25	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\ja-JP\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Fonts\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Boot\Fonts\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Rules\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Afternoon\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Speech\Engines\Lexicon\de-DE\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PLA\Rules\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Rules\fr-FR\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\Media\Afternoon\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1764	schtasks.exe
2520	schtasks.exe
820	schtasks.exe
1212	schtasks.exe
2364	schtasks.exe
1628	schtasks.exe
948	schtasks.exe
2812	schtasks.exe
2736	schtasks.exe
1640	schtasks.exe
2388	schtasks.exe
2744	schtasks.exe
2628	schtasks.exe
2276	schtasks.exe
2108	schtasks.exe
1372	schtasks.exe
2544	schtasks.exe
1692	schtasks.exe
692	schtasks.exe
2752	schtasks.exe
3004	schtasks.exe
2400	schtasks.exe
1808	schtasks.exe
2172	schtasks.exe
3064	schtasks.exe
2528	schtasks.exe
936	schtasks.exe
2352	schtasks.exe
2680	schtasks.exe
2204	schtasks.exe
1280	schtasks.exe
1260	schtasks.exe
2664	schtasks.exe
2156	schtasks.exe
280	schtasks.exe
1584	schtasks.exe
2452	schtasks.exe
1076	schtasks.exe
280	schtasks.exe
2248	schtasks.exe
1308	schtasks.exe
1872	schtasks.exe
2068	schtasks.exe
2628	schtasks.exe
2876	schtasks.exe
2100	schtasks.exe
584	schtasks.exe
2984	schtasks.exe
2460	schtasks.exe
1008	schtasks.exe
1780	schtasks.exe
316	schtasks.exe
2200	schtasks.exe
2036	schtasks.exe
2948	schtasks.exe
1784	schtasks.exe
2636	schtasks.exe
2448	schtasks.exe
1732	schtasks.exe
1356	schtasks.exe
1872	schtasks.exe
2192	schtasks.exe
2896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
320	powershell.exe
2516	powershell.exe
1712	powershell.exe
2280	powershell.exe
2028	powershell.exe
2320	powershell.exe
1468	powershell.exe
996	powershell.exe
568	powershell.exe
2404	powershell.exe
2016	powershell.exe
1748	powershell.exe
612	powershell.exe
960	powershell.exe
2120	DllCommonsvc.exe
2120	DllCommonsvc.exe
2120	DllCommonsvc.exe
2924	powershell.exe
2316	powershell.exe
1624	powershell.exe
1868	powershell.exe
2416	powershell.exe
2300	powershell.exe
1564	powershell.exe
880	Idle.exe
1720	powershell.exe
1216	powershell.exe
2396	Idle.exe
692	Idle.exe
1720	Idle.exe
1664	Idle.exe
2700	Idle.exe
996	Idle.exe
1764	Idle.exe
2168	Idle.exe
2664	Idle.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	DllCommonsvc.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	2120	DllCommonsvc.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	880	Idle.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2396	Idle.exe
Token: SeDebugPrivilege	692	Idle.exe
Token: SeDebugPrivilege	1720	Idle.exe
Token: SeDebugPrivilege	1664	Idle.exe
Token: SeDebugPrivilege	2700	Idle.exe
Token: SeDebugPrivilege	996	Idle.exe
Token: SeDebugPrivilege	1764	Idle.exe
Token: SeDebugPrivilege	2168	Idle.exe
Token: SeDebugPrivilege	2664	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2228	1996	JaffaCakes118_5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e.exe	29
PID 1996 wrote to memory of 2228	1996	JaffaCakes118_5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e.exe	29
PID 1996 wrote to memory of 2228	1996	JaffaCakes118_5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e.exe	29
PID 1996 wrote to memory of 2228	1996	JaffaCakes118_5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e.exe	29
PID 2228 wrote to memory of 2940	2228	WScript.exe	30
PID 2228 wrote to memory of 2940	2228	WScript.exe	30
PID 2228 wrote to memory of 2940	2228	WScript.exe	30
PID 2228 wrote to memory of 2940	2228	WScript.exe	30
PID 2940 wrote to memory of 2768	2940	cmd.exe	32
PID 2940 wrote to memory of 2768	2940	cmd.exe	32
PID 2940 wrote to memory of 2768	2940	cmd.exe	32
PID 2940 wrote to memory of 2768	2940	cmd.exe	32
PID 2768 wrote to memory of 1748	2768	DllCommonsvc.exe	73
PID 2768 wrote to memory of 1748	2768	DllCommonsvc.exe	73
PID 2768 wrote to memory of 1748	2768	DllCommonsvc.exe	73
PID 2768 wrote to memory of 1712	2768	DllCommonsvc.exe	74
PID 2768 wrote to memory of 1712	2768	DllCommonsvc.exe	74
PID 2768 wrote to memory of 1712	2768	DllCommonsvc.exe	74
PID 2768 wrote to memory of 960	2768	DllCommonsvc.exe	75
PID 2768 wrote to memory of 960	2768	DllCommonsvc.exe	75
PID 2768 wrote to memory of 960	2768	DllCommonsvc.exe	75
PID 2768 wrote to memory of 612	2768	DllCommonsvc.exe	77
PID 2768 wrote to memory of 612	2768	DllCommonsvc.exe	77
PID 2768 wrote to memory of 612	2768	DllCommonsvc.exe	77
PID 2768 wrote to memory of 2016	2768	DllCommonsvc.exe	79
PID 2768 wrote to memory of 2016	2768	DllCommonsvc.exe	79
PID 2768 wrote to memory of 2016	2768	DllCommonsvc.exe	79
PID 2768 wrote to memory of 2028	2768	DllCommonsvc.exe	80
PID 2768 wrote to memory of 2028	2768	DllCommonsvc.exe	80
PID 2768 wrote to memory of 2028	2768	DllCommonsvc.exe	80
PID 2768 wrote to memory of 2516	2768	DllCommonsvc.exe	82
PID 2768 wrote to memory of 2516	2768	DllCommonsvc.exe	82
PID 2768 wrote to memory of 2516	2768	DllCommonsvc.exe	82
PID 2768 wrote to memory of 2320	2768	DllCommonsvc.exe	84
PID 2768 wrote to memory of 2320	2768	DllCommonsvc.exe	84
PID 2768 wrote to memory of 2320	2768	DllCommonsvc.exe	84
PID 2768 wrote to memory of 1468	2768	DllCommonsvc.exe	85
PID 2768 wrote to memory of 1468	2768	DllCommonsvc.exe	85
PID 2768 wrote to memory of 1468	2768	DllCommonsvc.exe	85
PID 2768 wrote to memory of 2280	2768	DllCommonsvc.exe	86
PID 2768 wrote to memory of 2280	2768	DllCommonsvc.exe	86
PID 2768 wrote to memory of 2280	2768	DllCommonsvc.exe	86
PID 2768 wrote to memory of 320	2768	DllCommonsvc.exe	87
PID 2768 wrote to memory of 320	2768	DllCommonsvc.exe	87
PID 2768 wrote to memory of 320	2768	DllCommonsvc.exe	87
PID 2768 wrote to memory of 996	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 996	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 996	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 568	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 568	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 568	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2404	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2404	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2404	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 952	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 952	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 952	2768	DllCommonsvc.exe	101
PID 952 wrote to memory of 1380	952	cmd.exe	104
PID 952 wrote to memory of 1380	952	cmd.exe	104
PID 952 wrote to memory of 1380	952	cmd.exe	104
PID 952 wrote to memory of 2120	952	cmd.exe	105
PID 952 wrote to memory of 2120	952	cmd.exe	105
PID 952 wrote to memory of 2120	952	cmd.exe	105
PID 2120 wrote to memory of 1564	2120	DllCommonsvc.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d859e6e67e8fb880b72b5b99facb0686c0824a666bb148226c520136d35552e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf23IQruF2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1380
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Rules\fr-FR\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Afternoon\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\ja-JP\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
        8⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2480
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"
        10⤵
        
        PID:1300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:916
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        12⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:640
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
        14⤵
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2932
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat"
        16⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2016
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        18⤵
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1928
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        20⤵
        
        PID:584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2680
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"
        22⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2408
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        24⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1976
        
        C:\Users\Public\Desktop\Idle.exe
        
        "C:\Users\Public\Desktop\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Contacts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Rules\fr-FR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Afternoon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Afternoon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Afternoon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9480b2a19c23bde38e33d19825234fce

SHA1
6d60f0e46fdad5d10bc3964094797ca268c1e8af

SHA256
b9bbe44f3a29788d6f05ce37ee6c0d452cb5c62e5f9bbaba35167fb3403d1ebb

SHA512
5976fa474bf0aeeb6dee62ddf10c681440303f0a54b2c752701b7e8168846cde65b95d7c5b0ee465efe9cccc5988d71915a011507061f5b6306cee761053d924

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9536cb810d8307b813ae841ec6e31640

SHA1
65b47d0e3127e710f51273ca281206fb764434ad

SHA256
14a3ee567da35c403606e558ac662386e44cc7f09070416d8e0f0d4a0ccbf253

SHA512
8af5aeafdc66107e5d6efce5bc85af39a87fc5768752d827e16b0df798b01f01ddd74f7cf77f6816c2c3b66ebe1f09068386706d190364068da9179171859d67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
194b20d0a879bac7dbdc3a53cfe77896

SHA1
66633e10f56c96b26e4ca36e89cf690d587b11e6

SHA256
10865191193924076b3f2829e621095099ac70f18b1bd88c26b1ff4daf31bf6c

SHA512
54f84198f2b7572294f38d12b2db9b30d744cad9e69612f95733cbd66c38611701bf217f93cd3e3e762f0167489f095bc7b87a31d424ad3e0a21fce5ac5897e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acc799e038e3cbf1a0b25c93c7e32f62

SHA1
01ad98d5259224c6d9449a2eb9995cbb84b408e9

SHA256
19d2323a563f04ab58048f5e7b270d128bcabc484dcb9582340ce14481e876d1

SHA512
d0caa15b367d3bb698377ae32a6d986813f9218553b829203fe43f6fd706a1bde7bc437742ad5dde27713424bbd3af6d546b9cf6a0681d1fe974cfbd571ac126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aed2d2ce7fbda83a2e007eed28a1d202

SHA1
c8beba9e26e527f58ca896d9de0ad4dfc68172f8

SHA256
e97f45765b647263c8bf4489ca03f8cc35d9e8d0bcc49a4607608685c2a53544

SHA512
1d5296ae2af388c2845e3246a4c4f49ee562aef9056f4ff5d50f96fe8de18bd6340132c59f75a9b73551451474272dadb9ed1011e6e7a0185dc8cf1065e4d985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f349a9ac55ff7530f03ca7268b10e9fb

SHA1
4e2bb72a2b9408778c8fedc2e4a95247536612e6

SHA256
7cbc66d5a9fdacecffbbd4ef920e1b581a0b0650884cba4b7f06bee8703138aa

SHA512
a9f71f158ca9517d8c3741f8b799f958de4bcc7265900905969cd53cfdbc26823be002abde90ed216f6d580909411b2dbd60d7d45a2ba06e7c723ecdd543101f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54eab8846c94eb3070b942c3e75cd2ac

SHA1
e23c9a6cb2a1fb8b4114c605ab7cfeee6336e949

SHA256
c2f993f952cd8557dd99a276298b8c02aad4e88457a76a515f8a55eefd9162d4

SHA512
d70b68ae097bc9891c8ca09fcea60c5cc6177f20bb090c71dd3afc8a6cc11dbbe9e708c06dc86a7a346de6a2594547f0897d5ce5e7c1cf8c4d9829e7f00d1529

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31bd95ff618766052004e3175fb87fab

SHA1
7ac1c847275a2e273a8fa55f78044df266a106f6

SHA256
e954c2d393ac7c0bc4cf8130a6794bf02ee0d8e85f7e6992804f3589ca3f5c0b

SHA512
1a2f362684f911fb44fd6ef2cafe750d4f6c9003a14ddb9434d9149a7e643ab79d6906d755927b4d8507f42984ceb4dca171a4ee5de3d762573b26c8d2255b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf23IQruF2.bat

Filesize
199B

MD5
f2be317e568a070391b7d94fda1038bb

SHA1
b21e38b4e122b374511ac27b5fadf98d504441c7

SHA256
f4bc23aed98abd88e6df7dca83e8ed7ff5554f6d35966c3af7d5499aa45049b6

SHA512
63feda7e353e96ef3ad4bf5e486e58d0aa392e92bdf60b2e06d7a13e9d0de0f7c3a0865da1cb7b032ef029aa2316677b2db29516b6773acd0977cdc93dae39e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
197B

MD5
8b717b23f14640859e91de5ed50199c7

SHA1
bf189b18650bedf671bcc4a3431b75d8c4aa502b

SHA256
965894209052d3860ff9232c234207e9920e377fad97a4aaf94b6bc05e18a9b2

SHA512
5af80179be038923edd0c4c04ae4cc2dfcc198f765f9127e2bf22db55dd2e2f288c6398a1344dacc4221942dd04cbb4690891c87645d082cb7d36a4473afdd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE014.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

Filesize
197B

MD5
edfdac7ba7b510867d0650111dd88cce

SHA1
ca713a36539a4ceaa4597d840ec91f88ae0b7179

SHA256
5411d3fc338c2537a78291c2aa7151e17957ae5a02bb5e03728fc5b9ceecd4cc

SHA512
2a9c6dbf49ca42b11272f8c96553664870381421ef229cdb7e1f7bab86d320686ecafae49295fcab2bdf3d9fe9c4e8cd8c692bdbba161e9e5075fc3b2130132f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

Filesize
197B

MD5
657adb47456079711eaef141427e75cd

SHA1
0b94eaaa252da8ae99b1eb62efea76bb81a7dd91

SHA256
ca0a90d909c11d11e752dd5868bfacc57630d83f87bfa6f0d9b7ab7755b2c46c

SHA512
ecee25c42046a4f8860acf247b17bd3f4fe51d62b8465d0ee9882eb0f3cc3e45e346f0861ee4e67fbf8acbfd3d0592b4fa11e25f66b18152b42975c391d03cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat

Filesize
197B

MD5
fb4527adcbaa817c3ee483e9adf00bab

SHA1
8f49c72e8f5aaa1fe33c75bb78ef5b0df0f97106

SHA256
dbc3553ac582c566b6ea0ba2f6e43700033c5014e1320ffe39800d6fa54a4a02

SHA512
517d1fb7b49236c8fd83cab22e709a75135c0b03548045665dfbc268b43ac9b08213eba5fb5b4f21fb2f8300d675571627ccc2ca2a2ad37cf118cca886db081f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat

Filesize
197B

MD5
0c534f1cbc9bcf893c2a1578953a4f15

SHA1
612118c877ddbda6cad25cca00188058a70335ba

SHA256
6fcfcffd75734c86c9d55ef8ab0be124704f7fd2758b56cf7c36f48d7ce84aad

SHA512
2cfe6c8791ac5e3f87849f906631fe67fec058cc97543bf870813a70079ed5e596c8eebcaca356c61312a5ab06eb9b3aba8d06829251da7d5a565f260ffee4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE065.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat

Filesize
197B

MD5
65ed8877d3c4a496a759c16ecf3ecceb

SHA1
c5941305a31fd7e0ab63dcc7aa05af18782cc80e

SHA256
cc5bf20828305f2c945ebd6c6d4c7446a41d79f7eaadefe765049bfca2fc8b5f

SHA512
fff6a28bd29c79d49dd8ab17e27f1d08a9569f9883173610f0c402e935e47c7cd7939e22da371ab2e66d4ee6da674a92fc4a70e59a3e4cdd0bbf00a4c6481173

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat

Filesize
197B

MD5
b5b8a58e50e930cb829071f07f140604

SHA1
e30f3810fefa2f7d2af3d0a67736fad7c3bbb14e

SHA256
e2c58928a934cf86aa53fecb07be2e194087ee578647a76a81a2ad31440773e5

SHA512
e5576c481e03f2ea7cc62d8fd7e5a8d27a2905cbf1d7c9e407c26bb9f3aa828b4498a04a5428adaedeca0419685aaf36e6879f9e2f78367bd7c9e8e26b3ce2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
197B

MD5
e94ba6e224a70fe89444766366f82e74

SHA1
c907c7941141802b99e657e2f98d5f571eb7e14d

SHA256
875c377f5262aa3f3f588c10d3fc4a1d59e877cb36992863b00f08b925249481

SHA512
afa14e7c436de4ac3ebb8545a8b85b5493c86fceff1dd7d210e6d6c0687878ab5db27b02e77defaf82080ca6a978491432ee4e21b503b1490b42bfbd613caef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
197B

MD5
de613429e234e9cbb340d78cc20ac09d

SHA1
c653b2cbdace625c4ee29c79f1c55b722a49d911

SHA256
22cea788b8255564f1221f3b03c618af8198b38eab542db8f5d70ee507a6a09c

SHA512
087c782ffc2a25c44b158563f9950477442df921044cb06f9b84f5e603ccfdecb3fd97baab26f14116619f8030a4fadfec14e3228fc38812296a3fcf4d254427

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f82214e3b0dcdfb2da12cb276b393635

SHA1
dbb8e2091e57fa5529f96535e84ec17034af8143

SHA256
4714bb9e009c1ebc7b877fcb78d131489b6c5d9e1e0531c301815202641b5365

SHA512
b512ccbe498638211718c8feb422a613a2f2a24c5837398c0b2007bf04bb5a1abf1db97ad82376ac0eeee5813730c9f493e02beaa0e94d1d311c848332ce85c2

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/880-141-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/996-535-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/996-536-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1664-415-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/1748-112-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2120-115-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2516-113-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2700-475-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2768-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2768-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2768-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2768-13-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2768-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2924-143-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2924-142-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download