dcrat | e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260.exe
Size

1.3MB
MD5

775f6ec14690fbfc81b83bdd3b56f806
SHA1

8efdebdec727ef151b3c14de10f7af6590459fac
SHA256

e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260
SHA512

d25d920e20c7753fa6d85a3ce2551c52753eaf4203fefe3ce9bbc3f9e3dda9b3f2228b0cb68d486c2c28d7da2c95dad80334d782f2587768778434c84e17b24b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1764	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1764	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015694-9.dat	dcrat
behavioral1/memory/2684-13-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/1760-62-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat
behavioral1/memory/1672-207-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/2228-327-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/1520-387-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/1548-447-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat
behavioral1/memory/1924-508-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1044-627-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2896-687-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/1532-748-0x0000000000C20000-0x0000000000D30000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2996	powershell.exe
2220	powershell.exe
2068	powershell.exe
2792	powershell.exe
2396	powershell.exe
2992	powershell.exe
2348	powershell.exe
2228	powershell.exe
2732	powershell.exe
2060	powershell.exe
2624	powershell.exe
2056	powershell.exe
2600	powershell.exe
2972	powershell.exe
2400	powershell.exe
644	powershell.exe
2864	powershell.exe
1732	powershell.exe
2536	powershell.exe
2868	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2684	DllCommonsvc.exe
1760	Idle.exe
1672	Idle.exe
2348	Idle.exe
2228	Idle.exe
1520	Idle.exe
1548	Idle.exe
1924	Idle.exe
2220	Idle.exe
1044	Idle.exe
2896	Idle.exe
1532	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	cmd.exe
2904	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
25	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\ja-JP\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\ja-JP\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
884	schtasks.exe
2416	schtasks.exe
2620	schtasks.exe
1232	schtasks.exe
480	schtasks.exe
1356	schtasks.exe
1976	schtasks.exe
1720	schtasks.exe
2192	schtasks.exe
2012	schtasks.exe
2876	schtasks.exe
2716	schtasks.exe
3012	schtasks.exe
1988	schtasks.exe
1600	schtasks.exe
2260	schtasks.exe
1352	schtasks.exe
2980	schtasks.exe
1144	schtasks.exe
2300	schtasks.exe
1956	schtasks.exe
2744	schtasks.exe
640	schtasks.exe
2892	schtasks.exe
2680	schtasks.exe
2204	schtasks.exe
2312	schtasks.exe
2500	schtasks.exe
1716	schtasks.exe
1616	schtasks.exe
3056	schtasks.exe
1864	schtasks.exe
2032	schtasks.exe
2624	schtasks.exe
848	schtasks.exe
2812	schtasks.exe
3008	schtasks.exe
1136	schtasks.exe
464	schtasks.exe
1924	schtasks.exe
1664	schtasks.exe
2512	schtasks.exe
3060	schtasks.exe
2824	schtasks.exe
2328	schtasks.exe
1108	schtasks.exe
2852	schtasks.exe
2544	schtasks.exe
1476	schtasks.exe
2444	schtasks.exe
1868	schtasks.exe
664	schtasks.exe
2028	schtasks.exe
1940	schtasks.exe
688	schtasks.exe
1288	schtasks.exe
656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2684	DllCommonsvc.exe
2684	DllCommonsvc.exe
2684	DllCommonsvc.exe
2684	DllCommonsvc.exe
2684	DllCommonsvc.exe
2400	powershell.exe
644	powershell.exe
2220	powershell.exe
2536	powershell.exe
2868	powershell.exe
2992	powershell.exe
1732	powershell.exe
2396	powershell.exe
2792	powershell.exe
2624	powershell.exe
2732	powershell.exe
2348	powershell.exe
2864	powershell.exe
2060	powershell.exe
2996	powershell.exe
2972	powershell.exe
2600	powershell.exe
2228	powershell.exe
2056	powershell.exe
2068	powershell.exe
1760	Idle.exe
1672	Idle.exe
2348	Idle.exe
2228	Idle.exe
1520	Idle.exe
1548	Idle.exe
1924	Idle.exe
2220	Idle.exe
1044	Idle.exe
2896	Idle.exe
1532	Idle.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	DllCommonsvc.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1760	Idle.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1672	Idle.exe
Token: SeDebugPrivilege	2348	Idle.exe
Token: SeDebugPrivilege	2228	Idle.exe
Token: SeDebugPrivilege	1520	Idle.exe
Token: SeDebugPrivilege	1548	Idle.exe
Token: SeDebugPrivilege	1924	Idle.exe
Token: SeDebugPrivilege	2220	Idle.exe
Token: SeDebugPrivilege	1044	Idle.exe
Token: SeDebugPrivilege	2896	Idle.exe
Token: SeDebugPrivilege	1532	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2436	3028	JaffaCakes118_e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260.exe	30
PID 3028 wrote to memory of 2436	3028	JaffaCakes118_e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260.exe	30
PID 3028 wrote to memory of 2436	3028	JaffaCakes118_e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260.exe	30
PID 3028 wrote to memory of 2436	3028	JaffaCakes118_e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260.exe	30
PID 2436 wrote to memory of 2904	2436	WScript.exe	31
PID 2436 wrote to memory of 2904	2436	WScript.exe	31
PID 2436 wrote to memory of 2904	2436	WScript.exe	31
PID 2436 wrote to memory of 2904	2436	WScript.exe	31
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2684 wrote to memory of 2792	2684	DllCommonsvc.exe	92
PID 2684 wrote to memory of 2792	2684	DllCommonsvc.exe	92
PID 2684 wrote to memory of 2792	2684	DllCommonsvc.exe	92
PID 2684 wrote to memory of 2868	2684	DllCommonsvc.exe	93
PID 2684 wrote to memory of 2868	2684	DllCommonsvc.exe	93
PID 2684 wrote to memory of 2868	2684	DllCommonsvc.exe	93
PID 2684 wrote to memory of 2600	2684	DllCommonsvc.exe	94
PID 2684 wrote to memory of 2600	2684	DllCommonsvc.exe	94
PID 2684 wrote to memory of 2600	2684	DllCommonsvc.exe	94
PID 2684 wrote to memory of 1732	2684	DllCommonsvc.exe	95
PID 2684 wrote to memory of 1732	2684	DllCommonsvc.exe	95
PID 2684 wrote to memory of 1732	2684	DllCommonsvc.exe	95
PID 2684 wrote to memory of 2536	2684	DllCommonsvc.exe	96
PID 2684 wrote to memory of 2536	2684	DllCommonsvc.exe	96
PID 2684 wrote to memory of 2536	2684	DllCommonsvc.exe	96
PID 2684 wrote to memory of 2972	2684	DllCommonsvc.exe	97
PID 2684 wrote to memory of 2972	2684	DllCommonsvc.exe	97
PID 2684 wrote to memory of 2972	2684	DllCommonsvc.exe	97
PID 2684 wrote to memory of 2228	2684	DllCommonsvc.exe	98
PID 2684 wrote to memory of 2228	2684	DllCommonsvc.exe	98
PID 2684 wrote to memory of 2228	2684	DllCommonsvc.exe	98
PID 2684 wrote to memory of 2732	2684	DllCommonsvc.exe	99
PID 2684 wrote to memory of 2732	2684	DllCommonsvc.exe	99
PID 2684 wrote to memory of 2732	2684	DllCommonsvc.exe	99
PID 2684 wrote to memory of 644	2684	DllCommonsvc.exe	100
PID 2684 wrote to memory of 644	2684	DllCommonsvc.exe	100
PID 2684 wrote to memory of 644	2684	DllCommonsvc.exe	100
PID 2684 wrote to memory of 2396	2684	DllCommonsvc.exe	101
PID 2684 wrote to memory of 2396	2684	DllCommonsvc.exe	101
PID 2684 wrote to memory of 2396	2684	DllCommonsvc.exe	101
PID 2684 wrote to memory of 2996	2684	DllCommonsvc.exe	102
PID 2684 wrote to memory of 2996	2684	DllCommonsvc.exe	102
PID 2684 wrote to memory of 2996	2684	DllCommonsvc.exe	102
PID 2684 wrote to memory of 2992	2684	DllCommonsvc.exe	103
PID 2684 wrote to memory of 2992	2684	DllCommonsvc.exe	103
PID 2684 wrote to memory of 2992	2684	DllCommonsvc.exe	103
PID 2684 wrote to memory of 2220	2684	DllCommonsvc.exe	104
PID 2684 wrote to memory of 2220	2684	DllCommonsvc.exe	104
PID 2684 wrote to memory of 2220	2684	DllCommonsvc.exe	104
PID 2684 wrote to memory of 2400	2684	DllCommonsvc.exe	105
PID 2684 wrote to memory of 2400	2684	DllCommonsvc.exe	105
PID 2684 wrote to memory of 2400	2684	DllCommonsvc.exe	105
PID 2684 wrote to memory of 2864	2684	DllCommonsvc.exe	106
PID 2684 wrote to memory of 2864	2684	DllCommonsvc.exe	106
PID 2684 wrote to memory of 2864	2684	DllCommonsvc.exe	106
PID 2684 wrote to memory of 2068	2684	DllCommonsvc.exe	107
PID 2684 wrote to memory of 2068	2684	DllCommonsvc.exe	107
PID 2684 wrote to memory of 2068	2684	DllCommonsvc.exe	107
PID 2684 wrote to memory of 2624	2684	DllCommonsvc.exe	109
PID 2684 wrote to memory of 2624	2684	DllCommonsvc.exe	109
PID 2684 wrote to memory of 2624	2684	DllCommonsvc.exe	109
PID 2684 wrote to memory of 2060	2684	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e7d29f866df43567f62796d9294bbb0fb1fb533a75bc491854b9aedcb097a260.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\ja-JP\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
        6⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1828
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        8⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2024
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
        10⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2680
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
        12⤵
        
        PID:1384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2116
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat"
        14⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1876
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        16⤵
        
        PID:820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3028
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
        18⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:480
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
        20⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1096
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
        22⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:264
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
        24⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1480
        
        C:\Program Files (x86)\Microsoft.NET\Idle.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
        26⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Sample Music\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\NetHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4862d0e5ace6726feabb4a694dcb0173

SHA1
09f359a541d7e136c18abf4676551ca619d65909

SHA256
61e1cec883cb8fe4f67179df18a77b09ec80cd51da941c1054910f799c2e35da

SHA512
1ba0745d80455b0e6cce6ead79aa6e05530a80135e08183e285de6b9de2dd10f05b75942f56663ab814886aded8e4a4fb0fad6245da528dd4b2a83bcc0d16412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7af89f2dcf3fd5326d4f4b5ee510186

SHA1
b623844e95b7265e9363e93f04594b5e8fa7657c

SHA256
bc012d416666d7cae78de20f194e01c13ddfbcb1eec7605aff7d5e4b91877753

SHA512
b53b55f00b9472f46532410d50eaea3684cf3bdb18efeebfa4230a13e5b2f3ad7b0bde793f4a7313af02c69d2c51fb0150dc6e60a3c2707bb1f78e3c09d3f50b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca8bbc92c42c226acde5a25d8d41f151

SHA1
ff49b7f31ceaf7ee25908be992cd3f8e2f16da38

SHA256
7348f0a1d87d704a996881c2a53f201f3948e860655963797a2e4a64852d5fa0

SHA512
d83b92ab5680a51abc3b8f3917cb92e9fb0a682f73537fe053cdd703d40a52d4990ce0c3fb3df5b1e8e8e9cb16235f9b015771327fcc38c2902c002418c78a17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b634f02cf378282e5460bed3e5abc44e

SHA1
4d3e1f02adbe788f7b5f4f7eeedbf97444dacfda

SHA256
3b894bd094dba46c4e01dac5a4647737807043e7ca86ee3ccb254f7a64d262ba

SHA512
069cac15cc5762ca5bce55af6d9900f4854fa9e202d980f98485b20d31ff6578286d4de532a32c5b922c32f73a0052a9ac1bb409efb40fe2dc11730f99459bb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1744121588841d0b4efdf5250f6f0a3

SHA1
cc20b25601557ad7969efdb1e93e5b04f2ec1272

SHA256
a2bd2a4718d2ae6f4a2e20c9c95df13042f3688a64268397bfba1a8c19992f7f

SHA512
f44b6a2c2be5784f8c133e1ff6287891a2f9d5e38c9fa8a3a6ff0b9068149dad0c20bcffdcea3ecfcd922cb56401722624f1d039d469807f56136a64eb108845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ced89496a53ccf6c840cdc26b58ba3e

SHA1
d656f34b215537aa156ed5ff233d2ffbb3f82208

SHA256
490c5d89340c4d1b497e5a2f7286d87e9d982e92d531314ed6d1c0ad094a232f

SHA512
076b44dc7a778d7ae4f625225f376ef1a0c10dcf9a878cec765996cc844c8e639d827b739b64a941f05cec6bfc4b14a9b8ab6c6265e7cf950ffc51e64a6f706f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f20dd24f1743f6fb10b3ccd0951570fa

SHA1
5d5be532b3714ef6565bad1501ee895010170851

SHA256
c5cfa6620910ef0bf7c00756fde6cb02fc9dd039a9784e6c14647fc1c83de0c0

SHA512
b0428dfaebf6f1bd8d349a03ff8fb9b2e06c0c4506ad17219c2d81f270f1482aa5ada827dfef79252e98df62750b40b6ce06b6647283f91aeb171720e4cb89aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
848d61ff9f1f98eb14c5d66be4ef8b8e

SHA1
1839dcdb667e84a29c2fb2fbe89867f4d43b4a96

SHA256
eb093755fff80bc56066e3f1763051a0ca2e6ce86a50c0391943ff468977efd2

SHA512
693a2baa95475b845af983027f21f63e0e449c96065d0e3cd3bda6dcf14d99efe4db8f00868dc6a16aafc8bf8bf6f0c55dc8f73d9a388c22eeaf19b6992bf5f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a521e41ea405da092edbb903af0a1911

SHA1
ac5ddbdf6c7a183940fed5497f13dbdc5d9c332b

SHA256
84541c509778fde07a8885f59c170aa02b0f3dbac993fd5f7e2780ac4c0b91ae

SHA512
bdabeb175b6c3dd5870d136f8f1d108e2cf9b808cb09ac6373ebe509bbae93c6bdfa59beb06f86a9e3cd86539a986b5d48f17f0ac2fc60889d4a494478762b43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a497ddd6c531bb2a7372376e22f0349

SHA1
06271478c1b2725df7e8a6f9fa43026674fb6b11

SHA256
b9889b04174b77e2944311b56aa84cdac8dc15bd61d582da094e2ea22f37e997

SHA512
8a06e5cb03202daa41073ca9e5a9f9f39da9e89eea279ae8e1826f8155c78c85ec140bdaa09a2cf60b169c3a6d50f5fac09d21522c87b978048bb43f99784910

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat

Filesize
210B

MD5
b971d018890a967855783749452b9434

SHA1
ddcc57a5cceed4e6f55d2c62a9427be14d2fb3ee

SHA256
24f8ae11094398b3ab3a147a7aadff6c72f37be339c1b942b186f89997dc3bf0

SHA512
8c5b9ef01bb3c0d459696990995b695e2d7dceb112d92e27d29aed524fbcb07cd522563c3f8e16ba82186bf32ddb2106d5d750c663601f8779dcd4f2815c1e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCDBD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

Filesize
210B

MD5
07bb8bfe949959f0c36a5471ef48e09b

SHA1
3fdbf8402223fa699bd69be6e6f41d6d173d9154

SHA256
df2b11197d3308d7932efd60ec5051fac3c0dc1fca79f6fa3570d54719439689

SHA512
ffb63b72a819348e8d0a52d5c8db2bc9ac3756a3bcff032666a59eef9ed7d34faa33f3bb644ba2f541bec62a061830030f25c3308fba908e8b2e4729e4c9f73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

Filesize
210B

MD5
4247ac54a17405f76937be00547e4da8

SHA1
4bf90d42c1362fb9cefd1ede0386b3c367a9e073

SHA256
2307a05b0442ed16e97e982f49d416e99e561fda44adb5af0a6349a86a7eacc5

SHA512
b177a8caf77375e662cc5bce5e4dd21c19e28a7a17a5c9bd2841efbd90c46fac1477f40bc2d1d7f1fea7f4d90574f94cc8b29b27f7647d4bcf294c8b444c4acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat

Filesize
210B

MD5
20a16733f25e7b43c0dbab723f838a7e

SHA1
edc25a669601a4df9b91fe6ed46a9907a0809749

SHA256
9e6c27f9aa4ad7dccddfa4f8dd357f0516b70a260806f9a129285e67e4d2e86c

SHA512
11b60b10c17feb63bbf8e755f24832150d65d5c62b227d55f96c2b5009b6338d4fbb6582f8803dc0cfe7e171df07ee9c6adeb88b421204acc34a0bfabab7e0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

Filesize
210B

MD5
47c636e7d766c6ee1cbed0aecd9231af

SHA1
e8db7a045913ee15f98d19c53ef96ac3d2b0a205

SHA256
59162690eb2773c6ec2441c21222bdc7f5ea530de00f476c48ad5ad63cbe7d6e

SHA512
10a51146991b438a8fdbf3ec2f96b7fc135908e6396442dacc96b89e0f99c7d9df87fc7e4e09a15095a5918c494bf5f6ce0771e3878b9d057ca61811555f4424

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat

Filesize
210B

MD5
81575d6e9dd885674bee2673248149d1

SHA1
d46b1f413639a7b36efdcd9aaf17ae782b9419d3

SHA256
5ebb56513faa0e1a452679fa0586e2bf10cecc84fe6c092c302c1f6b2adeb26c

SHA512
228f526023f479402e7b201d54aff21b957e7c9c869b3ac2422f78b7e81c766933eadc8844f33cdb939494ee6a886cdd964bd1710e3b7e6d562bfa92e1491c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat

Filesize
210B

MD5
d8d1e0e322288e1144d95a05a55d43da

SHA1
2890c8e503cb08dbbeee9d70a46e22af9a2137ec

SHA256
a2962a953e46973d2d15efa468a070f69fe297c5884c840acb77a3841b9b044a

SHA512
3fbf5529e52a2eadf9b6ee022b1ff7a7478fbf76735fad949015b7adc3ab857c8faffc2b70e99d2f7c32adb9edbffb9285f89f3c11d5ac7d5e6d301a36024d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCDCF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

Filesize
210B

MD5
58670e5a4b0b9a6200e77aa63ea69ad3

SHA1
72204c74ca9e6c34afcc9edc846cba0779bbeaa4

SHA256
a94b37c1b88d7b6c35e17006d04096d13baa4cec88abecf946ddee4477fcf51b

SHA512
ca0ec178d4813a9361c7ec2dfbf31c7598fb9e72d9e6790f65937d453a7c830aa121146bbd99005bbc405dbfaf565a47b61060ed57379616af2521633d9d963e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
210B

MD5
cc138dd7c6fa24d120337de2227362fd

SHA1
e865864828ec121038ba49321e938d5b02176390

SHA256
674339e81ad0add093163be1960fe38838f310fba68a97e6cb306b1ed4d14338

SHA512
b241426c8c60104db59149e5a521f738b250f864d8b7eca7f896ff6395840afb80512e3ed1f718749481e5a58db043b545a2c0fd7c5cf5255ff65236410ed546

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

Filesize
210B

MD5
95affaf9374d9feef16b482afe5e9293

SHA1
c5c79d59acc66b2ca38ac05f19551239d888f869

SHA256
854aa1d1cb1d486993e32590ca86f270f976a70086cdc56888ef6d27e06fa55d

SHA512
7ae6fa871871f33cef075e97cd17e6c794114412109e51a2b98573a09b563dd1f475622ffd00c1fb2beb751ea2601f5a8234e01e9c9ac45d8495080d6754cbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat

Filesize
210B

MD5
3037a4648ef36c0ff21ce3d3dc81cf11

SHA1
f1db423419eebda9285dc08ff8cbc71e6c28639d

SHA256
7f6ed8057ce46f97a725a054e431e5299e4b2c96ccd14eaf8325690379a528c9

SHA512
7bd480ce4667be751f367816e8162be997257a8a22cc9977ef1bead638ccadc597d4f3e2e7d57d8158ba442bd84fea02cd92ef27b706409d3cb704482e4e4fbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0c2b0d1ae83e0d8e298882fcef4c9c47

SHA1
b8f57499c60467c36fc159c7b770807e74b63e72

SHA256
0936e892137f9ecb5be23b88db5eedd96fe6c844da4d1ba7bf52250b54b1e12c

SHA512
f111f7e0f980256915bf3090569d3fa05ddf07257dd34ca86b6acbd71fc1bc6192697e4d78fb9972e6e2579a2a5d33bb5fe04ef836422fa0dbd63c1c01faf067

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/644-72-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/1044-627-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-387-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1532-748-0x0000000000C20000-0x0000000000D30000-memory.dmp

Filesize
1.1MB

Download
memory/1548-448-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1548-447-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/1672-208-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1672-207-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/1760-62-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download
memory/1924-508-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2228-327-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2536-71-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2684-15-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2684-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2684-13-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2684-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2684-17-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2896-688-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2896-687-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download