dcrat | 00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234.exe
Size

1.3MB
MD5

40ed7a3b204850947cbac92ce58496d4
SHA1

68069a7de465c9ac55b8750c0eefac6155257ac5
SHA256

00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234
SHA512

05fc1e074d4ddc303d2b5f279996f4bf0c23cf9ebd6e45fc0b7f6d7fc1285aeba6a0f68cb0e1f21c519f11ea9fe07580b67b1d03bd4066b3a3486441fe20a74d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2624	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018b68-9.dat	dcrat
behavioral1/memory/2808-13-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1248-164-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat
behavioral1/memory/2384-224-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/2376-284-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1564-403-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2844-463-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2388-523-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/2224-642-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1368-702-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2380	powershell.exe
2008	powershell.exe
2768	powershell.exe
2140	powershell.exe
2848	powershell.exe
2996	powershell.exe
2904	powershell.exe
1748	powershell.exe
2312	powershell.exe
2220	powershell.exe
2372	powershell.exe
1912	powershell.exe
2384	powershell.exe
2824	powershell.exe
2884	powershell.exe
3024	powershell.exe
1796	powershell.exe
1072	powershell.exe
1632	powershell.exe
1960	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2808	DllCommonsvc.exe
1248	WmiPrvSE.exe
2384	WmiPrvSE.exe
2376	WmiPrvSE.exe
2076	WmiPrvSE.exe
1564	WmiPrvSE.exe
2844	WmiPrvSE.exe
2388	WmiPrvSE.exe
2920	WmiPrvSE.exe
2224	WmiPrvSE.exe
1368	WmiPrvSE.exe
2160	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	cmd.exe
2708	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\dwm.exe	DllCommonsvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Links\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Links\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\schemas\TSWorkSpace\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\security\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\security\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\ModemLogs\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2308	schtasks.exe
1312	schtasks.exe
772	schtasks.exe
1708	schtasks.exe
2564	schtasks.exe
1208	schtasks.exe
1692	schtasks.exe
2328	schtasks.exe
1640	schtasks.exe
2960	schtasks.exe
2852	schtasks.exe
2188	schtasks.exe
2168	schtasks.exe
1620	schtasks.exe
2536	schtasks.exe
1268	schtasks.exe
292	schtasks.exe
1644	schtasks.exe
892	schtasks.exe
2360	schtasks.exe
1940	schtasks.exe
1864	schtasks.exe
2388	schtasks.exe
1928	schtasks.exe
1944	schtasks.exe
1800	schtasks.exe
2752	schtasks.exe
2756	schtasks.exe
1688	schtasks.exe
1192	schtasks.exe
1248	schtasks.exe
2228	schtasks.exe
1516	schtasks.exe
836	schtasks.exe
2604	schtasks.exe
556	schtasks.exe
2956	schtasks.exe
1036	schtasks.exe
768	schtasks.exe
2284	schtasks.exe
2232	schtasks.exe
2268	schtasks.exe
1428	schtasks.exe
2064	schtasks.exe
1912	schtasks.exe
2180	schtasks.exe
2192	schtasks.exe
2508	schtasks.exe
2816	schtasks.exe
1796	schtasks.exe
2892	schtasks.exe
2340	schtasks.exe
2136	schtasks.exe
3032	schtasks.exe
580	schtasks.exe
2068	schtasks.exe
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
2380	powershell.exe
2008	powershell.exe
3024	powershell.exe
1748	powershell.exe
1796	powershell.exe
2996	powershell.exe
1632	powershell.exe
2384	powershell.exe
2312	powershell.exe
1072	powershell.exe
2848	powershell.exe
1912	powershell.exe
2140	powershell.exe
2884	powershell.exe
2372	powershell.exe
2220	powershell.exe
1960	powershell.exe
2768	powershell.exe
2824	powershell.exe
2904	powershell.exe
1248	WmiPrvSE.exe
2384	WmiPrvSE.exe
2376	WmiPrvSE.exe
2076	WmiPrvSE.exe
1564	WmiPrvSE.exe
2844	WmiPrvSE.exe
2388	WmiPrvSE.exe
2920	WmiPrvSE.exe
2224	WmiPrvSE.exe
1368	WmiPrvSE.exe
2160	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	DllCommonsvc.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1248	WmiPrvSE.exe
Token: SeDebugPrivilege	2384	WmiPrvSE.exe
Token: SeDebugPrivilege	2376	WmiPrvSE.exe
Token: SeDebugPrivilege	2076	WmiPrvSE.exe
Token: SeDebugPrivilege	1564	WmiPrvSE.exe
Token: SeDebugPrivilege	2844	WmiPrvSE.exe
Token: SeDebugPrivilege	2388	WmiPrvSE.exe
Token: SeDebugPrivilege	2920	WmiPrvSE.exe
Token: SeDebugPrivilege	2224	WmiPrvSE.exe
Token: SeDebugPrivilege	1368	WmiPrvSE.exe
Token: SeDebugPrivilege	2160	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2756	2640	JaffaCakes118_00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234.exe	30
PID 2640 wrote to memory of 2756	2640	JaffaCakes118_00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234.exe	30
PID 2640 wrote to memory of 2756	2640	JaffaCakes118_00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234.exe	30
PID 2640 wrote to memory of 2756	2640	JaffaCakes118_00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234.exe	30
PID 2756 wrote to memory of 2708	2756	WScript.exe	31
PID 2756 wrote to memory of 2708	2756	WScript.exe	31
PID 2756 wrote to memory of 2708	2756	WScript.exe	31
PID 2756 wrote to memory of 2708	2756	WScript.exe	31
PID 2708 wrote to memory of 2808	2708	cmd.exe	33
PID 2708 wrote to memory of 2808	2708	cmd.exe	33
PID 2708 wrote to memory of 2808	2708	cmd.exe	33
PID 2708 wrote to memory of 2808	2708	cmd.exe	33
PID 2808 wrote to memory of 1748	2808	DllCommonsvc.exe	92
PID 2808 wrote to memory of 1748	2808	DllCommonsvc.exe	92
PID 2808 wrote to memory of 1748	2808	DllCommonsvc.exe	92
PID 2808 wrote to memory of 1072	2808	DllCommonsvc.exe	93
PID 2808 wrote to memory of 1072	2808	DllCommonsvc.exe	93
PID 2808 wrote to memory of 1072	2808	DllCommonsvc.exe	93
PID 2808 wrote to memory of 2312	2808	DllCommonsvc.exe	94
PID 2808 wrote to memory of 2312	2808	DllCommonsvc.exe	94
PID 2808 wrote to memory of 2312	2808	DllCommonsvc.exe	94
PID 2808 wrote to memory of 1632	2808	DllCommonsvc.exe	95
PID 2808 wrote to memory of 1632	2808	DllCommonsvc.exe	95
PID 2808 wrote to memory of 1632	2808	DllCommonsvc.exe	95
PID 2808 wrote to memory of 1960	2808	DllCommonsvc.exe	96
PID 2808 wrote to memory of 1960	2808	DllCommonsvc.exe	96
PID 2808 wrote to memory of 1960	2808	DllCommonsvc.exe	96
PID 2808 wrote to memory of 2220	2808	DllCommonsvc.exe	97
PID 2808 wrote to memory of 2220	2808	DllCommonsvc.exe	97
PID 2808 wrote to memory of 2220	2808	DllCommonsvc.exe	97
PID 2808 wrote to memory of 2768	2808	DllCommonsvc.exe	98
PID 2808 wrote to memory of 2768	2808	DllCommonsvc.exe	98
PID 2808 wrote to memory of 2768	2808	DllCommonsvc.exe	98
PID 2808 wrote to memory of 2384	2808	DllCommonsvc.exe	100
PID 2808 wrote to memory of 2384	2808	DllCommonsvc.exe	100
PID 2808 wrote to memory of 2384	2808	DllCommonsvc.exe	100
PID 2808 wrote to memory of 2140	2808	DllCommonsvc.exe	101
PID 2808 wrote to memory of 2140	2808	DllCommonsvc.exe	101
PID 2808 wrote to memory of 2140	2808	DllCommonsvc.exe	101
PID 2808 wrote to memory of 2824	2808	DllCommonsvc.exe	102
PID 2808 wrote to memory of 2824	2808	DllCommonsvc.exe	102
PID 2808 wrote to memory of 2824	2808	DllCommonsvc.exe	102
PID 2808 wrote to memory of 3024	2808	DllCommonsvc.exe	103
PID 2808 wrote to memory of 3024	2808	DllCommonsvc.exe	103
PID 2808 wrote to memory of 3024	2808	DllCommonsvc.exe	103
PID 2808 wrote to memory of 1796	2808	DllCommonsvc.exe	104
PID 2808 wrote to memory of 1796	2808	DllCommonsvc.exe	104
PID 2808 wrote to memory of 1796	2808	DllCommonsvc.exe	104
PID 2808 wrote to memory of 2884	2808	DllCommonsvc.exe	105
PID 2808 wrote to memory of 2884	2808	DllCommonsvc.exe	105
PID 2808 wrote to memory of 2884	2808	DllCommonsvc.exe	105
PID 2808 wrote to memory of 2996	2808	DllCommonsvc.exe	107
PID 2808 wrote to memory of 2996	2808	DllCommonsvc.exe	107
PID 2808 wrote to memory of 2996	2808	DllCommonsvc.exe	107
PID 2808 wrote to memory of 2904	2808	DllCommonsvc.exe	108
PID 2808 wrote to memory of 2904	2808	DllCommonsvc.exe	108
PID 2808 wrote to memory of 2904	2808	DllCommonsvc.exe	108
PID 2808 wrote to memory of 2848	2808	DllCommonsvc.exe	109
PID 2808 wrote to memory of 2848	2808	DllCommonsvc.exe	109
PID 2808 wrote to memory of 2848	2808	DllCommonsvc.exe	109
PID 2808 wrote to memory of 2372	2808	DllCommonsvc.exe	110
PID 2808 wrote to memory of 2372	2808	DllCommonsvc.exe	110
PID 2808 wrote to memory of 2372	2808	DllCommonsvc.exe	110
PID 2808 wrote to memory of 2380	2808	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_00468a71a95f0a61f8af1762a7c45616b2db7cd1036cbd7fdb33581525a75234.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Links\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\services_discovery\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AaMk9KZjbK.bat"
        5⤵
        
        PID:1804
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:892
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
        7⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:760
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
        9⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:828
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
        11⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2304
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
        13⤵
        
        PID:308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2420
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        15⤵
        
        PID:1136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:920
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"
        17⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1312
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        19⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2608
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        21⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1952
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
        23⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1984
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
        25⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1484
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\security\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\security\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\security\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\Links\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\services_discovery\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\services_discovery\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\services_discovery\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81795d6a21a65a44a5dcc7cc143c9a1c

SHA1
10195518b8f2b886a37bd96fa10d69e2a721223d

SHA256
06595af805392b84dd273a5d9b5f0783c20abd7e3ae6e7ac31731d653ae60044

SHA512
58b524047f6c7410ea40424a17b5e9d0d6dacf62031dfb3feb6070f433aa1e073ee6c3b14c9eb78b9982f83b7c64d300375ba2e1ec3abf120116fb104194e42b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
464c12cf4540fc3b753b81538addb5ad

SHA1
7ffadd1e08111d33bfee81cbc18d6d085a523a2b

SHA256
7c5c4e1601b30fb4ef357ad4207805f8e390bd3718f94e76fd875a49e6e0cb1d

SHA512
0164f21e028f41e12cc43e822d9aa488835de943658a04a4aec9f2f851f4663e061418b792d75c751f98dd8388bc796bf31cdbef1c7ebe06aaf9828a53eb4d09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34ba16584872202fc769921675e53a98

SHA1
67c15e04616da74089a87bc432f84d4f63997052

SHA256
0ab349f29820973baf6ab8ab42a1f4415bc9f78512f7fc450e2a697cd1e1b6cd

SHA512
9ff9420bf200a7f01a110cb9d103e8da4d12aedc9d21a12b278c57181f2207dddf57fb567929d910cedbe35351baa36aa1be19d5ba5b82529bd649c0e3939700

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89b64f5fb84c571b009532b965b3c732

SHA1
5db98d73492e25feb7ab1ff22272028a853291ea

SHA256
842be60a1bfca0acff9545ec88a8ec05785f50a7f0f8433336ec5c0ee2c84ace

SHA512
a36b7f9b7fc9dab3ebfdf43cab92b329347bb2730c2cc8910d3568f110394f041607c3803dd44b01bc06f65b9236ffe83d5d772ea5b4ce75270d2ab03195389d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85df65b9ddae241825de8ea201528a44

SHA1
b9c77928f2a731ca146b5b2fe064b11732318d2d

SHA256
697d30c9c31de304f7f0c240be1d5dd5c9d534533cbf1070445a6b7e6fbb41ff

SHA512
e6179a746562ca31e84d226218850a86308022ba2b5004ba5bbabb5db11e1637e712cfc7622caa27be4141387f60a74ecfa919cff27b254f02c2b2903476b04f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4b637f2b4b4791eaa39839c8a7a80c2

SHA1
d69ea81733320954b20e99850359b94f00d0ae4c

SHA256
902043b57276887123e7b478d4e6e13e141c6f4ea4b2bad1579aed4bcbbabab1

SHA512
71fbd6b1575a7027e574c0bfc018ab072d42c4dff523b4502ffd54c7a24c0234921d1369cbd4db29fc6c487592ebb16c7ed588ea8310d67382303f45ed83f15d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2168aa44469a211bcacda7d566b6040

SHA1
06df835ccf6dc11fb23c264b45dac692ca73ca42

SHA256
389814a0e86b574b3ded77d3f72af6bddcaa202afde53a52514515dc0a4dca13

SHA512
26537e79e3410f6953744a54c2a5fcdc438faa1028cc08fde66d6328e7dcc2a2a21669279166783e7591e53ef1f4ba0c1820937e9c8b667af6cea9776f44cd72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3f6095610f8718c1b77cf0b656b16cd

SHA1
a81323d20c3e69d48e875f15bba1aee6435db7e2

SHA256
2ba789aa3945993e89749bc3788021d37d046fde3d55e5f1bf3614141648a5b1

SHA512
88086895cd20db7663bedf7c6d6bc13c43c2b4fdd4ab15e8711d9d138a4a77dff99b75dfb2c083f3b5842a1f5994988baa0df86594df34c096762aa715253712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9185cffc4e4f148f93337eb4ff1c6de

SHA1
934afb60e6db3e4f5ef33437004532d43dd8ac3c

SHA256
dbafd1b47a1320973a52c08ae38e0eed58ec0a665d70deaf8d43721599281c60

SHA512
2f2d43b3599381fc983903071f6c529bf6cfe0ec54ebe5e8e41b473e8fd1b5c4d48136636f413370f5c841c7e81d48ea1e54cc20ddd5dd32e22a565897fb3d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
240B

MD5
4679213c1b72b57e1a23b3d3eb9ae49c

SHA1
16603eb76b3fe309f35ccd8169559ef7734d763a

SHA256
a085a104139824f5d3cd2bcb4fd457600420bedc761d313a3448251f6bd30e0b

SHA512
2d184548d5644a46efa93e05e7d2e2696823b159156da1cea13d079c69bf5e1f21f34160d0a9761386df93d43e8352cc72139fbc0e933ae458bce6c8b97602ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

Filesize
240B

MD5
6e954245efb2a00f7d0bd5f3de92514b

SHA1
66646f5b8ba18c4e99dcef7bd57b07c25a6740e9

SHA256
1c41ddf07dff652ed59f80d18843d856d013caf50501f3cdbb2322f0a7149779

SHA512
d8d4352a4da7ee8b386c8854e0b989abd97ff578c86e40c262989e92e3088fa2c07ee1005b0310350cc926aeba2da9eb59399e65642a77b83a17845f341d74c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AaMk9KZjbK.bat

Filesize
240B

MD5
ed3c5be5e53ccd79fd0193ed6210bb59

SHA1
aee67572a4cb54e90688637d8af74033fc7f6c82

SHA256
e33715584e68641be979f94dac51c80ecdd4ba2850e36005ec042f96537c3ab8

SHA512
437a01b88ecff62c3c2a03e1849291c19418235f6ae89e9df404bb9907263636878499780bffae3de77e746b14e1c25c89a9ad53d805b8bb2db1571ccee4d149

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab959D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat

Filesize
240B

MD5
ad135c558249d66db3e6a9e7fa27fc9d

SHA1
77317bcb8419b039aa90190acbb9bc7a87d2839a

SHA256
c99615185ce9ac8fbf2f72be19b4a0c79f7f8a7a5ba06be088f0585a6c1045b1

SHA512
cb0fb40391b94d2eaeee462dd0e195b51845feb08e2ff1b973556acf58a2d08cfd3823ae63d4e4a4b54200ec99e8fa118811ee8251d3c65686655e09c5b8a4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
240B

MD5
5fb18c13c80844eefa466e8552c93c56

SHA1
0f0fdeb45e856e7cd19af85614cc0f6d4a22dd30

SHA256
5f61c2677df2d33026731bc5d4e753199e134867c00d6df5c9ed430349ab5510

SHA512
4acc9353a228435168ed9fd6832dd442b7be6962c5fe2e80b07bb3ee4bc5dea4ad416ece524503c820b7f8ef6e4981584c7d8e9ea3f5333500831721b4ed0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
240B

MD5
49981b938c42bfa7c5f8baf4c2dc0983

SHA1
0dfb6f04ffbf28c1529edd3eee4f52486c95bc46

SHA256
d0ccb55921f9bedde0431c9d9cef56f00ea23fb2bd3330ab19526e10c9b76112

SHA512
5bdf9f2c1a90da60ef4679101d61c12684a20e25504d4391157f057d0dbd7b1a2ac39549044fa849e800eb91aee50dde7bb8f56fbe24092828cdd05f10eb0b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

Filesize
240B

MD5
83387e51b064219d6c31ab7871f01a1e

SHA1
60790983cda631fcf460d08bec57eb74962b1641

SHA256
e7b27fa5d24dc21ea599e20f088364d44c73ff0e44fec4a0356a3cf6a06ca722

SHA512
fbcf02f510de35436aa5a8dfae5cbfb179790427822dc1811d8f6b649aa6321f9e917002fc29e43aae2e2435846835c47c40add134b64b90f83cf1c6fcd1ac00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

Filesize
240B

MD5
55bd9be01c829e70b0160928475d4396

SHA1
7c7643b9b7e79ea1ed35acac48eed9b1b3f091ef

SHA256
cf7fa06a6c56022612432af9c7235520a602bae752ca4eaa7bbdcafce0134f68

SHA512
92ed8318753dac91ff3426b44590394f458a4b7c52dac47c063fda6f1a5a82640bcee0b25a9f0c2aae60e926e2724435667a9401f80fb72ece89c6002df7fe81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar95B0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

Filesize
240B

MD5
94ca442dc5555559aca2578dbbedd502

SHA1
952faf1273c5868fb08b4b4931d2befd26f64082

SHA256
e7a81a075c716327af80df47374cc35487152a96eace3639885b5da92c988ea3

SHA512
006e6cc4b81e6b3ffc6d1e9c64cb36c877600b06bf777e2febd7bc626be27f5fe659a388f5c1a39b4f1a5e8d204cc9e9fe5aa2965d70469914138a9e7387c7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat

Filesize
240B

MD5
7ecb0550a3535d367a0bc13b622d8920

SHA1
1c446c211a71f8361c2873e426d780cc52f7b44a

SHA256
9de4363d12b8c5fccd293f0cad845d9e32ca8d2c9ac57af8bfa80435034c8461

SHA512
ad373848430b09ec43cb67c760f3a8cb84da26bbcaef9df3c10339bfd6d01d27d7ee54ebfd1aa8a4deb1d9a70f36d6f662e9a468bd084a2a836a20293464be62

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

Filesize
240B

MD5
ecc1e9eea5bc9c6ffe33e0e33fdea22d

SHA1
5fa144d8221ed4a2f2035fc71a3239011e2b9d87

SHA256
64ab7d17b23cb8a13da5307bec20df7f505238c876a8213958ac9a4a97bfc114

SHA512
c012f48adbb17556e73d8d7ef3d2ebfa182724868d5d5c54418d32c7bbac4c0beb84abb902b2a3cb793552762899232e2561b6ef7a3839815d76cac613e02b31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0aa9ecfbe4012f1a196cb0e18a339d7f

SHA1
a4b072f0f8df8f7543983307ccec9be91b7d972f

SHA256
175e51c0a80f31d670e70bd55f74d2425e900e564d2b540870c0109e3059fb1e

SHA512
849c3b94be287281a982b85f0a5c30f4eb23b28adea751fc604c32282d0d6d78f258bbd6b3a8c782f01e249988431f059274c936cd4ebf0001ee5e31d975575c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1248-165-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1248-164-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download
memory/1368-702-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/1564-403-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2224-642-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2376-284-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2380-87-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2380-81-0x000000001B8A0000-0x000000001BB82000-memory.dmp

Filesize
2.9MB

Download
memory/2384-224-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/2388-523-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-17-0x000000001AA70000-0x000000001AA7C000-memory.dmp

Filesize
48KB

Download
memory/2808-16-0x0000000002080000-0x000000000208C000-memory.dmp

Filesize
48KB

Download
memory/2808-15-0x0000000002090000-0x000000000209C000-memory.dmp

Filesize
48KB

Download
memory/2808-14-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2808-13-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2844-463-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download