dcrat | 69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470.exe
Size

1.3MB
MD5

316eba8d3d28760500efc01611b9a597
SHA1

ccbcd4ce4034de5dc4336f072c5ee10d64b3858b
SHA256

69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470
SHA512

f7043d9fa83de2a3dde410a9a24ad8693111de2258897271d9255033a9ea1fe62e6e90796f67942cdc115f63ccc2256bc4aa7d270b050edd66575d8e978a3776
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2820	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c3d-9.dat	dcrat
behavioral1/memory/2304-13-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/3040-64-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/1684-216-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/3044-395-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2528-455-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/280-633-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2992-693-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/2396-753-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2644-814-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1120	powershell.exe
2712	powershell.exe
2672	powershell.exe
2736	powershell.exe
2628	powershell.exe
2724	powershell.exe
2740	powershell.exe
2596	powershell.exe
2664	powershell.exe
2780	powershell.exe
2680	powershell.exe
2828	powershell.exe
2580	powershell.exe
536	powershell.exe
2660	powershell.exe
2560	powershell.exe
2568	powershell.exe
2260	powershell.exe
2204	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2304	DllCommonsvc.exe
3040	winlogon.exe
1684	winlogon.exe
2844	winlogon.exe
1740	winlogon.exe
3044	winlogon.exe
2528	winlogon.exe
2660	winlogon.exe
2440	winlogon.exe
280	winlogon.exe
2992	winlogon.exe
2396	winlogon.exe
2644	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	cmd.exe
2228	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
30	raw.githubusercontent.com
41	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\it-IT\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\it-IT\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Tasks\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Setup\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Tasks\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1520	schtasks.exe
2212	schtasks.exe
2348	schtasks.exe
592	schtasks.exe
2292	schtasks.exe
2508	schtasks.exe
980	schtasks.exe
1524	schtasks.exe
1048	schtasks.exe
1156	schtasks.exe
1796	schtasks.exe
3004	schtasks.exe
1792	schtasks.exe
2924	schtasks.exe
708	schtasks.exe
1736	schtasks.exe
1292	schtasks.exe
2108	schtasks.exe
2160	schtasks.exe
2996	schtasks.exe
2400	schtasks.exe
2900	schtasks.exe
1252	schtasks.exe
3020	schtasks.exe
1528	schtasks.exe
2592	schtasks.exe
2932	schtasks.exe
1808	schtasks.exe
2120	schtasks.exe
2868	schtasks.exe
1988	schtasks.exe
1996	schtasks.exe
2904	schtasks.exe
2276	schtasks.exe
2844	schtasks.exe
2856	schtasks.exe
1956	schtasks.exe
784	schtasks.exe
2440	schtasks.exe
1920	schtasks.exe
2192	schtasks.exe
2012	schtasks.exe
1668	schtasks.exe
2176	schtasks.exe
2476	schtasks.exe
2272	schtasks.exe
268	schtasks.exe
2168	schtasks.exe
1916	schtasks.exe
1616	schtasks.exe
2544	schtasks.exe
2148	schtasks.exe
2800	schtasks.exe
1552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2568	powershell.exe
2260	powershell.exe
2780	powershell.exe
2680	powershell.exe
2828	powershell.exe
2736	powershell.exe
2712	powershell.exe
1120	powershell.exe
3040	winlogon.exe
536	powershell.exe
2724	powershell.exe
2628	powershell.exe
2664	powershell.exe
2596	powershell.exe
2740	powershell.exe
2672	powershell.exe
2560	powershell.exe
2660	powershell.exe
2204	powershell.exe
2580	powershell.exe
1684	winlogon.exe
2844	winlogon.exe
1740	winlogon.exe
3044	winlogon.exe
2528	winlogon.exe
2660	winlogon.exe
2440	winlogon.exe
280	winlogon.exe
2992	winlogon.exe
2396	winlogon.exe
2644	winlogon.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	DllCommonsvc.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	3040	winlogon.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1684	winlogon.exe
Token: SeDebugPrivilege	2844	winlogon.exe
Token: SeDebugPrivilege	1740	winlogon.exe
Token: SeDebugPrivilege	3044	winlogon.exe
Token: SeDebugPrivilege	2528	winlogon.exe
Token: SeDebugPrivilege	2660	winlogon.exe
Token: SeDebugPrivilege	2440	winlogon.exe
Token: SeDebugPrivilege	280	winlogon.exe
Token: SeDebugPrivilege	2992	winlogon.exe
Token: SeDebugPrivilege	2396	winlogon.exe
Token: SeDebugPrivilege	2644	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1244	2276	JaffaCakes118_69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470.exe	31
PID 2276 wrote to memory of 1244	2276	JaffaCakes118_69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470.exe	31
PID 2276 wrote to memory of 1244	2276	JaffaCakes118_69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470.exe	31
PID 2276 wrote to memory of 1244	2276	JaffaCakes118_69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470.exe	31
PID 1244 wrote to memory of 2228	1244	WScript.exe	32
PID 1244 wrote to memory of 2228	1244	WScript.exe	32
PID 1244 wrote to memory of 2228	1244	WScript.exe	32
PID 1244 wrote to memory of 2228	1244	WScript.exe	32
PID 2228 wrote to memory of 2304	2228	cmd.exe	34
PID 2228 wrote to memory of 2304	2228	cmd.exe	34
PID 2228 wrote to memory of 2304	2228	cmd.exe	34
PID 2228 wrote to memory of 2304	2228	cmd.exe	34
PID 2304 wrote to memory of 2260	2304	DllCommonsvc.exe	90
PID 2304 wrote to memory of 2260	2304	DllCommonsvc.exe	90
PID 2304 wrote to memory of 2260	2304	DllCommonsvc.exe	90
PID 2304 wrote to memory of 2680	2304	DllCommonsvc.exe	91
PID 2304 wrote to memory of 2680	2304	DllCommonsvc.exe	91
PID 2304 wrote to memory of 2680	2304	DllCommonsvc.exe	91
PID 2304 wrote to memory of 2736	2304	DllCommonsvc.exe	92
PID 2304 wrote to memory of 2736	2304	DllCommonsvc.exe	92
PID 2304 wrote to memory of 2736	2304	DllCommonsvc.exe	92
PID 2304 wrote to memory of 2664	2304	DllCommonsvc.exe	94
PID 2304 wrote to memory of 2664	2304	DllCommonsvc.exe	94
PID 2304 wrote to memory of 2664	2304	DllCommonsvc.exe	94
PID 2304 wrote to memory of 2672	2304	DllCommonsvc.exe	95
PID 2304 wrote to memory of 2672	2304	DllCommonsvc.exe	95
PID 2304 wrote to memory of 2672	2304	DllCommonsvc.exe	95
PID 2304 wrote to memory of 2568	2304	DllCommonsvc.exe	97
PID 2304 wrote to memory of 2568	2304	DllCommonsvc.exe	97
PID 2304 wrote to memory of 2568	2304	DllCommonsvc.exe	97
PID 2304 wrote to memory of 2204	2304	DllCommonsvc.exe	98
PID 2304 wrote to memory of 2204	2304	DllCommonsvc.exe	98
PID 2304 wrote to memory of 2204	2304	DllCommonsvc.exe	98
PID 2304 wrote to memory of 2596	2304	DllCommonsvc.exe	99
PID 2304 wrote to memory of 2596	2304	DllCommonsvc.exe	99
PID 2304 wrote to memory of 2596	2304	DllCommonsvc.exe	99
PID 2304 wrote to memory of 2712	2304	DllCommonsvc.exe	100
PID 2304 wrote to memory of 2712	2304	DllCommonsvc.exe	100
PID 2304 wrote to memory of 2712	2304	DllCommonsvc.exe	100
PID 2304 wrote to memory of 2560	2304	DllCommonsvc.exe	101
PID 2304 wrote to memory of 2560	2304	DllCommonsvc.exe	101
PID 2304 wrote to memory of 2560	2304	DllCommonsvc.exe	101
PID 2304 wrote to memory of 2660	2304	DllCommonsvc.exe	102
PID 2304 wrote to memory of 2660	2304	DllCommonsvc.exe	102
PID 2304 wrote to memory of 2660	2304	DllCommonsvc.exe	102
PID 2304 wrote to memory of 2740	2304	DllCommonsvc.exe	103
PID 2304 wrote to memory of 2740	2304	DllCommonsvc.exe	103
PID 2304 wrote to memory of 2740	2304	DllCommonsvc.exe	103
PID 2304 wrote to memory of 2828	2304	DllCommonsvc.exe	104
PID 2304 wrote to memory of 2828	2304	DllCommonsvc.exe	104
PID 2304 wrote to memory of 2828	2304	DllCommonsvc.exe	104
PID 2304 wrote to memory of 536	2304	DllCommonsvc.exe	105
PID 2304 wrote to memory of 536	2304	DllCommonsvc.exe	105
PID 2304 wrote to memory of 536	2304	DllCommonsvc.exe	105
PID 2304 wrote to memory of 2724	2304	DllCommonsvc.exe	106
PID 2304 wrote to memory of 2724	2304	DllCommonsvc.exe	106
PID 2304 wrote to memory of 2724	2304	DllCommonsvc.exe	106
PID 2304 wrote to memory of 2580	2304	DllCommonsvc.exe	107
PID 2304 wrote to memory of 2580	2304	DllCommonsvc.exe	107
PID 2304 wrote to memory of 2580	2304	DllCommonsvc.exe	107
PID 2304 wrote to memory of 2780	2304	DllCommonsvc.exe	109
PID 2304 wrote to memory of 2780	2304	DllCommonsvc.exe	109
PID 2304 wrote to memory of 2780	2304	DllCommonsvc.exe	109
PID 2304 wrote to memory of 1120	2304	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69bc8728fd068e74d06ed082241b7b36d11cbad1580ac5f107f8d1729429a470.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat"
        6⤵
        
        PID:1232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2996
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        8⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2432
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        10⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2384
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
        12⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3060
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
        14⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:756
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        16⤵
        
        PID:1900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:868
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"
        18⤵
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1732
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        20⤵
        
        PID:2448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2220
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
        22⤵
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1684
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
        24⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2972
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
        26⤵
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2604
        
        C:\Program Files (x86)\Windows Media Player\winlogon.exe
        
        "C:\Program Files (x86)\Windows Media Player\winlogon.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ModemLogs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1361bddb91f834d237d781e8e13ef00

SHA1
3b92e64cb3e40c4505d661e8f0e08e88c772799c

SHA256
b48cd36c1a39511446189fcd1c8fc7c208b20b717a818d9ce0728efcb49de244

SHA512
e001f1ffcca3da082d8a3b5ef5d86137c41921ce032fa7258a910178ff51f442efe470963a5ca5f27c82132a827f22d065aba1c89f34f79c73f5aa24f644e49b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa2de15325bfff112cc033e43e4e0264

SHA1
505cc1bb1b51f7f7ec21f3bb78a0c7753ca2d7a6

SHA256
ba110512c9a41cc74211ea79ce969f7eb8d09274be7763cb3f67448bb113eb12

SHA512
2eee422e7c86c347eceb07c3a9eeb76916381cb859233148bd506fa009d0df70d83ed7b5cb34b6a7d4837a2c599f5431a5345d89505f548ffdbb78bed232d3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31b49985d86c84eab5544546b247fffa

SHA1
afbbb54cc5532b4a7755ed871fcef07301b8a134

SHA256
837096ce543843396d1cff1534e6bd0003b9f1af2d1a7e916f08b646df39157a

SHA512
a7754b09b1003df391da2f41cd1d298b5bf9ad5e703925435e91048a0d7d86eee3f3b94a68a6f7cc66af82fa3fb5865432c8a0f3ee1ef39f4ae14e90464b2f6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc861f81d531f6b0ed49f490158aa48a

SHA1
8e23fa3a563fcfb3302dcba3ed43c898b7332fed

SHA256
02514ba24cc03f5f393934d1a39cc78cd6bf44f99bc27efdd869d6a2f78b0a42

SHA512
0336099895cfba9999fe288b8b6ba110b65791e97d123fe3c392d6035c3de2e70373dbb6c954e136c52332833934168e57bb01be68cac5191e272551cded16d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38ac0b391f6757b07ba74e80f6d8afb1

SHA1
cab74c621365dbbbe9a1c9c32fc69545303b899f

SHA256
b9227c483936ab605fb01e987373b3941d258c73dde810bb6ba2127f1fff866f

SHA512
e0e4308319a15a7ebbdb803327b2535e6c2cd0ae5645fa31d88210e48c47f25a821c80995cc2d4031713fa96bf4a37021891854cc02343582010fcc4fd41ce01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7153f0ca36a9e7b956c8442f376f119b

SHA1
895a7f18db4d8f44a89430e5291fcffe6b2780ca

SHA256
c12121b43bdae9e3639942c51da3958fc22181e7c6ac681ca98e67d0cab6b81c

SHA512
0885353e8414d6e6cd55b9c329c65425eb3b6a6f96f60e2d3ea8856cea1197daed4ca74343527059732b6d4ecbb119bfc21468071f6232c4df2c36a827ad2a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45f2e5b1e0dbcbecc8aeb33f536c0ea9

SHA1
a59ed5703437b72fa47c093b26a063bb902a2b93

SHA256
002feac9df8ac6fd27536c25d2266c2d5183978d1258621034dac4e8953663a1

SHA512
548a6f75e40549b86809e0634ff007b1e8e32009a90e6b6c18841ce2c37b3c74eb4444cc1bdd6bfaf91c6147a075d64bff11ec61965cc028f971cb642cee1ce2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8abe5c98baa68a916f68841ab3fe1199

SHA1
0c05482ecaf2ce427bf32dbecb063c1cd0561265

SHA256
84b3f56b5c40ed7a102fa15c7adfbe7eaa99e2401342e229dc6e002214549290

SHA512
32b0ede322720977554fff44f22a370a014844da325f534eaa86fbde2793b5c01b0096736da53713131fb016f00b4fb2d5dceea57ab394db7debac586ebd7b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c97b5d4f097ce15bdf202e7de3e8e96f

SHA1
3822743129c886b1472e54d842b04992e2ff1925

SHA256
94f25a3b872083cb56aaf5ec8185974691d233d7ee98c4385b9a8a62f1ef27d7

SHA512
d00167cd96d14a357c631d01832d601a904dc1259eeb401aaa82138d977b3008cb2592db75fc7b45b7ca713dbd31ca0f86061c4fdd22313b491936cb1a7e3f9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bfbee3584cc7e51717b0f1d948bad20

SHA1
b09fa67667d19eae6b85e5c0cfc895c638dbd066

SHA256
a34e1ea46b2fbfe4a86d06c1e454a969e7c47e9525490e37e8545a467ac78d2a

SHA512
f23b57d88ae1059615da58e84256acb3335bc58d0434caf5d80ee5209f45bf9b0c320da825e95eb11c1ed132386e91b27b9efe12532e93450161e94959de2889

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
221B

MD5
a04c36231fdf91fd594f39320c31c76f

SHA1
af4ac9ffda5184d24896d57daa07b8fabd43d711

SHA256
4e6dd6121f37ea8294d51b13cdcdfa7068e18e0f7d659b0be7488105cddd5b11

SHA512
6eb417cd7244a60140ef11038f7f1bd2e2b578c4aef993cabd53b16b6ecbb77cc50988cfcb416bd18e1e9e5c30503a93982826886988f9e4340b96f73e4aea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat

Filesize
221B

MD5
e733cfaea165bbbe25236cdf3c2b7c63

SHA1
9c376f665a5afa9536560668d5634bd9abdd05af

SHA256
02ca8e5778c33ac17aff4ef63bf44056084abc8d7ba732e2b9f3a4e920a2d426

SHA512
377f8b16d5e03fd6b5b2a050e668ab67638180f59e4afa1d86a68461c83ff72d7c8f8b017ab731e43b61a197a1037c58b57a568627cb714951309bf0c0b93263

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
221B

MD5
b856e8c411404c85afa87d6117dd8ac5

SHA1
aa409a862c42a9727a4841f51c2f6ffc637c0784

SHA256
2d5e3fa7d100ca873ccca919c77cbdde341c62495a67fff6ee0c8e07f123aaf8

SHA512
e17ee5bbb1dd91339b20604949a05034f34cf9e09dc739138cfd0f521f27bc5bd08ec0c488937a8f1368fdaab86bd99cd48c41682fae5cb158eda4d887007fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1805.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

Filesize
221B

MD5
4d62a4e55d9b37ba004243e3ddc85c0f

SHA1
4f942d8d868e1f2c2bf9e638869dc0e3e7561fe8

SHA256
b469521951a5dcc317ac64be3c6ba9fb3aa040e6791ffb51ffbddada66730b40

SHA512
a0d679d0980d664813cf975b43eeab13df7d63437bade5acc40168996fc683e250df6272562123e5a09e729311d39899bab079e78da0742b3dd16be7e28d77f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

Filesize
221B

MD5
440e1d91616d4fbc6f22dfe2eb9976e5

SHA1
75b694fbb28c44f04190fe9d85384a8528ef34e8

SHA256
18b073008c040c5e0ed19dde4e1690e8bb9d1df10ca5f0d7f4ff3fb94baab2bc

SHA512
ae02c04135c53a9004143ea7c16660ca5ea0cf2f9c66050f90865b47b28c4509eca5561faafaadd0ac0fa988c12644efe89355d510bff42c00e1dadb8d93c4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

Filesize
221B

MD5
6f11498502cb415a184000026fe3b422

SHA1
908483530b98c8adc8d49ccfb0d247f50c4aad25

SHA256
aa9331493076f3b1ee7b246d19ed40859c98b2961e2b280a5b906122428ea63e

SHA512
94fc1c9ef8ebbf168a68befdc2534972ad764ceae5456181ee0e8e4c47150761e2fd88c905eece2dfe6553a0ba435b7f08e4d90350cbad3edfd7b964100c855b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat

Filesize
221B

MD5
c22590531fd821e1b3050193d88df74f

SHA1
9133c2b9c698e2fb2d94c1701a6594d58c6302c4

SHA256
d066153ebda7d1c2ab79ab2ed757cabc871f504546a9de23e1e89166805bcc5d

SHA512
0ceb56e65c7ea2372b2de4c582d1aac7da065c881fb3682c868042680976e0efb4ff44b30fd7355a3a149e62920d78d4d96ba8e9ce83dd97609090cbbe2a7ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat

Filesize
221B

MD5
607a3ec1449a6b4b9ec40698abdcd3e1

SHA1
e612a7c312e832c60bf661d33d5023f34e8763db

SHA256
16f54a5b3504d749c76896dd4ca023056a8c5eb6178e740055faf82740839dd4

SHA512
3c19bd2f0a06b46560686932c41bea343526f802d49f95ff0fa962d5b6f46170323e9bd71198226746d0a9359c86d6ab2998ca62a226a182dbb354b0ea3b60b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1818.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
221B

MD5
403025090fbd85c795bcf6a3d023d6a3

SHA1
92a47832adfd75bbd02b4deebcd08a6194f8dde8

SHA256
1190793f6bc7c20c36d4120a054f3c9c7b915f209f17b47ba565b3594e2bd584

SHA512
c5a61849a8108de6b0193d5c48e93c16f862ccb409acda4ca9b0192497817b14ad046b8f960e4323c4e86d7d2b446673688e731f725ca3fef6c6fc5bf740d66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
221B

MD5
43864c92431b62774191059d27fd73f6

SHA1
ca57acfb6b36b0afb4f7d08e6828d11936cd47ce

SHA256
bdb174257e5f4c6a0d3f1aaf0e33812dc9c36bfcf469104acd288ae711d5f7dd

SHA512
e8dc9d05577103cc92f5bbcd44b66fa052696829ed1e345fb2e961736abfdf790bf0f50e81907541b52f99e42dce81abdb6a9290cfe3d0938fb65c196a78f722

Download Submit
C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat

Filesize
221B

MD5
708d6bf108eb5af7887b2eabd0acec09

SHA1
03cdaa3e61e73afa7d86488ad4b2811eea4cb2e3

SHA256
43269ec59239c0230a11663b058d8feee22669afa9c50c1411fb69071dc896f2

SHA512
af20afe6c067a473fe45d135f7a60a8fdc2e0895e83bb88bec7680beeefa1fc47fa3bf305b93089793eef67fe9ff38f4d67a24e982033f83b6fe95fdbf9d4cf3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4d241c12e30b2948ac1f5f7bec6c4a04

SHA1
201b3bb7d0c6e8e2578c2f348f9398f344429a65

SHA256
5b5a2405e4126a94e6d09ea5d20c856313b386a8b6d64ff577d5303d6cb10695

SHA512
3fc83ddd8aa4685f781a52794acc4e90a5c85d95b68ed3db59b64d7be54d6f9e59af2cc80d9ac991b3b804ad821c23727570dadbe2fa8088f123e222c2b8b34e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/280-633-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/1684-216-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/1740-335-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2260-70-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2304-13-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2304-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2304-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2304-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2304-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2396-753-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2396-754-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/2528-455-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/2568-71-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2644-814-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/2992-693-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/3040-64-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/3044-395-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download