dcrat | 9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7.exe
Size

1.3MB
MD5

802a93755e5b4f0dd4c804d670cfed90
SHA1

f23db71a4e0dc897d11ee61d14aba4d38e08e85c
SHA256

9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7
SHA512

2e93b2e4fcfe537e07656eb69e4f6e8151e099fa13d307eee53e6baf5b2ebb816a3e527e01274adfb17bf416401b79361ad6edfd34a3023563038cb4d96eabb4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2548	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2548	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d2e-9.dat	dcrat
behavioral1/memory/2684-13-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/1052-80-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/1892-512-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1664-631-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/1808-691-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe
2072	powershell.exe
2176	powershell.exe
1816	powershell.exe
1808	powershell.exe
1608	powershell.exe
2672	powershell.exe
2720	powershell.exe
2780	powershell.exe
2884	powershell.exe
1876	powershell.exe
1796	powershell.exe
1784	powershell.exe
2284	powershell.exe
2596	powershell.exe
320	powershell.exe
2140	powershell.exe
2960	powershell.exe
296	powershell.exe
680	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2684	DllCommonsvc.exe
1052	sppsvc.exe
2600	sppsvc.exe
1564	sppsvc.exe
2884	sppsvc.exe
552	sppsvc.exe
1596	sppsvc.exe
1892	sppsvc.exe
1584	sppsvc.exe
1664	sppsvc.exe
1808	sppsvc.exe
320	sppsvc.exe
2148	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2992	cmd.exe
2992	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
24	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
40	raw.githubusercontent.com
17	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Panther\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\ja-JP\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\ja-JP\56085415360792	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\diagnostics\index\System.exe	DllCommonsvc.exe
File created	C:\Windows\Boot\Fonts\System.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\conhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1464	schtasks.exe
2796	schtasks.exe
1080	schtasks.exe
2024	schtasks.exe
2524	schtasks.exe
840	schtasks.exe
2640	schtasks.exe
1884	schtasks.exe
1592	schtasks.exe
2936	schtasks.exe
2492	schtasks.exe
2180	schtasks.exe
1800	schtasks.exe
3004	schtasks.exe
2136	schtasks.exe
1940	schtasks.exe
288	schtasks.exe
2428	schtasks.exe
1856	schtasks.exe
1788	schtasks.exe
1280	schtasks.exe
1376	schtasks.exe
1688	schtasks.exe
2520	schtasks.exe
2620	schtasks.exe
2940	schtasks.exe
584	schtasks.exe
1164	schtasks.exe
744	schtasks.exe
1712	schtasks.exe
2208	schtasks.exe
2956	schtasks.exe
2004	schtasks.exe
2888	schtasks.exe
2132	schtasks.exe
2772	schtasks.exe
548	schtasks.exe
1784	schtasks.exe
844	schtasks.exe
2968	schtasks.exe
2484	schtasks.exe
2648	schtasks.exe
1632	schtasks.exe
2100	schtasks.exe
2096	schtasks.exe
708	schtasks.exe
2892	schtasks.exe
2928	schtasks.exe
692	schtasks.exe
1912	schtasks.exe
2044	schtasks.exe
2660	schtasks.exe
1276	schtasks.exe
600	schtasks.exe
1728	schtasks.exe
3064	schtasks.exe
1572	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
2600	sppsvc.exe
1564	sppsvc.exe
2884	sppsvc.exe
552	sppsvc.exe
1596	sppsvc.exe
1892	sppsvc.exe
1584	sppsvc.exe
1664	sppsvc.exe
1808	sppsvc.exe
320	sppsvc.exe
2148	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2684	DllCommonsvc.exe
2844	powershell.exe
2596	powershell.exe
320	powershell.exe
680	powershell.exe
1784	powershell.exe
1876	powershell.exe
2780	powershell.exe
1816	powershell.exe
1608	powershell.exe
1796	powershell.exe
2176	powershell.exe
2720	powershell.exe
2072	powershell.exe
1808	powershell.exe
2284	powershell.exe
296	powershell.exe
2672	powershell.exe
2140	powershell.exe
2884	powershell.exe
2960	powershell.exe
1052	sppsvc.exe
2600	sppsvc.exe
1564	sppsvc.exe
2884	sppsvc.exe
552	sppsvc.exe
1596	sppsvc.exe
1892	sppsvc.exe
1584	sppsvc.exe
1664	sppsvc.exe
1808	sppsvc.exe
320	sppsvc.exe
2148	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	DllCommonsvc.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1052	sppsvc.exe
Token: SeDebugPrivilege	2600	sppsvc.exe
Token: SeDebugPrivilege	1564	sppsvc.exe
Token: SeDebugPrivilege	2884	sppsvc.exe
Token: SeDebugPrivilege	552	sppsvc.exe
Token: SeDebugPrivilege	1596	sppsvc.exe
Token: SeDebugPrivilege	1892	sppsvc.exe
Token: SeDebugPrivilege	1584	sppsvc.exe
Token: SeDebugPrivilege	1664	sppsvc.exe
Token: SeDebugPrivilege	1808	sppsvc.exe
Token: SeDebugPrivilege	320	sppsvc.exe
Token: SeDebugPrivilege	2148	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2680	1892	JaffaCakes118_9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7.exe	31
PID 1892 wrote to memory of 2680	1892	JaffaCakes118_9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7.exe	31
PID 1892 wrote to memory of 2680	1892	JaffaCakes118_9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7.exe	31
PID 1892 wrote to memory of 2680	1892	JaffaCakes118_9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7.exe	31
PID 2680 wrote to memory of 2992	2680	WScript.exe	32
PID 2680 wrote to memory of 2992	2680	WScript.exe	32
PID 2680 wrote to memory of 2992	2680	WScript.exe	32
PID 2680 wrote to memory of 2992	2680	WScript.exe	32
PID 2992 wrote to memory of 2684	2992	cmd.exe	34
PID 2992 wrote to memory of 2684	2992	cmd.exe	34
PID 2992 wrote to memory of 2684	2992	cmd.exe	34
PID 2992 wrote to memory of 2684	2992	cmd.exe	34
PID 2684 wrote to memory of 2844	2684	DllCommonsvc.exe	94
PID 2684 wrote to memory of 2844	2684	DllCommonsvc.exe	94
PID 2684 wrote to memory of 2844	2684	DllCommonsvc.exe	94
PID 2684 wrote to memory of 2284	2684	DllCommonsvc.exe	95
PID 2684 wrote to memory of 2284	2684	DllCommonsvc.exe	95
PID 2684 wrote to memory of 2284	2684	DllCommonsvc.exe	95
PID 2684 wrote to memory of 2596	2684	DllCommonsvc.exe	96
PID 2684 wrote to memory of 2596	2684	DllCommonsvc.exe	96
PID 2684 wrote to memory of 2596	2684	DllCommonsvc.exe	96
PID 2684 wrote to memory of 2072	2684	DllCommonsvc.exe	97
PID 2684 wrote to memory of 2072	2684	DllCommonsvc.exe	97
PID 2684 wrote to memory of 2072	2684	DllCommonsvc.exe	97
PID 2684 wrote to memory of 320	2684	DllCommonsvc.exe	98
PID 2684 wrote to memory of 320	2684	DllCommonsvc.exe	98
PID 2684 wrote to memory of 320	2684	DllCommonsvc.exe	98
PID 2684 wrote to memory of 1876	2684	DllCommonsvc.exe	99
PID 2684 wrote to memory of 1876	2684	DllCommonsvc.exe	99
PID 2684 wrote to memory of 1876	2684	DllCommonsvc.exe	99
PID 2684 wrote to memory of 296	2684	DllCommonsvc.exe	100
PID 2684 wrote to memory of 296	2684	DllCommonsvc.exe	100
PID 2684 wrote to memory of 296	2684	DllCommonsvc.exe	100
PID 2684 wrote to memory of 2176	2684	DllCommonsvc.exe	101
PID 2684 wrote to memory of 2176	2684	DllCommonsvc.exe	101
PID 2684 wrote to memory of 2176	2684	DllCommonsvc.exe	101
PID 2684 wrote to memory of 2140	2684	DllCommonsvc.exe	102
PID 2684 wrote to memory of 2140	2684	DllCommonsvc.exe	102
PID 2684 wrote to memory of 2140	2684	DllCommonsvc.exe	102
PID 2684 wrote to memory of 1816	2684	DllCommonsvc.exe	103
PID 2684 wrote to memory of 1816	2684	DllCommonsvc.exe	103
PID 2684 wrote to memory of 1816	2684	DllCommonsvc.exe	103
PID 2684 wrote to memory of 1808	2684	DllCommonsvc.exe	104
PID 2684 wrote to memory of 1808	2684	DllCommonsvc.exe	104
PID 2684 wrote to memory of 1808	2684	DllCommonsvc.exe	104
PID 2684 wrote to memory of 1608	2684	DllCommonsvc.exe	105
PID 2684 wrote to memory of 1608	2684	DllCommonsvc.exe	105
PID 2684 wrote to memory of 1608	2684	DllCommonsvc.exe	105
PID 2684 wrote to memory of 2672	2684	DllCommonsvc.exe	106
PID 2684 wrote to memory of 2672	2684	DllCommonsvc.exe	106
PID 2684 wrote to memory of 2672	2684	DllCommonsvc.exe	106
PID 2684 wrote to memory of 2720	2684	DllCommonsvc.exe	107
PID 2684 wrote to memory of 2720	2684	DllCommonsvc.exe	107
PID 2684 wrote to memory of 2720	2684	DllCommonsvc.exe	107
PID 2684 wrote to memory of 2960	2684	DllCommonsvc.exe	108
PID 2684 wrote to memory of 2960	2684	DllCommonsvc.exe	108
PID 2684 wrote to memory of 2960	2684	DllCommonsvc.exe	108
PID 2684 wrote to memory of 2780	2684	DllCommonsvc.exe	109
PID 2684 wrote to memory of 2780	2684	DllCommonsvc.exe	109
PID 2684 wrote to memory of 2780	2684	DllCommonsvc.exe	109
PID 2684 wrote to memory of 680	2684	DllCommonsvc.exe	110
PID 2684 wrote to memory of 680	2684	DllCommonsvc.exe	110
PID 2684 wrote to memory of 680	2684	DllCommonsvc.exe	110
PID 2684 wrote to memory of 1784	2684	DllCommonsvc.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ae185d2b2a211e0bfebe0ff0451cd0a8c44fe9a75646226edf7b304ea7631f7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\ja-JP\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        6⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2272
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        8⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2896
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        10⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2732
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
        12⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2764
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"
        14⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1776
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"
        16⤵
        
        PID:2036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1356
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
        18⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2764
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
        20⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1368
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
        22⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2144
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        24⤵
        
        PID:2868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1744
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"
        26⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2340
        
        C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Panther\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Downloads\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ccbaa432048e22be0be51fca6c7ff97

SHA1
bbe72e08398d125ac60e0ccc0fac6f4f21c09676

SHA256
3cb12f9b8dacb155d217de0804f77db50978aa76ec021232a8608aebf8fc8647

SHA512
d6b7136f002b94d6e76aca5ab9835d9e05d394bf2f3085e8ac4cfe715265619203e6c62d287d20f9c4322bd5552b8a6bac2f1da33aa5c03d56c532d62d342135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
222228b687fdadc9f87e68e7f1007442

SHA1
dab7a501c14321aee952bb847bf27d0a26c8a7ca

SHA256
417b6edaf1824bf9a400bdd893a05a3f7535e2da011a630ea2108b3a87abc98f

SHA512
801343ddda0e378efcb43616200858f99d583317e08b7e3b087b7d7f54f460eaf8eb9ba21fdd5dfe0a12728a9cac099e1b28c2bf13944d39eaefc5248788f129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f65fbfcb446110336d22ca66507fc27

SHA1
8abe389dea675d31d4250ca6632661a6265b99ec

SHA256
59801e34e77120f7f92a50af4eb6d041f065315caed656b5e36059e8dd9154b4

SHA512
af113a3ccee1a204fbd8aaa63633644d5f95c4d923272294841b660eb88251ffc652c5f6641c83faba5242cf6257e0b29bf7d8a30c7c9a5761196b2cb75cf053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2a7822bcc668002bfeed47ac0966426

SHA1
444af2c48585c011ff2acf9ee111fbba292097d4

SHA256
570f0499dcb9ed00d7810f2e6ff629f620257c31cf17d0f1884f0ead618fad6a

SHA512
289ffd5107a57155c8d105fe2e2cccca27dac9b17a1315e1aa4231e4c756120835d3416be72d8e5da4e7f042d01b6dff126d39dc6e814acb27a79e97889763e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5192dc7b9bb87f807b20f26eafc4f9b6

SHA1
88ad23e8380c893a19afaca64d164eec1d5a01b2

SHA256
75f6b179f888530f8fa5871f7bf8a9737cae0d77f7446bd05f83c10c64f77d20

SHA512
3222195be480f48d1b266a1dc480cafbef477e1ffef73d83b97f41e7926a57754814274e77f29e5adf4df780bbdafb73ef599ac41cc238df1d0b25ae18652097

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78b2e14ae0737ba5a66b3aa16a45cc30

SHA1
07dc954061dc1e286b9a6ab9e99178e06f975e07

SHA256
0ff324cd3e362d88764bcc11ad2f720c23421710776b18df085d2e488558adca

SHA512
cfaaea1d9f98e5d1c9131bc8233001fd4c1eecba43ee349e2733e490697ca13e985e7c9f2b75c6f4c0fb8636ebec66f5cc1af39a83020e2662d81c6ebe6885bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7eea30d5bbeccb7a533ecac424ba6b7c

SHA1
5ee362aa3a63145b9a0efc50b0228d7821a300f3

SHA256
194d3a80ea0767ed60214aa3b1e13d36743aa4d7153e6428695d9738580eda9c

SHA512
4a3a0af6ce00634cb25e5fbbd18c853f1c4b5e98dd520c969cdcf8dcea781efc938ee4bec26383ab74290fe5cef1db98fb20b8f298d426b36c65fdda51f9f55b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72b4d3c03c661b3e0ad4def9583402ae

SHA1
2b4a5a1eaa004ed5011a5e4bcade2f8cf35f50a3

SHA256
a95bd2e954f690632947388b9ca35a143ef1fe2f27c86d33543b641ed36ff716

SHA512
6c4f7b83a447019da9bcc808ece85f275264dfb89f2fc526c27f4fb8c43379806ee5dd49f5453296a95a318553fb8c8800ea2892fa5dcae811f1a32cbd226d08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80c67099af5cbfebdc7eaff1f5114369

SHA1
4721bf93a53df6a3afb331a5e77be806e40035d3

SHA256
297c20902b5064e2b7d54ee1f031a10a8aae30b221b0b2fe89217a3eaad45f11

SHA512
befbcdc9d68918770002b3775ffb838cdbe2292e56973934b4ecf0ac8f08748b6da873fdc866df16b18209668e436a8cce83edfa7d74e265b0cee7cc2a8b5302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aca83e17093f9def318ff8c2dbf4dd3

SHA1
43f24782cc3845314f77425ee57e946469144e25

SHA256
da5dd514296728502e5092ebed23b38757f448975463f25f8fd23a161afd94ca

SHA512
36bf76b1ac649820ce4616bf4dd25289e64a369cf5f8a0f1ae7975512340ff73d9b417a9d63e76da98104b4678803ff6d5947f6fecded5e2cb949c04d4897f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

Filesize
215B

MD5
8335a739f53696f0e9acfad6df764dc2

SHA1
2ae57f52586f1ac2b4c6b5a5bbf92f00340db055

SHA256
6f46f3ba5a93977236ac241c12aee810453ec45d200d1a8cab35cad9c7d2f426

SHA512
5ada94f2978370549322438457b2fdb09852431440a5d3d1b59f8b3f8678fba93ca268dc9e5d9b1d2acbcc028c6bdcc22935a85795bf74c074eb20f1618f6144

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2DF5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat

Filesize
215B

MD5
67b92c7105f5bd8642a853ff3081e074

SHA1
3bbdb21c1c8499d2041dfe6c7eeeb95bc2c4bb11

SHA256
9bf301414ef4b598dd88e5537b11a82b5c620a3c98a7003118c53202c68cc121

SHA512
4f91be28a154515b689453fbb81f9d62f8dc05e340337703d748caec22699f5f7559aba1db4c3cd4770ebe9b0e96c9cb95c99b45443230c3135551c83e9a422b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat

Filesize
215B

MD5
eda5166b86fac7471cf6eb758967c347

SHA1
9dbb25aee1c843283597c59ad78b451e2b370f17

SHA256
c67acb2748e561daa9c6d225fc0109d5b092a8e317fdec0a957b53ee0834537b

SHA512
616e38b12f450e6dad5f75e7c05a03335cf7c28ca3a7e74d683040f25b67f8c973bacfe231ff6cc72e37d2a796ebbea603b54316c4e559384f5de73cc2bd7466

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
215B

MD5
c94185ad1d911f98a558e1b7f3e9ecbd

SHA1
67089c15559ee5d1d20a650cee155e62bd863735

SHA256
bf6e510682fca779d642203b8b838655fb4ab49ed1138ab79fa3e57c631a67fc

SHA512
3c37b83e14f03d78e672dd4dd7474a29d7a2a980d4262236113d426517708fed0933d6bdd62a48d546aa089720a32652e3bdb51ec34a9fee7e7c06e7f75e82ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat

Filesize
215B

MD5
1c6ea9154b16e163f186eabd5e354adc

SHA1
c847717e24eb558c6c639b5590fa03dc0bacc20a

SHA256
adcabcdc060532f3bf7e0980f7d24245de3915f7432624ba7a7eea1741e9b7f0

SHA512
064a07996027ea013eeaaf31de99c4721437474a9e946dcaecd5b9b5eba3cf4848838265fe4efc113f57e4e8da93b8e230d9cdeb53cdf3cee9e4b9e9bef2b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat

Filesize
215B

MD5
d834830aba0857a3e8d302185f1c9080

SHA1
52462f36556c90362fdb485853ea7dcf8284b037

SHA256
cee59e9500ffabd9387e759111b532dae11155abd34583649e448d2ff40dced9

SHA512
04effa334c52c3a7838b7fe190ebbceaa57baa8e5e6d32c238dec99207b8fb921b12f7f89ef035b2ab82190ab2a796f615b2d02ec6756d166942892bbc4db555

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2E17.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
215B

MD5
00a99824abe32966fda59535dbf436cf

SHA1
49ce43909aa62a5b3c3e979e72018e2b0dd0588b

SHA256
a1bb5e04ae3eebae03f0bdf5f9f4d9167613effee332b0835d718f9519261304

SHA512
73826c3a9f649640bbe394e00f051fed1f5ff658816d5fa6ab7f53ecf94b0354c34b0a3b5770ef83749f5cc6215fcc0e99901f07f41a987073c1c06f71fdf519

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat

Filesize
215B

MD5
5ef6db8b80b472f90397035327e9fe24

SHA1
1d46d50f301bc0575b7a402e49d37bd7352fa2e0

SHA256
4cffbb264a0fd8ddc26024371ce16ecbf424e655d664f56aad638dd2fc3aa5a2

SHA512
b25c929fa01ff47d645f499a32ebe7fbf211489afb0d10caee2d300da404829bb1f7c90931545a5c0aef1b0b15da7dca1fa693629f56a6d76cf439294aa738bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

Filesize
215B

MD5
f68372ff02479171897a7a0e4102baca

SHA1
ac34ff3219fc6103678934258bc2c0759947573e

SHA256
8ae07ad040fffbd01c8e28136e7246b7b64249d75347f161df9da746950eb440

SHA512
3f19a7b4267f2ce505bf8063657fdd36186efbacecbc2d3675f6dc4e7c256faff57f8116598aa85a7bf918bad66e037a534c9b071bf90bfe1737f8bd8789c948

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
215B

MD5
f55c77d663fc652225e8b0dc703e57a9

SHA1
a1be1cb09c2984e442657925f12cb1a4458ebd19

SHA256
5d6fddf608bf68fe6ca29d30072095be43288d9494ed196f86dec927586f20e5

SHA512
9bab5913123294ca50164eaa01f0abd7940dafd434dc8f374e8a90d717ebf57c4babd70bb54c10ccc49adab082faaa4f079f09223ed2acca8563dcf2c9e3eb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

Filesize
215B

MD5
552c3df04ae628a63ac1fd4af1ba1804

SHA1
61426aac2eeb5240e0b8fa27e7e4b9461b7c5953

SHA256
a61fb3450a3dc48e81713a53bcbd71102982c6170afa95bc9a12369882b33aa1

SHA512
23d1e152c0a56325c16e556530f7c2a079db59bea3a45ce2fef108f711aa74b0eee3d17d1c9a160d92254520c4fab916a416fa230592ae902b70326d0264fc72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0566d9744661ad87cfbf79db727d48c9

SHA1
951842d1f299b5415040d06ecd6bf04720baaa67

SHA256
b10d066be93c8e458b3c98730a4c79873ef72230dd857184ea217377c0dd90b1

SHA512
eba174012963a0d48e046de99b7797126999964f6d37c95bb447d3c5b03c4ff3e4e2a6e203fa159b96efafb6a2ec10aca12334a55c99a9b2621810a5ac94d53a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/320-751-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/552-393-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1052-80-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/1664-631-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/1808-691-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/1892-512-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2148-811-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2596-78-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2684-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2684-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2684-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2684-13-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2684-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2844-77-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download