dcrat | b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee.exe
Size

1.3MB
MD5

db7445abcc7e602ce3549504ca0d792c
SHA1

0e7f3f56937b2dcec9cc4fa1ab4897dde397eaf6
SHA256

b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee
SHA512

bf885e254789dd776a2541cc96718111ff77d8d76f77edc7f3f19a9bb6ee094714226a84093ddef1ba872f191c247c5708c6c02f042f1f4d855ce7a1a97d25e3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1508	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1508	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193c4-9.dat	dcrat
behavioral1/memory/2820-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/2036-93-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/2528-224-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2732-343-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/1788-462-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/1708-581-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/1256-641-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/2860-701-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/2548-761-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1324	powershell.exe
1080	powershell.exe
1536	powershell.exe
2564	powershell.exe
2164	powershell.exe
1476	powershell.exe
576	powershell.exe
2988	powershell.exe
2204	powershell.exe
844	powershell.exe
1040	powershell.exe
2708	powershell.exe
2356	powershell.exe
2072	powershell.exe
756	powershell.exe
2992	powershell.exe
2960	powershell.exe
2600	powershell.exe
2116	powershell.exe
2780	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2820	DllCommonsvc.exe
2036	WmiPrvSE.exe
2528	WmiPrvSE.exe
2640	WmiPrvSE.exe
2732	WmiPrvSE.exe
1144	WmiPrvSE.exe
1788	WmiPrvSE.exe
2572	WmiPrvSE.exe
1708	WmiPrvSE.exe
1256	WmiPrvSE.exe
2860	WmiPrvSE.exe
2548	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2568	cmd.exe
2568	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\DllCommonsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2400	schtasks.exe
2388	schtasks.exe
1936	schtasks.exe
2452	schtasks.exe
2796	schtasks.exe
2592	schtasks.exe
2168	schtasks.exe
1980	schtasks.exe
2688	schtasks.exe
1700	schtasks.exe
648	schtasks.exe
2836	schtasks.exe
596	schtasks.exe
1596	schtasks.exe
1296	schtasks.exe
2368	schtasks.exe
1940	schtasks.exe
1808	schtasks.exe
2448	schtasks.exe
2016	schtasks.exe
836	schtasks.exe
944	schtasks.exe
940	schtasks.exe
1540	schtasks.exe
2616	schtasks.exe
884	schtasks.exe
2288	schtasks.exe
1708	schtasks.exe
2892	schtasks.exe
2180	schtasks.exe
1916	schtasks.exe
1908	schtasks.exe
344	schtasks.exe
1472	schtasks.exe
1560	schtasks.exe
2208	schtasks.exe
2120	schtasks.exe
3008	schtasks.exe
1684	schtasks.exe
2888	schtasks.exe
2780	schtasks.exe
1764	schtasks.exe
352	schtasks.exe
2432	schtasks.exe
1920	schtasks.exe
2456	schtasks.exe
2532	schtasks.exe
992	schtasks.exe
1520	schtasks.exe
1688	schtasks.exe
1268	schtasks.exe
2000	schtasks.exe
1528	schtasks.exe
2792	schtasks.exe
1312	schtasks.exe
2492	schtasks.exe
1672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2564	powershell.exe
2600	powershell.exe
2356	powershell.exe
2708	powershell.exe
2780	powershell.exe
1476	powershell.exe
2116	powershell.exe
2072	powershell.exe
2960	powershell.exe
1324	powershell.exe
2036	WmiPrvSE.exe
756	powershell.exe
2988	powershell.exe
1080	powershell.exe
844	powershell.exe
2204	powershell.exe
1536	powershell.exe
2164	powershell.exe
576	powershell.exe
2992	powershell.exe
1040	powershell.exe
2528	WmiPrvSE.exe
2640	WmiPrvSE.exe
2732	WmiPrvSE.exe
1144	WmiPrvSE.exe
1788	WmiPrvSE.exe
2572	WmiPrvSE.exe
1708	WmiPrvSE.exe
1256	WmiPrvSE.exe
2860	WmiPrvSE.exe
2548	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	DllCommonsvc.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2036	WmiPrvSE.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2528	WmiPrvSE.exe
Token: SeDebugPrivilege	2640	WmiPrvSE.exe
Token: SeDebugPrivilege	2732	WmiPrvSE.exe
Token: SeDebugPrivilege	1144	WmiPrvSE.exe
Token: SeDebugPrivilege	1788	WmiPrvSE.exe
Token: SeDebugPrivilege	2572	WmiPrvSE.exe
Token: SeDebugPrivilege	1708	WmiPrvSE.exe
Token: SeDebugPrivilege	1256	WmiPrvSE.exe
Token: SeDebugPrivilege	2860	WmiPrvSE.exe
Token: SeDebugPrivilege	2548	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2056	2628	JaffaCakes118_b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee.exe	30
PID 2628 wrote to memory of 2056	2628	JaffaCakes118_b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee.exe	30
PID 2628 wrote to memory of 2056	2628	JaffaCakes118_b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee.exe	30
PID 2628 wrote to memory of 2056	2628	JaffaCakes118_b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee.exe	30
PID 2056 wrote to memory of 2568	2056	WScript.exe	31
PID 2056 wrote to memory of 2568	2056	WScript.exe	31
PID 2056 wrote to memory of 2568	2056	WScript.exe	31
PID 2056 wrote to memory of 2568	2056	WScript.exe	31
PID 2568 wrote to memory of 2820	2568	cmd.exe	33
PID 2568 wrote to memory of 2820	2568	cmd.exe	33
PID 2568 wrote to memory of 2820	2568	cmd.exe	33
PID 2568 wrote to memory of 2820	2568	cmd.exe	33
PID 2820 wrote to memory of 2564	2820	DllCommonsvc.exe	92
PID 2820 wrote to memory of 2564	2820	DllCommonsvc.exe	92
PID 2820 wrote to memory of 2564	2820	DllCommonsvc.exe	92
PID 2820 wrote to memory of 2600	2820	DllCommonsvc.exe	93
PID 2820 wrote to memory of 2600	2820	DllCommonsvc.exe	93
PID 2820 wrote to memory of 2600	2820	DllCommonsvc.exe	93
PID 2820 wrote to memory of 2708	2820	DllCommonsvc.exe	95
PID 2820 wrote to memory of 2708	2820	DllCommonsvc.exe	95
PID 2820 wrote to memory of 2708	2820	DllCommonsvc.exe	95
PID 2820 wrote to memory of 2072	2820	DllCommonsvc.exe	96
PID 2820 wrote to memory of 2072	2820	DllCommonsvc.exe	96
PID 2820 wrote to memory of 2072	2820	DllCommonsvc.exe	96
PID 2820 wrote to memory of 2356	2820	DllCommonsvc.exe	98
PID 2820 wrote to memory of 2356	2820	DllCommonsvc.exe	98
PID 2820 wrote to memory of 2356	2820	DllCommonsvc.exe	98
PID 2820 wrote to memory of 2164	2820	DllCommonsvc.exe	101
PID 2820 wrote to memory of 2164	2820	DllCommonsvc.exe	101
PID 2820 wrote to memory of 2164	2820	DllCommonsvc.exe	101
PID 2820 wrote to memory of 756	2820	DllCommonsvc.exe	103
PID 2820 wrote to memory of 756	2820	DllCommonsvc.exe	103
PID 2820 wrote to memory of 756	2820	DllCommonsvc.exe	103
PID 2820 wrote to memory of 1476	2820	DllCommonsvc.exe	104
PID 2820 wrote to memory of 1476	2820	DllCommonsvc.exe	104
PID 2820 wrote to memory of 1476	2820	DllCommonsvc.exe	104
PID 2820 wrote to memory of 2116	2820	DllCommonsvc.exe	105
PID 2820 wrote to memory of 2116	2820	DllCommonsvc.exe	105
PID 2820 wrote to memory of 2116	2820	DllCommonsvc.exe	105
PID 2820 wrote to memory of 576	2820	DllCommonsvc.exe	107
PID 2820 wrote to memory of 576	2820	DllCommonsvc.exe	107
PID 2820 wrote to memory of 576	2820	DllCommonsvc.exe	107
PID 2820 wrote to memory of 2780	2820	DllCommonsvc.exe	108
PID 2820 wrote to memory of 2780	2820	DllCommonsvc.exe	108
PID 2820 wrote to memory of 2780	2820	DllCommonsvc.exe	108
PID 2820 wrote to memory of 1324	2820	DllCommonsvc.exe	109
PID 2820 wrote to memory of 1324	2820	DllCommonsvc.exe	109
PID 2820 wrote to memory of 1324	2820	DllCommonsvc.exe	109
PID 2820 wrote to memory of 1536	2820	DllCommonsvc.exe	111
PID 2820 wrote to memory of 1536	2820	DllCommonsvc.exe	111
PID 2820 wrote to memory of 1536	2820	DllCommonsvc.exe	111
PID 2820 wrote to memory of 1040	2820	DllCommonsvc.exe	112
PID 2820 wrote to memory of 1040	2820	DllCommonsvc.exe	112
PID 2820 wrote to memory of 1040	2820	DllCommonsvc.exe	112
PID 2820 wrote to memory of 844	2820	DllCommonsvc.exe	113
PID 2820 wrote to memory of 844	2820	DllCommonsvc.exe	113
PID 2820 wrote to memory of 844	2820	DllCommonsvc.exe	113
PID 2820 wrote to memory of 2992	2820	DllCommonsvc.exe	114
PID 2820 wrote to memory of 2992	2820	DllCommonsvc.exe	114
PID 2820 wrote to memory of 2992	2820	DllCommonsvc.exe	114
PID 2820 wrote to memory of 2204	2820	DllCommonsvc.exe	115
PID 2820 wrote to memory of 2204	2820	DllCommonsvc.exe	115
PID 2820 wrote to memory of 2204	2820	DllCommonsvc.exe	115
PID 2820 wrote to memory of 2960	2820	DllCommonsvc.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b963bc8ebb59408dbf1c96ef1141179cda94583176071a305830f124a0d5aaee.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
        6⤵
        
        PID:1348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2588
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat"
        8⤵
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:616
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        10⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2040
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        12⤵
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1708
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
        14⤵
        
        PID:572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2380
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        16⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1040
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
        18⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1772
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
        20⤵
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1920
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        22⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1076
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"
        24⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1496
        
        C:\Program Files\Windows Journal\WmiPrvSE.exe
        
        "C:\Program Files\Windows Journal\WmiPrvSE.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
557a4db26697f5dd973d6df1b6bc37a7

SHA1
79a3a40619a93414e4b371348ba4a6d546ecb04d

SHA256
03302adbfec03de5ff73219f1913943ec56b397ec24a3189cda4187cfed64d3c

SHA512
b077e323701e6f610d1712fea7f91cce934572539df89d3236fbec2039ac452624ab3666a3f65de3dceaa86b517e00b2450de2aa1e5cc9fdcfae06404b27b7cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f8decf0d8d581c7162739f22a0cdb1d

SHA1
392fe812e3e2f5267e9f5fadf027a8e124f74c5a

SHA256
c82fc3d43580875c6da97e44b7a2c0229f527b424f57588bc0a3032c11f6865d

SHA512
0104712c0280cdacf4e551cfa5b0acf5fac3abb2ff7178378fe1fa35b50ef898474a95ce9ceceb678af6fccb04d80cc08a015e3f3ecd12345ed8ea7fc72f1a0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a188e1f745e36a5a9d7e2ae4f2d6410

SHA1
78bd41607e28c74e30c494a689911d7181fad51e

SHA256
25da7d094de9a4025826d83e7e653a33eba18948000b890c22018d2f28475c62

SHA512
05e71250a7a72c835a8748b266effe2ab5fe3f832ce22b9921453ae7709058169d2bf9e66c5d6b8c77f30510d175b7317ddc73ed8713a8c60fbaec2ac6caf5a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6011155e907d45c298f8f35c45e0224e

SHA1
5c685d5fe6df013915b6a2b34346d8b622a00846

SHA256
1a4f17a91c0030fcc0e11204f59b239c8583a40e4f6fe8f43559e4dbb2562497

SHA512
d597da7863287a76cce4662cdeff9c6fdd04c42dea065b0fc90329faf1acf521f1659ad1b0e3489f3c600fdedb4179d3c032181fcb5d81a3d13faba51849c5ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
938000c4daa5c43dbdc95daaad48b660

SHA1
3c178b780f72ea650d781493efc7a6d5593a22db

SHA256
83e5eccb3dc0559a9b9a0f67f9201e7105bce6ec24627617df1dc0f59119e2cd

SHA512
c7100a574fbf7c43fea7124fc19ee9044b2a84f904b3ac6bd5e61ea503346b700b5a15cbc8f63c54fe3f1835d030e32aaaa5ee66d772e044b7dbc3034115648a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b808c3421e2c06301b76a4382efecde9

SHA1
de74cacf7f4b2af735380c1e248c41f691904db5

SHA256
a1c14e48769cdee4a494be2c17d09c0e554ad856a597109d8312de331d7e55d0

SHA512
fcaa5649d4806c5cb4930041e5b2e1c9b84ca974e46ec969f695c227e2acfb0fdff5297d9df2cd295a44e7887c3b4da125a25400a2dc8fb99fd2734a61077e2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f4fe768985d9bc3b2cc1c352ea4d8f9

SHA1
4210391416ebcb1acb742cd2f822f8e8fed30e74

SHA256
94bf15b4c1dcc56e85ea8efedd52485be05ced36e04ea31fbc79aa82a8496049

SHA512
99d689bedacca1917d145fddcef479a536fc0b56d7c3f3c0de28b0f5ac52ce0646e3b70a960987c967cbc703ab72ec146ea0fa9fe25ee979b53d9eb6009412c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f97fa9f37619b5dd111d6e3dfa077bc6

SHA1
78f88be32594a27f114eb3a048a1648adc443939

SHA256
381fb7ac6cecff40fdf8780b03a0c95710b88ef733ded71c09a3c0059b555f1a

SHA512
92a0a775eb48b1e35fd5473750bfbe1fe0e411f890393245b0b08da6787078215f69898915ae8834d0055c49f56b97b0ba2007659b4fc2202aa94b7deaccdae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b496a157938d3a1f7c2fefcf20c07c6

SHA1
30b3ba5990c3df05447d986b7d37b600ee389eb7

SHA256
a5c43ee5de8abaa87a961546874739d371c285bb35a28969725e4ca1c1830e47

SHA512
dade67cb1aa16b3cebadca3da31b10958066f2ea6441a6057e338ce600d0be4b171f3fd6c1634c2a64d800a336b083850315947ff348e69e2152498e9908bdd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat

Filesize
210B

MD5
ee51406121203b644d4dfa9c223dcbd2

SHA1
4c7751c093eb6ec75f0d36487fa9fcfb3177018f

SHA256
2f5a65f97faa141428435bddbfc174c4e83c0ecc9646d4ff2acc07b391087fbd

SHA512
a6c5ff4d2a3debcced47271b98c28064693f1c3ec2ead4a804069fcba99b45ff70dd0426da9c6e6cf9b80db45b4f1d56fdcf5b3226a5fa92c6751ad508eb7138

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
210B

MD5
f9dda8b002ffd07969e56e6410c2baed

SHA1
463dc35fbbbbfc94f2daafaa7883bc94d36a9156

SHA256
cdd6a371d2c62158a508618f3b8dd341095cbf8c869368e81cead0d114f1eba8

SHA512
d7eccc0f2735e533cef3d7de7495de3be3afb4d8d5855d29c58caea9fc64f16b775e69c4e177ab00cc71b14a09845da9c3b508e0a2dbf25d7927707d8f682c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5276.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

Filesize
210B

MD5
920255007a6c3136f1415af9167ce2e7

SHA1
8998c48c68a9b526deefba6ea8fe4f17fb8f1f46

SHA256
598a2e9d0da1b4237874c556f836861a920bfab4a2551eb582f1bb0eb8c88f82

SHA512
7c7f496ff24611ea4040ced11bcd3cc63b087e17327a4a906144dc577be7dfa4b690bb2c9aaf40bb06e5b9895a5dc024ee221e93c0ccc58fa2546c0968592ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQn77QEoUi.bat

Filesize
210B

MD5
43ab0ebf081d750edc17ba2b338b503b

SHA1
a875f2c1d480188d5429f5ae9b0eb68992e4b032

SHA256
4013f03e05124256527b343453a98133e0bd9d40e0aaa3c46e88891d50f06221

SHA512
ef8d1c8de9af4a2be3453ef25a091b56824625853251b9ec52915c612259c4fd8064e1a799e869af8c4c55ce6932e086ba30fa7e9829530ca698d450313e6f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
210B

MD5
94b7977f79ac378197389c24ede0cf1c

SHA1
854a20d129f0080eb7aaaa96a7dd2e4712eee438

SHA256
040f4fcddf8adf4cd653e8ae8f253fe65781b6542a32d1809da6338621d02765

SHA512
ba131a41c4dc863bb67cd9676e9a33740ebacfc97187c0129f100d8809a8803a49367420c61151da937eafb929e1e83d10c8aef27c1e7e7da7c2184e9e8f602d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

Filesize
210B

MD5
c1c6ff80024fc1e84e3033d10cd3d63d

SHA1
bb9680f5ec34f04a0e67715d92e217bc4a6fd3c0

SHA256
0528c97cebf0baece7e5242f2647064a55f41f209cf1d30ccf53f9f14a5555db

SHA512
074c7793ded1399aeb0d0f08b5ea4030db1b5d4987072c2d085f1ff5fe4bcbedab1f638ed783f6d6450a0a185f92a46c2c2bc3b8d95ff3eb9697cb69ba5d9232

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
210B

MD5
f1ca23df507075f378c23a801c500745

SHA1
f070cdd64af9137d78b37de8fac690020a1eeace

SHA256
81d09133de36d63460a030cc6b73b25be24095b8a419bcefed956125b4ed1145

SHA512
084e75c04fd849d9263d43e67e3eb7b881ac5db654f432ec609dd4a85f45e5a15d342c47a499dfa1fe17d582816be012f6968155feeeafa5fefbe04e18ce575b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat

Filesize
210B

MD5
48a612a0b529eb9db627a63d76f979d4

SHA1
02d5b6c77345f0abd445c5ab312c0f998998c9cd

SHA256
b4cd2391e2d4f90c1c8eca2161b6127026a32236b267dbb4c928a181abb5efb1

SHA512
f3eea6611489cc10a10005fd035a0ceae532d67820a5aa023c82b2c0f11d38d02639994def7e5b524e8c76962aa9bafe33036a896cb1a6be1a5b6aee2cea3860

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5279.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
210B

MD5
2a4a20d0778f88ab70d142f4dab177e6

SHA1
dc8b5bf877ec5311de11be18022dd777228c4a86

SHA256
68c5fd15ce1d3e3015c3b37dae4fe8eee7d874129dd35640d722368a5d5b4578

SHA512
d319c15d618c495fd510f532c0db9305841695498c6484cd86c1e8719ecfa343911add4687be22129b51b98918416d1fc6e7954b5b46f3a5d8f42d94bc7c52a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

Filesize
210B

MD5
d1c93740c682d18144c1771533ee8009

SHA1
333e9b182971f7819427d0246819922950314145

SHA256
2c490f5f827f2b93027e1d856df47bfb3e4ce0634075665e0f7bde039e0366cd

SHA512
c8fd5e4f8ad6cc490acaf3bf433ddaeb92b8020eaa9773c8600cccc88ecadfa3831f6152750127fe9f5e2fbe8f8301f2ee34f824bdf33ee04e63a96e69385b6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IOAJZUPYTXC3V7Z7T9SC.temp

Filesize
7KB

MD5
d86cbb4471ddbe87012c75cb17873d32

SHA1
3c2088e921cccab70053163d0a755084bbb550c1

SHA256
62bb62606f9ccfcf2f9bac21651888b773baf9cbef9888bfdd34a6c281e9c183

SHA512
1f33fc040695300c3b7e7e82682ac87997118e8180eeb4701823258d359bdaaaab5dfce34e271000307737de5773d6bc04e713129ce04362ac729ea8c0a9789c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1256-641-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/1708-581-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/1788-462-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2036-93-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/2528-224-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2548-761-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2564-66-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2564-67-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2732-343-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2820-17-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2820-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2820-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2820-15-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2820-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2860-701-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download