dcrat | ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed.exe
Size

1.3MB
MD5

cd91a2e3175abbc3c2c1dfdd5495c28b
SHA1

3bab62947c58143761b717d4f6777ccb44f1cf09
SHA256

ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed
SHA512

32329330db3e3db2888d88777822e164f0dff36a6039c6b74f46c2eefc9e2ce12b0bb0ceba12ca4ff1a53bdfbc3eac88e242ded8a1bf806db764d86a7a1abf7c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2976	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2976	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d0c-9.dat	dcrat
behavioral1/memory/2256-13-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/1744-65-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/2196-196-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/2120-433-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2412-493-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/3004-553-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/1248-613-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/1664-673-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1408	powershell.exe
3008	powershell.exe
2860	powershell.exe
2208	powershell.exe
2280	powershell.exe
2168	powershell.exe
840	powershell.exe
608	powershell.exe
2244	powershell.exe
2732	powershell.exe
1324	powershell.exe
1832	powershell.exe
2580	powershell.exe
2088	powershell.exe
1016	powershell.exe
2676	powershell.exe
2560	powershell.exe
904	powershell.exe
2452	powershell.exe
980	powershell.exe
1324	powershell.exe
2344	powershell.exe
2440	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2256	DllCommonsvc.exe
1744	DllCommonsvc.exe
2196	explorer.exe
1720	explorer.exe
1308	explorer.exe
1708	explorer.exe
2120	explorer.exe
2412	explorer.exe
3004	explorer.exe
1248	explorer.exe
1664	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	cmd.exe
2040	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\it-IT\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\it-IT\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\services.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2812	schtasks.exe
1944	schtasks.exe
2436	schtasks.exe
1492	schtasks.exe
2316	schtasks.exe
536	schtasks.exe
2596	schtasks.exe
2964	schtasks.exe
264	schtasks.exe
2052	schtasks.exe
1964	schtasks.exe
2880	schtasks.exe
984	schtasks.exe
1784	schtasks.exe
2344	schtasks.exe
2608	schtasks.exe
1620	schtasks.exe
2804	schtasks.exe
2884	schtasks.exe
2160	schtasks.exe
1304	schtasks.exe
1528	schtasks.exe
760	schtasks.exe
2888	schtasks.exe
1224	schtasks.exe
612	schtasks.exe
2876	schtasks.exe
2260	schtasks.exe
2996	schtasks.exe
916	schtasks.exe
3036	schtasks.exe
2572	schtasks.exe
984	schtasks.exe
2328	schtasks.exe
588	schtasks.exe
2812	schtasks.exe
2536	schtasks.exe
2152	schtasks.exe
1436	schtasks.exe
2540	schtasks.exe
2156	schtasks.exe
1152	schtasks.exe
580	schtasks.exe
2380	schtasks.exe
888	schtasks.exe
1704	schtasks.exe
856	schtasks.exe
1540	schtasks.exe
2632	schtasks.exe
2536	schtasks.exe
2248	schtasks.exe
2584	schtasks.exe
2184	schtasks.exe
2924	schtasks.exe
1832	schtasks.exe
560	schtasks.exe
2336	schtasks.exe
2532	schtasks.exe
2860	schtasks.exe
1320	schtasks.exe
2784	schtasks.exe
2552	schtasks.exe
840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
608	powershell.exe
1408	powershell.exe
840	powershell.exe
980	powershell.exe
1324	powershell.exe
2088	powershell.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
904	powershell.exe
3008	powershell.exe
2208	powershell.exe
1016	powershell.exe
2452	powershell.exe
2676	powershell.exe
2280	powershell.exe
2344	powershell.exe
2580	powershell.exe
2244	powershell.exe
2560	powershell.exe
2860	powershell.exe
2732	powershell.exe
1324	powershell.exe
1832	powershell.exe
2168	powershell.exe
2440	powershell.exe
2196	explorer.exe
1720	explorer.exe
1308	explorer.exe
1708	explorer.exe
2120	explorer.exe
2412	explorer.exe
3004	explorer.exe
1248	explorer.exe
1664	explorer.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	DllCommonsvc.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1744	DllCommonsvc.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2196	explorer.exe
Token: SeDebugPrivilege	1720	explorer.exe
Token: SeDebugPrivilege	1308	explorer.exe
Token: SeDebugPrivilege	1708	explorer.exe
Token: SeDebugPrivilege	2120	explorer.exe
Token: SeDebugPrivilege	2412	explorer.exe
Token: SeDebugPrivilege	3004	explorer.exe
Token: SeDebugPrivilege	1248	explorer.exe
Token: SeDebugPrivilege	1664	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 872	1880	JaffaCakes118_ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed.exe	30
PID 1880 wrote to memory of 872	1880	JaffaCakes118_ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed.exe	30
PID 1880 wrote to memory of 872	1880	JaffaCakes118_ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed.exe	30
PID 1880 wrote to memory of 872	1880	JaffaCakes118_ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed.exe	30
PID 872 wrote to memory of 2040	872	WScript.exe	31
PID 872 wrote to memory of 2040	872	WScript.exe	31
PID 872 wrote to memory of 2040	872	WScript.exe	31
PID 872 wrote to memory of 2040	872	WScript.exe	31
PID 2040 wrote to memory of 2256	2040	cmd.exe	33
PID 2040 wrote to memory of 2256	2040	cmd.exe	33
PID 2040 wrote to memory of 2256	2040	cmd.exe	33
PID 2040 wrote to memory of 2256	2040	cmd.exe	33
PID 2256 wrote to memory of 980	2256	DllCommonsvc.exe	50
PID 2256 wrote to memory of 980	2256	DllCommonsvc.exe	50
PID 2256 wrote to memory of 980	2256	DllCommonsvc.exe	50
PID 2256 wrote to memory of 1324	2256	DllCommonsvc.exe	51
PID 2256 wrote to memory of 1324	2256	DllCommonsvc.exe	51
PID 2256 wrote to memory of 1324	2256	DllCommonsvc.exe	51
PID 2256 wrote to memory of 608	2256	DllCommonsvc.exe	52
PID 2256 wrote to memory of 608	2256	DllCommonsvc.exe	52
PID 2256 wrote to memory of 608	2256	DllCommonsvc.exe	52
PID 2256 wrote to memory of 1408	2256	DllCommonsvc.exe	53
PID 2256 wrote to memory of 1408	2256	DllCommonsvc.exe	53
PID 2256 wrote to memory of 1408	2256	DllCommonsvc.exe	53
PID 2256 wrote to memory of 840	2256	DllCommonsvc.exe	54
PID 2256 wrote to memory of 840	2256	DllCommonsvc.exe	54
PID 2256 wrote to memory of 840	2256	DllCommonsvc.exe	54
PID 2256 wrote to memory of 2088	2256	DllCommonsvc.exe	55
PID 2256 wrote to memory of 2088	2256	DllCommonsvc.exe	55
PID 2256 wrote to memory of 2088	2256	DllCommonsvc.exe	55
PID 2256 wrote to memory of 2216	2256	DllCommonsvc.exe	62
PID 2256 wrote to memory of 2216	2256	DllCommonsvc.exe	62
PID 2256 wrote to memory of 2216	2256	DllCommonsvc.exe	62
PID 2216 wrote to memory of 1700	2216	cmd.exe	64
PID 2216 wrote to memory of 1700	2216	cmd.exe	64
PID 2216 wrote to memory of 1700	2216	cmd.exe	64
PID 2216 wrote to memory of 1744	2216	cmd.exe	65
PID 2216 wrote to memory of 1744	2216	cmd.exe	65
PID 2216 wrote to memory of 1744	2216	cmd.exe	65
PID 1744 wrote to memory of 2244	1744	DllCommonsvc.exe	114
PID 1744 wrote to memory of 2244	1744	DllCommonsvc.exe	114
PID 1744 wrote to memory of 2244	1744	DllCommonsvc.exe	114
PID 1744 wrote to memory of 1016	1744	DllCommonsvc.exe	115
PID 1744 wrote to memory of 1016	1744	DllCommonsvc.exe	115
PID 1744 wrote to memory of 1016	1744	DllCommonsvc.exe	115
PID 1744 wrote to memory of 3008	1744	DllCommonsvc.exe	116
PID 1744 wrote to memory of 3008	1744	DllCommonsvc.exe	116
PID 1744 wrote to memory of 3008	1744	DllCommonsvc.exe	116
PID 1744 wrote to memory of 2452	1744	DllCommonsvc.exe	117
PID 1744 wrote to memory of 2452	1744	DllCommonsvc.exe	117
PID 1744 wrote to memory of 2452	1744	DllCommonsvc.exe	117
PID 1744 wrote to memory of 2676	1744	DllCommonsvc.exe	120
PID 1744 wrote to memory of 2676	1744	DllCommonsvc.exe	120
PID 1744 wrote to memory of 2676	1744	DllCommonsvc.exe	120
PID 1744 wrote to memory of 2344	1744	DllCommonsvc.exe	121
PID 1744 wrote to memory of 2344	1744	DllCommonsvc.exe	121
PID 1744 wrote to memory of 2344	1744	DllCommonsvc.exe	121
PID 1744 wrote to memory of 2168	1744	DllCommonsvc.exe	124
PID 1744 wrote to memory of 2168	1744	DllCommonsvc.exe	124
PID 1744 wrote to memory of 2168	1744	DllCommonsvc.exe	124
PID 1744 wrote to memory of 2280	1744	DllCommonsvc.exe	125
PID 1744 wrote to memory of 2280	1744	DllCommonsvc.exe	125
PID 1744 wrote to memory of 2280	1744	DllCommonsvc.exe	125
PID 1744 wrote to memory of 2208	1744	DllCommonsvc.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ac674c36c60c7231c8021e873b92137d16d0260a1b92e899849fa98421d275ed.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5HgwEuCkaa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1700
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\SelfUpdate\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s0Dk4F6dXp.bat"
        7⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2480
        
        C:\Users\Default\Downloads\explorer.exe
        
        "C:\Users\Default\Downloads\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
        9⤵
        
        PID:520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:972
        
        C:\Users\Default\Downloads\explorer.exe
        
        "C:\Users\Default\Downloads\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"
        11⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:576
        
        C:\Users\Default\Downloads\explorer.exe
        
        "C:\Users\Default\Downloads\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        13⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:932
        
        C:\Users\Default\Downloads\explorer.exe
        
        "C:\Users\Default\Downloads\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        15⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2924
        
        C:\Users\Default\Downloads\explorer.exe
        
        "C:\Users\Default\Downloads\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"
        17⤵
        
        PID:1400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2556
        
        C:\Users\Default\Downloads\explorer.exe
        
        "C:\Users\Default\Downloads\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        19⤵
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2820
        
        C:\Users\Default\Downloads\explorer.exe
        
        "C:\Users\Default\Downloads\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        21⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:944
        
        C:\Users\Default\Downloads\explorer.exe
        
        "C:\Users\Default\Downloads\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
        23⤵
        
        PID:1700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3016
        
        C:\Users\Default\Downloads\explorer.exe
        
        "C:\Users\Default\Downloads\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56694a762c584ae71ab0fcb065ea9b12

SHA1
5f7096d6f87eaeb0537eb8332138e7adcf8885af

SHA256
4cdb78ae88bef77dd1c132cdf6b773b8550441719101387e5e321b0b3da83701

SHA512
5bef4ed47ab770181cbd8eff83448f0eb2fad99b6bed6b81f3fb19f536e46594f6fd802304c4aa2e51a63dc19ce80959751db70dbcdcbd58950657d1f0ff0cad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32d9084c57353c1a3bac6b12c8747bc4

SHA1
4833da72868c0f1fcf5763f25e2e02aeb995ca3f

SHA256
04b47f17adc0263fe96cf5b356da8202aba93bae8cb8dc6a092f17597812beeb

SHA512
f429267c8e68c3be6722429b7906852bcbe051d5a6d15e592706e1253925262f3b7a58070fb1e8382d79322e5d8e5ffa429b10b2acd796fdec86e2ba2279448f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2abafa36e9de3052006b844753a7c4b

SHA1
59e4d2389d825faa5512538625a4fc8fe634db79

SHA256
655ed0e3ab8c99dae2ff42106000fed57db7685b7fbfec9b05e16c827f47a13f

SHA512
0db951f9c9da29ae9d55932ee8bba75cfc2d65d534ebf17f1e7d8e14b969944a954ebdb8f9e674081cd6961146cbf6a5027f5cd00b2931f5b33edd5a3ee28685

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bf87abfc0ef50268b7d9ceba23c06f2

SHA1
a9900a44dceaea49da1f5e12d1fabf6c799d6dbc

SHA256
d536b76a5a0924606733397c88c3c247992d600784502b1c1208c8fc255bfd01

SHA512
e406137b3d1e6f47458cc3da67d9215de8c18ff2b09fe8bf2017951b34b8c657844b1167fe972b1399edf11c6f1646ddce0bde352a8f8a69dc40cd4cee90bb8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7b3ab6495c4bfc3e999486f8384af97

SHA1
b1bb8becca694157940a250c20a60d2c3c090993

SHA256
038f0ceee5ca905d588222473e8f53af473bfa6881340a10821c4ed0af823c3d

SHA512
44298013513fe16202e4b23ef7a04186b22696cafc0b02f35ef2f77bd114c0d7132e690eb67c1ae3824cd76aff04220fc50b0526443fbd52f91857dae82857fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77b0d05cc20f769fc7e95ddb69ec6b72

SHA1
58cd0154c1a6e409c7b3434fb821872fc5c27b62

SHA256
9aaad630928cbc1636b56c3635a371236657f4fe8523b594a6bc0078c288f6fa

SHA512
0f56b54d17da1c85b30e7dda9a087aca47fbe994786d3dc4217ca6bcf2ce93260455b784256e13c240849071d9125ab08c42a86c84e27425ed583e31b373773c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5837e42e74ee24009740690f21c6acbd

SHA1
12c72ea867040c64d234758b936130b19f5f863d

SHA256
e45615b88e0e311c16c08b179511d8243feac7704984690beba76a4ee44206e2

SHA512
903c137ceb59d3dcf717a26ad4bc53e34d9779f00eead6a3ae60165f974b672c440e574c782bb13fe69ee3e5fb7abdde4f012fc6a72659dfdcec5b7317be8ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HgwEuCkaa.bat

Filesize
199B

MD5
4832adb7fbbe398101e31b8d639eb42c

SHA1
5bbcd0c223ac3b959c46301b7b522b997114337f

SHA256
c6a976bd30c7603ec84c3d17dc14e0b19aaa9c224c73f4db6e50fc883f86d7d9

SHA512
156cf26877f4a8bac87ff71fcc458f4d7db81c42268ea93dd9f69529cf07a4c484bd30471800185a63e25c60579102ec5863820690a48499fbf65f1ea18d9bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab21F4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
204B

MD5
b1ee20a0ac4aa5cf3de68cf0147a82ff

SHA1
164af8c505863d8fc7e4389f6c2949e3a2c0fc84

SHA256
d7c2d6b1fdac858ff559dac97ac78470e728bba1a29da14756c2f9af6a10a752

SHA512
6ef7e59fb9240fbef8e477a2334dd29cd88a7dfa967e63f857581fc9c4e98644d62b24da882cc26afa420dfdb68b2e7a2fc103bad51549bdf32e0791bf83c4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

Filesize
204B

MD5
fb8f0a10723177ebbd2a2b31489d3921

SHA1
4618776bd2701edfda117e8ed6991ce61227cff0

SHA256
a261628146d90da87713be6eb48b0d580ffed92bfbf0270e3ca8baf7a0c06492

SHA512
3c61565c6dd4ab7a4f48bf6ffdad2674ca33087a704eb54f74a7ebdb6c69ba15ed906d5bc6814fd97611c1af277de40bca4e6cea1a1d8d4244cf7c1090da7876

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2264.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
204B

MD5
90e907c00f1621ff138cc9cb2ed19054

SHA1
3d387954163201b4c3435352199625650030fc3a

SHA256
f584d21cc65172d62cf78c90d562cb01593b086755d536d43ecd585485269f9c

SHA512
432ba09b01473c9ddd4c4d1a2de30675b378aaad2c037fe88f5180fb045d9f1824f4cc6808828cac1915c07b5bdc2bcb462d47a7dc114222859313c84c2b17a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
204B

MD5
4e32baf6e05b396d3f3b960bf9d69eb1

SHA1
911c3a67b640607931f1b419cde97f4c1e960ed6

SHA256
53ec037d5ed01ef0d93a54f8576226b13f3940e3b31a5a25a46e20500039140c

SHA512
1f74850a034fdf50a1436338f7708d6316be1f393c6a3ab56c9770648dbf8d0bb3334bc92f1b7ea79cc0a45a3b7f722afbcc4d41fc48f1d75bb843e98f439ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat

Filesize
204B

MD5
9e6eec1019d93f84cdda1819c3356f4f

SHA1
ec31ea938dc54619f2bb9dc4361a511021fd3dc5

SHA256
050bbcfec608cc37f36282f966a9e532c3e5d23bc46be5e082edcaa1445a869e

SHA512
c9fe6519883c05ee38eac265822a2fe35f021fbaa5d065d8c981210b1063467b812eb6424a8136ec5d3130f9e856ebd9c89c9004e744cfd3f9660b2011c28aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\s0Dk4F6dXp.bat

Filesize
204B

MD5
475f8b001ec18ea087c25f440adaa67f

SHA1
6247a74e2c10e16d1d567c469856d11f0b871879

SHA256
0583d3a861a837ab8bc772cbc5333d8e351e6c35262a61c720fb684dc703f12c

SHA512
8747d8b33210a34956498ef39b4b622343bae80e597c5814fb80e7a696c602f2f6d7d67b4bc01c788f42f8273e85cf1898fe05a23e0de2206bff4eff53c0d266

Download Submit
C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat

Filesize
204B

MD5
b22e243fe93c133374fbafa49c718668

SHA1
926927dd4f71dfb0db3ecfc0d784d4bd2fa4b343

SHA256
34c20394df9d0c1c6fd45659761eb9b013453f00516d1601711972ee6eeac3b7

SHA512
5b44a169cbc3079b4cfba831f899a7e98929063f9363e8f9d4854920d88eb05a743d16650add6e8e22fb5a24c6822f4c8ee8c75fa57830d415d38d64e56f1c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
204B

MD5
254eab234a6f13756ed4c3c67d8a449b

SHA1
b22012b241c2a5d1dba206ffddd33f734ca340b3

SHA256
8dd981b230b28410e9001626e9185355ea585fdd6cde72e8efec96ce3d9762e6

SHA512
e1c5b4b8aff358ddc338439d0923cd9346b236142c97e9a8a8b690e018e3de89edf521ca01db212f19f31c6bb6c75f0e3cc7ebe9d3c6764f53667debe853afe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat

Filesize
204B

MD5
290df5a9c21851d2864e3992332e5ed9

SHA1
bba52a7dc13a988d90033963a5c042e0e0075067

SHA256
3fa15b03000a5402be377a03f07f02cb629f38dff9cef20e43942265c2cff37b

SHA512
113d7dc1b8883f2128072999a216abf2140da1a9609c2a829c934ea7f82426a5235175371aa9e1ea82999b81b426087e9c4725c843ef2358edf8dfb067cad3dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JUVMIO6CRYV67QGDAYQ3.temp

Filesize
7KB

MD5
686611a21fc1ec253e9b9b3fa040d720

SHA1
01153351747a6fb7f74bac3d0611c576703467dc

SHA256
fae68c104c993e61d616f958f789dcf67879eace7ad7fa08d67ff483ba3f964b

SHA512
cb3429181dc462e4f3807de67648697722d7c1f46b28995876a711f427632e668024637caadd3ccb862ba828bdac044fa480a9a4ce2aba0fdcfaa799979d2692

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/608-38-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/608-37-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1016-113-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/1248-613-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/1664-673-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/1720-255-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1744-66-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1744-65-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download
memory/2120-433-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2196-196-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2208-136-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2256-13-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/2256-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2256-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2256-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2256-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2412-493-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/3004-553-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download