dcrat | f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d.exe
Size

1.3MB
MD5

3a94eddfbf8e9e9b007a26c015293df5
SHA1

694d23e8bd529158b623d7d394b048408cdfa3d9
SHA256

f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d
SHA512

2371a1ea679048b44af4783e367ab4d978200f1f64a4e1c7459200f70e4630659870c4e8cfe51e7120f7f698fe28e4dca61e85fb74c60de23b791dbba24498c0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2864	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2864	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0c-9.dat	dcrat
behavioral1/memory/2436-13-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/2064-165-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/1752-224-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/3000-344-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2456-404-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/948-762-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2636	powershell.exe
1924	powershell.exe
3068	powershell.exe
2664	powershell.exe
2244	powershell.exe
2756	powershell.exe
2724	powershell.exe
2692	powershell.exe
2784	powershell.exe
2652	powershell.exe
532	powershell.exe
2660	powershell.exe
2968	powershell.exe
640	powershell.exe
2720	powershell.exe
2868	powershell.exe
2616	powershell.exe
1256	powershell.exe
2848	powershell.exe
2728	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2436	DllCommonsvc.exe
2064	WmiPrvSE.exe
1752	WmiPrvSE.exe
2904	WmiPrvSE.exe
3000	WmiPrvSE.exe
2456	WmiPrvSE.exe
2732	WmiPrvSE.exe
772	WmiPrvSE.exe
2396	WmiPrvSE.exe
1144	WmiPrvSE.exe
2436	WmiPrvSE.exe
948	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
36	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Java\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Java\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1876	schtasks.exe
1752	schtasks.exe
2080	schtasks.exe
2268	schtasks.exe
2536	schtasks.exe
1512	schtasks.exe
816	schtasks.exe
3016	schtasks.exe
1320	schtasks.exe
2380	schtasks.exe
2620	schtasks.exe
596	schtasks.exe
1772	schtasks.exe
444	schtasks.exe
2076	schtasks.exe
2372	schtasks.exe
1940	schtasks.exe
2812	schtasks.exe
2040	schtasks.exe
1232	schtasks.exe
1040	schtasks.exe
2416	schtasks.exe
1536	schtasks.exe
380	schtasks.exe
2796	schtasks.exe
1960	schtasks.exe
1368	schtasks.exe
3020	schtasks.exe
1076	schtasks.exe
2484	schtasks.exe
1672	schtasks.exe
1608	schtasks.exe
3044	schtasks.exe
2508	schtasks.exe
1500	schtasks.exe
1224	schtasks.exe
2652	schtasks.exe
1568	schtasks.exe
2328	schtasks.exe
2488	schtasks.exe
1636	schtasks.exe
2280	schtasks.exe
2848	schtasks.exe
2164	schtasks.exe
1588	schtasks.exe
820	schtasks.exe
2904	schtasks.exe
1016	schtasks.exe
2260	schtasks.exe
2180	schtasks.exe
2520	schtasks.exe
1840	schtasks.exe
2704	schtasks.exe
2368	schtasks.exe
2552	schtasks.exe
2012	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2436	DllCommonsvc.exe
2436	DllCommonsvc.exe
2436	DllCommonsvc.exe
2436	DllCommonsvc.exe
2436	DllCommonsvc.exe
2244	powershell.exe
2756	powershell.exe
2720	powershell.exe
1924	powershell.exe
3068	powershell.exe
640	powershell.exe
1256	powershell.exe
2968	powershell.exe
2784	powershell.exe
2724	powershell.exe
2664	powershell.exe
2868	powershell.exe
2660	powershell.exe
2728	powershell.exe
2848	powershell.exe
2616	powershell.exe
532	powershell.exe
2652	powershell.exe
2692	powershell.exe
2636	powershell.exe
2064	WmiPrvSE.exe
1752	WmiPrvSE.exe
2904	WmiPrvSE.exe
3000	WmiPrvSE.exe
2456	WmiPrvSE.exe
2732	WmiPrvSE.exe
772	WmiPrvSE.exe
2396	WmiPrvSE.exe
1144	WmiPrvSE.exe
2436	WmiPrvSE.exe
948	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	DllCommonsvc.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2064	WmiPrvSE.exe
Token: SeDebugPrivilege	1752	WmiPrvSE.exe
Token: SeDebugPrivilege	2904	WmiPrvSE.exe
Token: SeDebugPrivilege	3000	WmiPrvSE.exe
Token: SeDebugPrivilege	2456	WmiPrvSE.exe
Token: SeDebugPrivilege	2732	WmiPrvSE.exe
Token: SeDebugPrivilege	772	WmiPrvSE.exe
Token: SeDebugPrivilege	2396	WmiPrvSE.exe
Token: SeDebugPrivilege	1144	WmiPrvSE.exe
Token: SeDebugPrivilege	2436	WmiPrvSE.exe
Token: SeDebugPrivilege	948	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2316	1920	JaffaCakes118_f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d.exe	30
PID 1920 wrote to memory of 2316	1920	JaffaCakes118_f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d.exe	30
PID 1920 wrote to memory of 2316	1920	JaffaCakes118_f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d.exe	30
PID 1920 wrote to memory of 2316	1920	JaffaCakes118_f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d.exe	30
PID 2316 wrote to memory of 2876	2316	WScript.exe	31
PID 2316 wrote to memory of 2876	2316	WScript.exe	31
PID 2316 wrote to memory of 2876	2316	WScript.exe	31
PID 2316 wrote to memory of 2876	2316	WScript.exe	31
PID 2876 wrote to memory of 2436	2876	cmd.exe	33
PID 2876 wrote to memory of 2436	2876	cmd.exe	33
PID 2876 wrote to memory of 2436	2876	cmd.exe	33
PID 2876 wrote to memory of 2436	2876	cmd.exe	33
PID 2436 wrote to memory of 2244	2436	DllCommonsvc.exe	92
PID 2436 wrote to memory of 2244	2436	DllCommonsvc.exe	92
PID 2436 wrote to memory of 2244	2436	DllCommonsvc.exe	92
PID 2436 wrote to memory of 2756	2436	DllCommonsvc.exe	93
PID 2436 wrote to memory of 2756	2436	DllCommonsvc.exe	93
PID 2436 wrote to memory of 2756	2436	DllCommonsvc.exe	93
PID 2436 wrote to memory of 2720	2436	DllCommonsvc.exe	95
PID 2436 wrote to memory of 2720	2436	DllCommonsvc.exe	95
PID 2436 wrote to memory of 2720	2436	DllCommonsvc.exe	95
PID 2436 wrote to memory of 2724	2436	DllCommonsvc.exe	96
PID 2436 wrote to memory of 2724	2436	DllCommonsvc.exe	96
PID 2436 wrote to memory of 2724	2436	DllCommonsvc.exe	96
PID 2436 wrote to memory of 2868	2436	DllCommonsvc.exe	97
PID 2436 wrote to memory of 2868	2436	DllCommonsvc.exe	97
PID 2436 wrote to memory of 2868	2436	DllCommonsvc.exe	97
PID 2436 wrote to memory of 2728	2436	DllCommonsvc.exe	101
PID 2436 wrote to memory of 2728	2436	DllCommonsvc.exe	101
PID 2436 wrote to memory of 2728	2436	DllCommonsvc.exe	101
PID 2436 wrote to memory of 2616	2436	DllCommonsvc.exe	102
PID 2436 wrote to memory of 2616	2436	DllCommonsvc.exe	102
PID 2436 wrote to memory of 2616	2436	DllCommonsvc.exe	102
PID 2436 wrote to memory of 2636	2436	DllCommonsvc.exe	103
PID 2436 wrote to memory of 2636	2436	DllCommonsvc.exe	103
PID 2436 wrote to memory of 2636	2436	DllCommonsvc.exe	103
PID 2436 wrote to memory of 1924	2436	DllCommonsvc.exe	104
PID 2436 wrote to memory of 1924	2436	DllCommonsvc.exe	104
PID 2436 wrote to memory of 1924	2436	DllCommonsvc.exe	104
PID 2436 wrote to memory of 2652	2436	DllCommonsvc.exe	105
PID 2436 wrote to memory of 2652	2436	DllCommonsvc.exe	105
PID 2436 wrote to memory of 2652	2436	DllCommonsvc.exe	105
PID 2436 wrote to memory of 3068	2436	DllCommonsvc.exe	106
PID 2436 wrote to memory of 3068	2436	DllCommonsvc.exe	106
PID 2436 wrote to memory of 3068	2436	DllCommonsvc.exe	106
PID 2436 wrote to memory of 2664	2436	DllCommonsvc.exe	107
PID 2436 wrote to memory of 2664	2436	DllCommonsvc.exe	107
PID 2436 wrote to memory of 2664	2436	DllCommonsvc.exe	107
PID 2436 wrote to memory of 2784	2436	DllCommonsvc.exe	108
PID 2436 wrote to memory of 2784	2436	DllCommonsvc.exe	108
PID 2436 wrote to memory of 2784	2436	DllCommonsvc.exe	108
PID 2436 wrote to memory of 2848	2436	DllCommonsvc.exe	109
PID 2436 wrote to memory of 2848	2436	DllCommonsvc.exe	109
PID 2436 wrote to memory of 2848	2436	DllCommonsvc.exe	109
PID 2436 wrote to memory of 640	2436	DllCommonsvc.exe	110
PID 2436 wrote to memory of 640	2436	DllCommonsvc.exe	110
PID 2436 wrote to memory of 640	2436	DllCommonsvc.exe	110
PID 2436 wrote to memory of 2692	2436	DllCommonsvc.exe	111
PID 2436 wrote to memory of 2692	2436	DllCommonsvc.exe	111
PID 2436 wrote to memory of 2692	2436	DllCommonsvc.exe	111
PID 2436 wrote to memory of 2968	2436	DllCommonsvc.exe	112
PID 2436 wrote to memory of 2968	2436	DllCommonsvc.exe	112
PID 2436 wrote to memory of 2968	2436	DllCommonsvc.exe	112
PID 2436 wrote to memory of 2660	2436	DllCommonsvc.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f30c75fe9bc65b14496c4ea6c35cf8710d00e27bb7ab0780791d2186ebcf7b6d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EEtKVavCHk.bat"
        5⤵
        
        PID:1696
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1856
      - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        7⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1940
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"
        9⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2592
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
        11⤵
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1856
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        13⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2632
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
        15⤵
        
        PID:340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2412
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
        17⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1072
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
        19⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1720
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        21⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1092
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
        23⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2508
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat"
        25⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1628
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66c5bdd367f8a67b917de869d17fda2b

SHA1
b6ecfe3f97942d0d6803f2a4d044be6c7f392f89

SHA256
fd47b119c93099b8b8f5bb5f10edcd69306c725ddb4a793f2f35bc9d3cf9eccf

SHA512
141cfaa3672ba8eba2b0c5ac08db46d4eca71d47c7ad74330426f6af6fe110478a0ac0ce848e6dfd1aeb0a9ae3079d821e320815c38c78155c01f4df4d926310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bd75c0c58a4a1b50bd96d9b84dae17e

SHA1
8728c09d35a3e00759f2a685cb87b56a8c2d3254

SHA256
2cecf33e0c9773aea54e39648723444ed5111563240fe6aecb379b1e09f8f95a

SHA512
030f1bd5beda370dfadb0a832ce29d63375488d6e58ee31a0c4b4ec1687e5436ecba1351f5584f3465c2acf9215d920cbbe5f78b6a97c697e3c33fc65fb69489

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0360c5e7c70dc1d4ab4511fef40fc8f7

SHA1
cb00a64264d7e10ad6b63645a2d6ae13a4d3a5de

SHA256
861f2cf8efcac1d6b9551a216a6efea0095d6a79fb3fcaee28060b0bcf599b04

SHA512
780a484fa89bc712ed44971bb201ccf2cab05fdb00564de092e33b73ae4cbede8eb764a69880d271082c300d4039ca399c3b405cd27154e25e92b358c5661732

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c6e6c43fa8956d6cd52adbab10b38dc

SHA1
c6f1fcaa0184f0fc4264023040d25fa3fdb8a11e

SHA256
c2231ba66bc90a13bc5998fbe8b068b21050eda5e9c627c5cebe9e100bdbf9af

SHA512
1ea4b7f7494caabf01413ab056c245c2dcc28c7c648e199e2edcf67ab5e734e537e6a7fac11cdb4f38f6c43d042bfa311433b28461a7fb5610f1bbea6f61e70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0041dbd4c50c7db5fb5b7aa518f72f78

SHA1
6f2c553427e014dc504d82be0b0bc29ecce7068a

SHA256
88abb6be522c7374b24991dc2cdf37320ba39000b4a6603f1e362ee1643dea10

SHA512
43d9a5a50249ff4da7252c8d7cf9a735354b649b9539cbf94eaf924590433972e72489654f7e8011513dd7d16e8f0d6dcb66842f061b480fa02746f156c6a0e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9845f17d203d8a0fc359045591638981

SHA1
15836e35dd20a93a0728dff999696ab9305c2955

SHA256
382d1345d04528ada5662c4ad3611d8287d51e430177be714af373ca780fb6e6

SHA512
2cf547a0f09aaadc7bb096339789089826b30b780ca288e1af7d9ff6c56c485a76891e230b4edca525e0172416504ab7fcc4f1f3fee83e30bffcaa15e97994fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f3bdd458a298c7c1f52b01b28d6914c

SHA1
4ae0e281c84b265f53b27739eb9f9f85930a6403

SHA256
68f08f7497691dd1689a9ffffef6947084eaf423df2190c0832a6b82cb39d363

SHA512
a59814cc72dd7d9f721be6e731ff48e8c225cc49107d015d66d9ca096431eba81273077ca469ce919412cdf0741bf8a7e06f0ba665d5e61624e1373276ba992f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
358be71019995aee38f6f7053946abba

SHA1
a42347bcb4d910144d8b0cec57713377ee8f9acb

SHA256
689056e29e3ab5f7ad71e6f5167c1a1683e489e025cc9bf3eb8fe2d8400b39d9

SHA512
686fede4d3b9f0416819bd9aff073c9c9cddb4be3f35f9f99aaa96157171e15ccd76e3f7c196777b2a4a8fba3998a381d789139e5635acfe5ccb751512982d72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f36af9f8860a71d143358ff5ce7b4a48

SHA1
e82b9e24f752f6a54e4ebaab5a79a5c9ce96f78a

SHA256
dc7e16495f661369ae8ddb955e1542adde5a838a0a8ca45c4967772c6a654d58

SHA512
2134cf56ecc81997ea74a9df19454b34a179277fefecbd45d9079faef19e096d05925dc28f9a1704c7bd45ae95bf5cd086e03437bd27c182a8c527907abd5b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
245B

MD5
150b4e07027eb8007031b52ae7a57cb4

SHA1
952671adfeac947c3ac52afca7f0ddabcfe71f53

SHA256
58219dbb9e949b890fa403d484855182b034a7b75e4ff9f4c825506643ee9f99

SHA512
00b24401fc6637ffdcd7de083e0c61a4227895f62a630a051f2297af15d637bb484aca0145f1300f444a44f41c063890d866a2854c6da3057e267836a024f127

Download Submit
C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat

Filesize
245B

MD5
3c6c62ef92d04311c6165e2b02ea7e17

SHA1
eff4e3acfe7f34d20a5ba57dde7ec5ed55281596

SHA256
2d06b077cd7c81ca189294e9027f8cf534cf04d92e132cc507e29bcc9754315a

SHA512
b8d39a7bea9c2a6096dbcf7b65e6f2e5ce6fc549385f9d407e38e72cc4a5cb8c6ff15349ebb2ce8293820bdd5570c9409d65b469c90a87e8d2540d728df81a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
245B

MD5
09187c4ac805b5cba972c8fe6986dc4a

SHA1
50b288c070a4162ae6e47722b319da0ff29dac63

SHA256
b0cd4e2e8bd45459d3ab53bf6e7453cfc35af710d605a7a74443ff7705790306

SHA512
a2bb5811e937c1c19299946a3534a5594a9819db47086e36852208b8f3704bbc03a44e8401cc3831ee48a7991039352e40c1abb174aa8d6e6166ea44e0e3da0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF72D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEtKVavCHk.bat

Filesize
245B

MD5
0926c9466a6a020245e2bc9c8f026268

SHA1
a93c41efd1d67f851ffd8916a8bf964bc7472517

SHA256
347be2fb55b6577a308ce5e57438ac0dff45284745c0273e239b7350f89c7657

SHA512
94fd22c8311b0706c3ddbeb3f97877fc236130a1a771ca215866cf03be97934e017be18c9c3ef32cd0569d98928899c9ce5e8e7ffe67dcd8328588d2fb97002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat

Filesize
245B

MD5
500f849d58a3daaba5d3d5464d419f18

SHA1
1532f7650c4f5ea4f1b9700968bf756f008f72ee

SHA256
586de857cd52e66440fa75bb6a3d8c8cb28c72dcccf82049b69d6b5ee6e5cfe6

SHA512
163c6263cc33e0deb0b1993af7637edf3883ad04b7c705587c4444d6ac11a18a63e86f1827afe47f59758f6f02144e90b4a604a17533cad2336c0497689c9450

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF74F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
245B

MD5
53d5ff1398e3de97fed3e0bf9378190e

SHA1
cc967cf7d691503e451b3ee033b2872957c8de72

SHA256
b14513a1b89b18f28dfdef2eeec642627f0e6517166753f31521c79f431d31c2

SHA512
714fe45fc29c6a1db75cc344a956d479ea47eb3f8d5568629e752b3210f39b8563ac3d3e478d2a8259e8ce0d717f702ba587beab37ceeb60ffc0e273d347794d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

Filesize
245B

MD5
197a3dfec5b11c6d1936d5cf006b39c3

SHA1
357b78c65372a7b0cc13f5b5ee6a9e18959c34e6

SHA256
a2f74daad905679275ede9c5dbfe45fe8e0401ad8921b71bef69e81919a04746

SHA512
222a15cb8dcea809cbc8a69b4b30ed0932f12a1cbca73440773f2bc6097b141b6ef21c9af6aebd4a6d29b3612b38d1bac73d55e96cf53619339b175afca5feb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat

Filesize
245B

MD5
707d34a2250d08c83f80c3fbf180f853

SHA1
cd4698a63ae2f912f0adac8c8efe3b25e92c422c

SHA256
edab719256ebbca626412bfa0ec3bd7db594e927511ac5755925076aef00469a

SHA512
2d6252602503842a626c59638b729bc6109ff7c7535ffe0bc9e6b06cbdbad9af57d59c73888780382fd5f133903e482d97b4c3082ebb79dfd51827fabe64069e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

Filesize
245B

MD5
8c3c0d50ee7e3794b8547f82e1c43f24

SHA1
2e0545cc592207edbaab7af74ccddb1ee42eb5fa

SHA256
879580fbfd53152924fff267af31e6a6e88dcd51c8ad924a83e959700374bf08

SHA512
63943a6edf44179d5b159aeefbe974c636bdbe53ff3c9a47fd8b397ad4ecc9ce1d96a7c4db50830e3adc4e6ef087afdb5587eee99ff2c684632fec94b57be39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat

Filesize
245B

MD5
c6b5fed2404b1857f008e7f95714f659

SHA1
e063a46f76268a69ca14a73c5426037a0a709456

SHA256
b6246634aa4e28c5e292b78ab39e0e470add08419c85aa71b2e846bb9d59798a

SHA512
6803dfde4d53689e1aa030374341d1cc4ce0cba39aa0a28b39e465c04ab175fdb16e3f2b8839b9e5561e70d785b63e17f5b7df38f0655f7a9da956acec6156ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

Filesize
245B

MD5
603c8d7527d0a4622ed0f8c27be70088

SHA1
49f2bbdb70d40189ad6ada104e0e123a92cd1e2f

SHA256
8ead92efa063482d66ad5ffbe33cd3cfd2fd28ffe8ffa02dd73ecf4760ac5436

SHA512
22d1a13b9191f85f1a0855fe41d043141e4929f994bf4514f6974447ef83f8ce8b5d187a54a1165305b1c0a15f7732e935e7a5ed1004512fd13cbdb9fe86e8a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f836fc90650f61ac7b4664f21b493d49

SHA1
1ad4d1ed37dd1a81cb84a92bff4e54ddfbe87f89

SHA256
dd0621d418bfc5909a6659de07f7e70d24da4c020443547bfa4cc7e723c49416

SHA512
2bab0df95b051e6992e3105fa6f2ce5b6655842566edb3441eeebf26c9496cbcf80f78c71d23ee738a8b813a0a7c9823296d84a56bd59001c2b664da443f30a4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/948-762-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1144-643-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1752-224-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2064-165-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/2244-69-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2244-70-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2436-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2436-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2436-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2436-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2436-13-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2456-405-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2456-404-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-465-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2904-284-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/3000-344-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download