dcrat | 3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd.exe
Size

1.3MB
MD5

c900e0035b464eb2bf306fb7df30a929
SHA1

3a191623d8fa97348d5e969d8fcb88d294463d55
SHA256

3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd
SHA512

fa7ce17cd3d36273bd73b595aa1d111162ff50c611513cfef18472943756a034601a826b954143db5ff649d7e57f1384d93fb06728e1023618abf8186bcfe8a0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	3628	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3628	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023c46-9.dat	dcrat
behavioral2/memory/3984-13-0x0000000000960000-0x0000000000A70000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3308	powershell.exe
2388	powershell.exe
1020	powershell.exe
2360	powershell.exe
4300	powershell.exe
2908	powershell.exe
2216	powershell.exe
3060	powershell.exe
4748	powershell.exe
1008	powershell.exe
2024	powershell.exe
8	powershell.exe
3900	powershell.exe
3604	powershell.exe
4204	powershell.exe
1220	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 15 IoCs

pid	Process
3984	DllCommonsvc.exe
820	DllCommonsvc.exe
2192	DllCommonsvc.exe
4012	smss.exe
980	smss.exe
372	smss.exe
2472	smss.exe
3592	smss.exe
2388	smss.exe
216	smss.exe
1932	smss.exe
1472	smss.exe
4932	smss.exe
1732	smss.exe
2248	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
48	raw.githubusercontent.com
20	raw.githubusercontent.com
21	raw.githubusercontent.com
37	raw.githubusercontent.com
38	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
36	raw.githubusercontent.com
42	raw.githubusercontent.com
44	raw.githubusercontent.com
49	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\e1ef82546f0b02	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\it-IT\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\smss.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\it-IT\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	JaffaCakes118_3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1664	schtasks.exe
2300	schtasks.exe
2260	schtasks.exe
5008	schtasks.exe
3996	schtasks.exe
4828	schtasks.exe
4424	schtasks.exe
5032	schtasks.exe
1976	schtasks.exe
3056	schtasks.exe
3368	schtasks.exe
4840	schtasks.exe
3548	schtasks.exe
4400	schtasks.exe
3664	schtasks.exe
4748	schtasks.exe
4740	schtasks.exe
888	schtasks.exe
672	schtasks.exe
1992	schtasks.exe
2420	schtasks.exe
1336	schtasks.exe
1656	schtasks.exe
1480	schtasks.exe
464	schtasks.exe
456	schtasks.exe
4744	schtasks.exe
4488	schtasks.exe
4928	schtasks.exe
5080	schtasks.exe
4196	schtasks.exe
1792	schtasks.exe
3392	schtasks.exe
3868	schtasks.exe
3848	schtasks.exe
1908	schtasks.exe
1928	schtasks.exe
4932	schtasks.exe
640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3984	DllCommonsvc.exe
3984	DllCommonsvc.exe
3984	DllCommonsvc.exe
3308	powershell.exe
4748	powershell.exe
1220	powershell.exe
3060	powershell.exe
2216	powershell.exe
8	powershell.exe
2216	powershell.exe
820	DllCommonsvc.exe
8	powershell.exe
1220	powershell.exe
4748	powershell.exe
3060	powershell.exe
3308	powershell.exe
820	DllCommonsvc.exe
820	DllCommonsvc.exe
2024	powershell.exe
2024	powershell.exe
1008	powershell.exe
1008	powershell.exe
2388	powershell.exe
2388	powershell.exe
3604	powershell.exe
3604	powershell.exe
2908	powershell.exe
2908	powershell.exe
1020	powershell.exe
1020	powershell.exe
3900	powershell.exe
3900	powershell.exe
2024	powershell.exe
3604	powershell.exe
1008	powershell.exe
2908	powershell.exe
2388	powershell.exe
3900	powershell.exe
1020	powershell.exe
2192	DllCommonsvc.exe
2192	DllCommonsvc.exe
2192	DllCommonsvc.exe
2192	DllCommonsvc.exe
2192	DllCommonsvc.exe
4300	powershell.exe
2360	powershell.exe
4204	powershell.exe
4204	powershell.exe
2360	powershell.exe
4300	powershell.exe
4012	smss.exe
980	smss.exe
372	smss.exe
2472	smss.exe
3592	smss.exe
2388	smss.exe
216	smss.exe
1932	smss.exe
1472	smss.exe
4932	smss.exe
1732	smss.exe
2248	smss.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3984	DllCommonsvc.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	820	DllCommonsvc.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	2192	DllCommonsvc.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	4012	smss.exe
Token: SeDebugPrivilege	980	smss.exe
Token: SeDebugPrivilege	372	smss.exe
Token: SeDebugPrivilege	2472	smss.exe
Token: SeDebugPrivilege	3592	smss.exe
Token: SeDebugPrivilege	2388	smss.exe
Token: SeDebugPrivilege	216	smss.exe
Token: SeDebugPrivilege	1932	smss.exe
Token: SeDebugPrivilege	1472	smss.exe
Token: SeDebugPrivilege	4932	smss.exe
Token: SeDebugPrivilege	1732	smss.exe
Token: SeDebugPrivilege	2248	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3552	2300	JaffaCakes118_3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd.exe	83
PID 2300 wrote to memory of 3552	2300	JaffaCakes118_3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd.exe	83
PID 2300 wrote to memory of 3552	2300	JaffaCakes118_3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd.exe	83
PID 3552 wrote to memory of 4300	3552	WScript.exe	84
PID 3552 wrote to memory of 4300	3552	WScript.exe	84
PID 3552 wrote to memory of 4300	3552	WScript.exe	84
PID 4300 wrote to memory of 3984	4300	cmd.exe	86
PID 4300 wrote to memory of 3984	4300	cmd.exe	86
PID 3984 wrote to memory of 8	3984	DllCommonsvc.exe	104
PID 3984 wrote to memory of 8	3984	DllCommonsvc.exe	104
PID 3984 wrote to memory of 3308	3984	DllCommonsvc.exe	105
PID 3984 wrote to memory of 3308	3984	DllCommonsvc.exe	105
PID 3984 wrote to memory of 2216	3984	DllCommonsvc.exe	106
PID 3984 wrote to memory of 2216	3984	DllCommonsvc.exe	106
PID 3984 wrote to memory of 3060	3984	DllCommonsvc.exe	107
PID 3984 wrote to memory of 3060	3984	DllCommonsvc.exe	107
PID 3984 wrote to memory of 1220	3984	DllCommonsvc.exe	108
PID 3984 wrote to memory of 1220	3984	DllCommonsvc.exe	108
PID 3984 wrote to memory of 4748	3984	DllCommonsvc.exe	109
PID 3984 wrote to memory of 4748	3984	DllCommonsvc.exe	109
PID 3984 wrote to memory of 820	3984	DllCommonsvc.exe	115
PID 3984 wrote to memory of 820	3984	DllCommonsvc.exe	115
PID 820 wrote to memory of 1008	820	DllCommonsvc.exe	135
PID 820 wrote to memory of 1008	820	DllCommonsvc.exe	135
PID 820 wrote to memory of 2024	820	DllCommonsvc.exe	136
PID 820 wrote to memory of 2024	820	DllCommonsvc.exe	136
PID 820 wrote to memory of 1020	820	DllCommonsvc.exe	137
PID 820 wrote to memory of 1020	820	DllCommonsvc.exe	137
PID 820 wrote to memory of 3604	820	DllCommonsvc.exe	138
PID 820 wrote to memory of 3604	820	DllCommonsvc.exe	138
PID 820 wrote to memory of 3900	820	DllCommonsvc.exe	139
PID 820 wrote to memory of 3900	820	DllCommonsvc.exe	139
PID 820 wrote to memory of 2388	820	DllCommonsvc.exe	140
PID 820 wrote to memory of 2388	820	DllCommonsvc.exe	140
PID 820 wrote to memory of 2908	820	DllCommonsvc.exe	141
PID 820 wrote to memory of 2908	820	DllCommonsvc.exe	141
PID 820 wrote to memory of 4220	820	DllCommonsvc.exe	149
PID 820 wrote to memory of 4220	820	DllCommonsvc.exe	149
PID 4220 wrote to memory of 2848	4220	cmd.exe	151
PID 4220 wrote to memory of 2848	4220	cmd.exe	151
PID 4220 wrote to memory of 2192	4220	cmd.exe	157
PID 4220 wrote to memory of 2192	4220	cmd.exe	157
PID 2192 wrote to memory of 2360	2192	DllCommonsvc.exe	164
PID 2192 wrote to memory of 2360	2192	DllCommonsvc.exe	164
PID 2192 wrote to memory of 4300	2192	DllCommonsvc.exe	165
PID 2192 wrote to memory of 4300	2192	DllCommonsvc.exe	165
PID 2192 wrote to memory of 4204	2192	DllCommonsvc.exe	166
PID 2192 wrote to memory of 4204	2192	DllCommonsvc.exe	166
PID 2192 wrote to memory of 4308	2192	DllCommonsvc.exe	170
PID 2192 wrote to memory of 4308	2192	DllCommonsvc.exe	170
PID 4308 wrote to memory of 5028	4308	cmd.exe	172
PID 4308 wrote to memory of 5028	4308	cmd.exe	172
PID 4308 wrote to memory of 4012	4308	cmd.exe	179
PID 4308 wrote to memory of 4012	4308	cmd.exe	179
PID 4012 wrote to memory of 1020	4012	smss.exe	181
PID 4012 wrote to memory of 1020	4012	smss.exe	181
PID 1020 wrote to memory of 2932	1020	cmd.exe	183
PID 1020 wrote to memory of 2932	1020	cmd.exe	183
PID 1020 wrote to memory of 980	1020	cmd.exe	185
PID 1020 wrote to memory of 980	1020	cmd.exe	185
PID 980 wrote to memory of 4592	980	smss.exe	190
PID 980 wrote to memory of 4592	980	smss.exe	190
PID 4592 wrote to memory of 3872	4592	cmd.exe	192
PID 4592 wrote to memory of 3872	4592	cmd.exe	192

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3223b05524a6c8de662b0505d23266c5e7407c9dde82392afc10e413e6dba9fd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kitFqHqIkB.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2848
        
        C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\it-IT\smss.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O6c8m4LB56.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5028
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2932
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3872
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        14⤵
        
        PID:820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1692
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        16⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3320
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
        18⤵
        
        PID:1500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4116
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
        20⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2216
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        22⤵
        
        PID:980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2860
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        24⤵
        
        PID:4680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2212
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
        26⤵
        
        PID:1068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4336
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
        28⤵
        
        PID:5040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4384
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
        30⤵
        
        PID:4272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:336
        
        C:\Windows\PolicyDefinitions\it-IT\smss.exe
        
        "C:\Windows\PolicyDefinitions\it-IT\smss.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\SendTo\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\providercommon\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\providercommon\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e25058a5d8ac6b42d8c7c9883c598303

SHA1
bd9e6194a36a959772fc020f905244900ffc3d57

SHA256
9f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51

SHA512
0146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3e242d3c4b39d344f66c494424020c61

SHA1
194e596f33d54482e7880e91dc05e0d247a46399

SHA256
f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

SHA512
27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
330c0d750a5199394897ed266a508d9a

SHA1
48cc83c9efe720b4018a1bbbd28b9548b7cc08ed

SHA256
eac12f58c6fd86f674cc2dfec7717b5be286f45a370b22e522b86c302b94421d

SHA512
511cb3e04881e206fd8b86840b33b8ed8a78e71c28c508384387348982283b1bc0522051f992c998f7e64e4069e9ee55a5e3a6d1e0b923f4f34fdb1c17fd5631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
208B

MD5
95c53480f9e29a8bbc90a0d9de0b3dc1

SHA1
6c3cbbfaaa95f309d60e8bbf0dcd128a45c6ccd7

SHA256
308f0b5c6331f673b2d79f7afb128d02271379f9272a629ccefc49f6bc299313

SHA512
763e1116c82ff3d394c9cdbce205989a61afaff33b4b0fd6e45535bcffd4e6ac35c861462a1a21264699a46579b1eb90aab3be140495e71a9c4ea30b8a474831

Download Submit
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

Filesize
208B

MD5
b34c8f2382573166873326093b0fbe8e

SHA1
835b7a8775632b041e5725ed94a3a2d359d65b81

SHA256
39582f9b18a4e4b98b7656089b5257f86f06db0d19a7a30104a5ec7e719b1fc7

SHA512
0f5e5473bb9f9af5da8c744962add183d5c96317a7db127230472e039b8d5a975cd7d2305c173b51e102d621f6146bf54f3e594e08e77339bcb5bc786a1d3ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat

Filesize
208B

MD5
aa03787376070b9056158fc8e9d1d596

SHA1
209369f03cc5da8e7d869496f5d156b61bc0ed37

SHA256
e6983b7afc38564ebbce288571469b2ad123e4d181fb1119e78f956770f4c987

SHA512
e0c66007143a885adb8012db7b51643db0ae821a4aec33c4c052b353ea9cd72aa2611206054707480c524178ca0cdd2d67c4948b97d081f2db913571281a5aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

Filesize
208B

MD5
bb0ed6a02b02fe673cdbc420e1a08907

SHA1
a184f20b6bf3ec93d64eeddff4b62e672820bdf4

SHA256
d5d0917752286584d110e32e024260b250ca98a5cbff4f55bede2b2a9675e086

SHA512
340cb57d36b30c268a3ff30bb01edc0097b5e28935fc4df09617a5050c755b413821ab0e7255f3016b7e5941d596519187f54d0feef350c9dee3289e86ed9142

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

Filesize
208B

MD5
55324c99c1fea1491af78593924b0733

SHA1
349834f8dbfc7cb17470acd11fd84f3716a096be

SHA256
7844c25d9f1aa68bb39882c4e13cbc03e6212e1274d6aba23c514f8ba66d758c

SHA512
ea38806eb4bae02fd40e7e7898129352ee9c91fd8fba4c7c08774da6bcb318075c8293b90669747b545787bc505ce3ca8c2f3ae63c7e2f59407c46ad8d0a4e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\O6c8m4LB56.bat

Filesize
208B

MD5
5e52b9f251bf1b05427ae9077f254d4d

SHA1
285386548413775daf77e134a0681688aa81b47c

SHA256
7ae59554bf2334faf5f29eae8aa857dbb8d8b88dddea79e94f7baea7e3ff9297

SHA512
ffb606d6d7daa93028a1d7dc5185d05baeac17a98eae898eeed0bbc124f338370c88e1a0d3a2af797b4d7fc240f2260affc7216afc9563cf986c571a776371cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
208B

MD5
f7ed00884cbebbd2f0bb2df82c0a1f72

SHA1
2f093bf1e38b59e7f4e4ee26aaa742017607fb4a

SHA256
2441a7841fb6e180e7b006685767b04c2faf82ee60ad3975522b701b59758a71

SHA512
3f49cc50a96ab28eb66cebc49b05b2a35fa46d4588ee1359d4bf78641f2f9a36eeb3526c963f955508c0d5699f0ad5ec75e037c260c9f4fc7b63c67f85ba66bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat

Filesize
208B

MD5
3c7deb6ad6b945f06bde541b9092395e

SHA1
fd8d49e090a2bcaaf96579c2d55215b5c4ed60bd

SHA256
f15a84ee29c43c7db85fe464dabd98f5710452cfe7dc6710f821a22a6feeaae9

SHA512
feb01024dfbcbee64d77a4bae317ee02bee9d42e60ae834407cf8c8d4e2fe960e710e40e2563e257cd56161720dad855e8e00cae2fa8bf3dfd11dc61683f3883

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x1ytfrc5.kgy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat

Filesize
208B

MD5
5aa15ada1a974cbc778144d6f0360d4d

SHA1
c3f513ffbc9b04e7c1f191d4d4053b470dea8b91

SHA256
76ddfc3a67899759117e812635d7fef58502e31a0be60d0e49acf0e32a9030ee

SHA512
2e68d015fb5a06be5567690d72c5dfb0a9bc9ab7751b2cf2818f6874c3143a772bbe15d8e4815facf41da3a5e190857cbb06dd871247ef0a64423a6ce668f6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kitFqHqIkB.bat

Filesize
199B

MD5
697b6d5a34c93755d23d3ffb66d247b8

SHA1
273e28b2ccd47a187cf61fc2d2fe216e503c7733

SHA256
f61f2cb2fa508d715b23e9eae8c43e51cac2daeba5309e39fb1afc2733f8b4b1

SHA512
723da3707bd7a9b51c7848eb633ac8ffdc9c420beafc0b55d14babb3a7247053464c57c8e34043b6b1faa81790b91b00c59ded71c1163c4c6c7060fed0a17ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
208B

MD5
07b8efb858f1d6646f6e751fef9466ac

SHA1
e896b2df3628df65b1771ce93dec3f64ab26a713

SHA256
7046a38c50d9aa7d0e377b029140b9099b51fba4abbfe6d5a531825355b660ed

SHA512
ed780d5efda6fa647e15d96ba66a8a831f3f74c30bbe8f8eaaf87eab075145b51b4f0a0e9a798b680fd4aa3577bd6f445bf6f1f0e348ec4e1cc25d6ba0d89c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
208B

MD5
a8c5dd7b7f0d052b43727c6c9a5e4345

SHA1
cb4fdb7a7f929cb70d7e643fe7839adcea478b84

SHA256
7a902822eaad94e78471986d52b762e71d3180b662bd6edf8ba160ea3a50d018

SHA512
d0d5eb4e563bf884fe25dec5bc6b0a3d4be48288747a4b2bed4fac3be9c64ebfac696d59a63447279c75e422e6cb3f1aff6d6f7f2d85dcf7506c1c66cac5c411

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/216-281-0x000000001BBF0000-0x000000001BC02000-memory.dmp

Filesize
72KB

Download
memory/980-248-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/1732-306-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/2216-41-0x000001F284BD0000-0x000001F284BF2000-memory.dmp

Filesize
136KB

Download
memory/2248-313-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/2472-261-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/3592-268-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/3984-14-0x0000000002D50000-0x0000000002D62000-memory.dmp

Filesize
72KB

Download
memory/3984-16-0x0000000002D70000-0x0000000002D7C000-memory.dmp

Filesize
48KB

Download
memory/3984-31-0x00007FFD834F0000-0x00007FFD837B9000-memory.dmp

Filesize
2.8MB

Download
memory/3984-15-0x0000000002D60000-0x0000000002D6C000-memory.dmp

Filesize
48KB

Download
memory/3984-13-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download
memory/3984-17-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

Filesize
48KB

Download
memory/3984-12-0x00007FFD834F0000-0x00007FFD837B9000-memory.dmp

Filesize
2.8MB

Download