dcrat | f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe
Size

1.3MB
MD5

32d240a4e06320b02139ac23d293b690
SHA1

d0545c3832f80b94899ec7170ecc39f369582e9d
SHA256

f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142
SHA512

54d1ea49edae50f3958cf10a751ba5ded2bc6b21717de32a73114b28387b1533784de1ddbcb0487fed2a844120188d466afd32d5b1355395ff3ee91d122dfdc3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2576	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2576	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c7c-9.dat	dcrat
behavioral1/memory/2808-13-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat
behavioral1/memory/1968-162-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/2100-221-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1496-281-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/1936-459-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/1788-697-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe
1500	powershell.exe
2616	powershell.exe
1164	powershell.exe
2448	powershell.exe
2588	powershell.exe
2172	powershell.exe
2732	powershell.exe
268	powershell.exe
2004	powershell.exe
1788	powershell.exe
2756	powershell.exe
3056	powershell.exe
1476	powershell.exe
2548	powershell.exe
2556	powershell.exe
1460	powershell.exe
2992	powershell.exe
916	powershell.exe
2928	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	DllCommonsvc.exe
1968	OSPPSVC.exe
2100	OSPPSVC.exe
1496	OSPPSVC.exe
2448	OSPPSVC.exe
652	OSPPSVC.exe
1936	OSPPSVC.exe
1320	OSPPSVC.exe
392	OSPPSVC.exe
2992	OSPPSVC.exe
1788	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	cmd.exe
1172	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\es-ES\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\es-ES\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\en-US\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\en-US\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\smss.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Cursors\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
1244	schtasks.exe
2068	schtasks.exe
2660	schtasks.exe
2764	schtasks.exe
1784	schtasks.exe
1560	schtasks.exe
2192	schtasks.exe
2328	schtasks.exe
328	schtasks.exe
1772	schtasks.exe
1548	schtasks.exe
2900	schtasks.exe
480	schtasks.exe
1948	schtasks.exe
1012	schtasks.exe
2552	schtasks.exe
2784	schtasks.exe
1200	schtasks.exe
1764	schtasks.exe
2268	schtasks.exe
1732	schtasks.exe
2980	schtasks.exe
2888	schtasks.exe
2428	schtasks.exe
848	schtasks.exe
3068	schtasks.exe
2936	schtasks.exe
1040	schtasks.exe
1968	schtasks.exe
2008	schtasks.exe
1952	schtasks.exe
1268	schtasks.exe
876	schtasks.exe
2020	schtasks.exe
2452	schtasks.exe
1612	schtasks.exe
2696	schtasks.exe
604	schtasks.exe
1304	schtasks.exe
2312	schtasks.exe
908	schtasks.exe
2404	schtasks.exe
2444	schtasks.exe
2528	schtasks.exe
1256	schtasks.exe
2108	schtasks.exe
2144	schtasks.exe
2176	schtasks.exe
2652	schtasks.exe
2112	schtasks.exe
1264	schtasks.exe
1972	schtasks.exe
272	schtasks.exe
1604	schtasks.exe
2824	schtasks.exe
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2808	DllCommonsvc.exe
2548	powershell.exe
268	powershell.exe
2172	powershell.exe
3056	powershell.exe
2992	powershell.exe
2004	powershell.exe
2928	powershell.exe
2588	powershell.exe
2756	powershell.exe
1164	powershell.exe
1788	powershell.exe
2096	powershell.exe
2448	powershell.exe
1476	powershell.exe
1460	powershell.exe
2732	powershell.exe
2616	powershell.exe
916	powershell.exe
1500	powershell.exe
2556	powershell.exe
1968	OSPPSVC.exe
2100	OSPPSVC.exe
1496	OSPPSVC.exe
2448	OSPPSVC.exe
652	OSPPSVC.exe
1936	OSPPSVC.exe
1320	OSPPSVC.exe
392	OSPPSVC.exe
2992	OSPPSVC.exe
1788	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	DllCommonsvc.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1968	OSPPSVC.exe
Token: SeDebugPrivilege	2100	OSPPSVC.exe
Token: SeDebugPrivilege	1496	OSPPSVC.exe
Token: SeDebugPrivilege	2448	OSPPSVC.exe
Token: SeDebugPrivilege	652	OSPPSVC.exe
Token: SeDebugPrivilege	1936	OSPPSVC.exe
Token: SeDebugPrivilege	1320	OSPPSVC.exe
Token: SeDebugPrivilege	392	OSPPSVC.exe
Token: SeDebugPrivilege	2992	OSPPSVC.exe
Token: SeDebugPrivilege	1788	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2836	2640	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe	30
PID 2640 wrote to memory of 2836	2640	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe	30
PID 2640 wrote to memory of 2836	2640	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe	30
PID 2640 wrote to memory of 2836	2640	JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe	30
PID 2836 wrote to memory of 1172	2836	WScript.exe	31
PID 2836 wrote to memory of 1172	2836	WScript.exe	31
PID 2836 wrote to memory of 1172	2836	WScript.exe	31
PID 2836 wrote to memory of 1172	2836	WScript.exe	31
PID 1172 wrote to memory of 2808	1172	cmd.exe	33
PID 1172 wrote to memory of 2808	1172	cmd.exe	33
PID 1172 wrote to memory of 2808	1172	cmd.exe	33
PID 1172 wrote to memory of 2808	1172	cmd.exe	33
PID 2808 wrote to memory of 2548	2808	DllCommonsvc.exe	92
PID 2808 wrote to memory of 2548	2808	DllCommonsvc.exe	92
PID 2808 wrote to memory of 2548	2808	DllCommonsvc.exe	92
PID 2808 wrote to memory of 2556	2808	DllCommonsvc.exe	93
PID 2808 wrote to memory of 2556	2808	DllCommonsvc.exe	93
PID 2808 wrote to memory of 2556	2808	DllCommonsvc.exe	93
PID 2808 wrote to memory of 3056	2808	DllCommonsvc.exe	94
PID 2808 wrote to memory of 3056	2808	DllCommonsvc.exe	94
PID 2808 wrote to memory of 3056	2808	DllCommonsvc.exe	94
PID 2808 wrote to memory of 2172	2808	DllCommonsvc.exe	95
PID 2808 wrote to memory of 2172	2808	DllCommonsvc.exe	95
PID 2808 wrote to memory of 2172	2808	DllCommonsvc.exe	95
PID 2808 wrote to memory of 2732	2808	DllCommonsvc.exe	96
PID 2808 wrote to memory of 2732	2808	DllCommonsvc.exe	96
PID 2808 wrote to memory of 2732	2808	DllCommonsvc.exe	96
PID 2808 wrote to memory of 268	2808	DllCommonsvc.exe	97
PID 2808 wrote to memory of 268	2808	DllCommonsvc.exe	97
PID 2808 wrote to memory of 268	2808	DllCommonsvc.exe	97
PID 2808 wrote to memory of 1460	2808	DllCommonsvc.exe	98
PID 2808 wrote to memory of 1460	2808	DllCommonsvc.exe	98
PID 2808 wrote to memory of 1460	2808	DllCommonsvc.exe	98
PID 2808 wrote to memory of 2992	2808	DllCommonsvc.exe	99
PID 2808 wrote to memory of 2992	2808	DllCommonsvc.exe	99
PID 2808 wrote to memory of 2992	2808	DllCommonsvc.exe	99
PID 2808 wrote to memory of 916	2808	DllCommonsvc.exe	100
PID 2808 wrote to memory of 916	2808	DllCommonsvc.exe	100
PID 2808 wrote to memory of 916	2808	DllCommonsvc.exe	100
PID 2808 wrote to memory of 2004	2808	DllCommonsvc.exe	101
PID 2808 wrote to memory of 2004	2808	DllCommonsvc.exe	101
PID 2808 wrote to memory of 2004	2808	DllCommonsvc.exe	101
PID 2808 wrote to memory of 1500	2808	DllCommonsvc.exe	102
PID 2808 wrote to memory of 1500	2808	DllCommonsvc.exe	102
PID 2808 wrote to memory of 1500	2808	DllCommonsvc.exe	102
PID 2808 wrote to memory of 2096	2808	DllCommonsvc.exe	103
PID 2808 wrote to memory of 2096	2808	DllCommonsvc.exe	103
PID 2808 wrote to memory of 2096	2808	DllCommonsvc.exe	103
PID 2808 wrote to memory of 2616	2808	DllCommonsvc.exe	104
PID 2808 wrote to memory of 2616	2808	DllCommonsvc.exe	104
PID 2808 wrote to memory of 2616	2808	DllCommonsvc.exe	104
PID 2808 wrote to memory of 2588	2808	DllCommonsvc.exe	105
PID 2808 wrote to memory of 2588	2808	DllCommonsvc.exe	105
PID 2808 wrote to memory of 2588	2808	DllCommonsvc.exe	105
PID 2808 wrote to memory of 2756	2808	DllCommonsvc.exe	108
PID 2808 wrote to memory of 2756	2808	DllCommonsvc.exe	108
PID 2808 wrote to memory of 2756	2808	DllCommonsvc.exe	108
PID 2808 wrote to memory of 1788	2808	DllCommonsvc.exe	111
PID 2808 wrote to memory of 1788	2808	DllCommonsvc.exe	111
PID 2808 wrote to memory of 1788	2808	DllCommonsvc.exe	111
PID 2808 wrote to memory of 1164	2808	DllCommonsvc.exe	114
PID 2808 wrote to memory of 1164	2808	DllCommonsvc.exe	114
PID 2808 wrote to memory of 1164	2808	DllCommonsvc.exe	114
PID 2808 wrote to memory of 2928	2808	DllCommonsvc.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f48bce1afb9d813684c56e06ee6df0905b1ed83f843cc55f6481b62a94b6f142.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\es-ES\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lgTjQe2KUh.bat"
        5⤵
        
        PID:444
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:112
      - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"
        7⤵
        
        PID:1548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1424
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        9⤵
        
        PID:2368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1864
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        11⤵
        
        PID:272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2788
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
        13⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1868
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
        15⤵
        
        PID:1348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:276
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"
        17⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1932
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
        19⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1772
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        21⤵
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2740
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
        23⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:556
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        25⤵
        
        PID:808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19f4b9bdae5f9166db9928e298f5229c

SHA1
f12d29d60e5af7e6e34aafe60e87c3631ea59271

SHA256
0450333249ce1a6bee94317c5915041f8e6c2aaa85a1f3792ee08aafb552bd86

SHA512
401c803e3d8bb650513472f72ebdb3f02bda910f07b6070c2ab78b6ac45c2a8d6ec7dd9452ab0a92bcda7980ca4ea5ee7a8c05996a1a63e10a69aee4ce5d7063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c618c438553e91344741c97ee976b6f

SHA1
46c1671909673b6f3b37d1921569b3cda8cf4add

SHA256
29068a12e3640298c6399780a68abda061cdef0ef1b2f5e911c8dd10791771d5

SHA512
b5dbdd472befdb78dbceb50464aa4cddd783aee1e481cfc1f65b5c708298b9b54f8a750b6d9581b13028045c9b84783cfdcc80dca66f72dccb294880dfb297ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
209e8ab563f8371203970e55e4bf139a

SHA1
17dc10f7bc2ca465f19273842cddde84abd75349

SHA256
9f928deb7c27fd6e69e227229de07ddbc7f6796113106cd7d9f35981e8f313e5

SHA512
b13058366e78ed9e6a9feeaab26ff14ec9526544cc1a507df25565c2b81b0136f7a2ff449778bc8585fea6330ffb1da47e1ef6157a08b064f9110a045af833ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beffdb4b79faf0f692ce53b880684025

SHA1
33b2b31c3f5487e1d9ea24ee29e3a0af7b5bfda4

SHA256
45dda67bef88587cf57a7866baae69f903499fc92c9a3693fbcc91fa9d8a8516

SHA512
6ddd76bd623f06af0fa609221d8efb88374520bf1dcf280c86c730e02047d17333fb3417375634b56d921ecc2563042f76500ba49b1db749c1e0cdce50b6cba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3254072f084153a9ae8ea830ba6a7be5

SHA1
dfaf197bf61bc04c1199e9bcc9158656b885fe6d

SHA256
9979e155a19513e42225ae387a80a4c75c3ac51245e03da250f309e4b923a966

SHA512
9cd6a83c155858f58e312fef2ab0ff131734458670356858f704b0f305ccd7f5ea9820c911b83964e7ca00b6362ea0e1e1e3477363089b75db6cc42044978f7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
312a7f029fe0d93eb1de541a840f7f79

SHA1
05951faf84953d316ff5b0773f178d3d760708c1

SHA256
8fffe200e823c1b6eff1fdfdde22a21ca28d86976ca4c901fb8444f339364cb5

SHA512
393f9da9d74b2e6339b61115bc72a961b272eb498959afd067ebf708f6af6cd49cc95e0bdb6440aa674ab6a7b202f44e06e75a613ee50ed6e35e4ec820ba1f67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff68bc3d18966cc0028fe77475ff26aa

SHA1
2b7c9237e983261c16f786c1e25cefff25390f51

SHA256
d5febb762b1f136ee066479843d8600df8231771e9fb49a3e49203a754678e87

SHA512
d3cdee5002b7aabe85b9cd6b8a6914613a8be0632ab8eed3927f80d8d6bc1136343b554e6ec8eaae041698854295bde9aa7fe5262ebcb7e72459de969950f17f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e5d5b490b47f8370b5b618527272fd2

SHA1
513d70e16ef8548871c8a29db14896be48c9e029

SHA256
fd9583aaa103d2de7855a320b547a48175dfbe3851e1d89eca4a8b3f37316995

SHA512
b92e47f2d15dc39d37d765ecff14980e5ae89b609af1f099377281837b2fe648d3222118aa455e8963c5ce5b4fa1b27b49b7efe20a5bf2e573dfaff1fa5b5620

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8df65eff6a5d09cf3995cd5b608447f

SHA1
dbf94f5f4717e382c22dadcabea95e825d07475c

SHA256
6ed0d0a863fe19eade248c5e5f501b4367a0e85a0cdeffb3bd857f03a3a8481c

SHA512
eae45adaddc2821f7b8eddf6cfef20020c2cbe9bbd36a89e745edc89c934dce8ce99d689a8b4a7ce8e54952749621bcca147a02b4c64f783b5ffba5433c7ec99

Download Submit
C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

Filesize
225B

MD5
5062404dadae3e134bb957c5858e9ab3

SHA1
dd42446d1c52b6dc90578971581067b3c5966d7f

SHA256
12fc9ec9631050f4864a77eb83a7fc39ff5223e89058399e78f85aacdde2f55a

SHA512
bf2ce2cbb7d1dab6cbd24bbda692c96ef09f88d874285ec67f3719a443ff82b2bfa51cd8616d602c7fe2f2b71e27e4feca62ccb884c25619959f713a71fa9e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7689.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
225B

MD5
c2f32b8a27e8823b1fa4d00d2e8621b8

SHA1
83bc815d7bd40b85f385a7b95f6d69315d3ef5ad

SHA256
360fffa72ada362d23faa7a6a287e6082232773b231865e1b31d6f06267d75d7

SHA512
97ca21a57ecb19147f0baaaa7e0448d67c919d08435babdc08f5f63adfd04dec735f45838d92062396b74897c6c4ad98df900235fb265fdda24db9217bdaab35

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat

Filesize
225B

MD5
2a087e40f155111c252b9141ec8ac1cb

SHA1
9bf692660b66fed8e85c0fc4e2ac6f0c2b366ea9

SHA256
bbc26144e22a6f114b93f4a5cd64ffbb85a50dc02657fc724a93412c8883db62

SHA512
87871bacf5c0b47b3cbb93f28657bc398d6b7c6818e55a8f896280b85469f8c78e6beda64d40ad67e541a646622698b7de79166ed57b60ff64dedaef8ff1d9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar76AB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

Filesize
225B

MD5
d1db772c80e7cea310521bcdd0411a3c

SHA1
04888f5e52c482d64cf07d01a63a23949efdbfe3

SHA256
b5cfa1cf0219928c5bfb2f7cca30005e27c357a4f239f8705ebf64c8faf75e32

SHA512
786ec40bcbfa69bcce17ab5b533afd1910880b4bfd5090bd0e6b7a4d11d77cd315591105f7e4f8fde809fc099b69b6b1fe4be59af2d4d7efd62b23f4b68fce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat

Filesize
225B

MD5
92e150a102fbe08a19bceac6bd28c153

SHA1
562970063309392dd93747a2929ad7013cd30de8

SHA256
d0256c021cf6aceb1ca0b0b19d3c5eba8654db15de091e780952379cfb59f192

SHA512
be72934d5ce43ab45b9ba83d424fe2a0ae785114bc90d6f21564c359f3f040c0b51927e97e31b721cb6bc859a81c2a9811c0b027a0d13668cf270af44804403a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat

Filesize
225B

MD5
901b9c4c579d421e26a75b1a3f1c321a

SHA1
756fa82a358e1b46ca9a195b03045adb7ed73507

SHA256
7be40b98b9c2ded1296400408a37b3a4c976720111342fb160463b4b98ebe91a

SHA512
b1130a9a5acc8c5958e1dfaf24935cfb7f5f146df4ef7ceb1b4ce509ea51cc183206193f9afb0a1adea34673102caadcc2c3380ff948b8b69ceac87b55d626a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

Filesize
225B

MD5
1ed8721c8a706be9754dae75771eeffe

SHA1
dd76386468b8f62c4ea8680bf0489ee321992cc4

SHA256
a88206c5280d23da516dd2ef6efa3aa0a423c1072cec76dba36e2c3c6917310e

SHA512
163c6416814b7b96631192c48bbc086f5a6e847fa19f26a2876a3ae125338bcb1913b55b64cedf7cfe7a82fa8d27b11077d419ce7196d323608940d0fc033ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgTjQe2KUh.bat

Filesize
225B

MD5
4ae97d66be5dd2d309fd664fc2bd806c

SHA1
c912ccabff387c9b621ead3e0d55e15fe4de3ae5

SHA256
e81340609916b70c29fefc4d2849fe3598a2b8e6427352b8ecd7779b173c3844

SHA512
cffb01739507f141156999e07b659aede13fc0bb509fe3e60d4bf2db676b83eff0d4c31ce044198f924d975326e1e68e863e5302e388b790d45dacbe000a3f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
225B

MD5
baf60132cf54676ff8303782564fc5fe

SHA1
79b4c9a95c0daafeda877aefbb86bcc8ba8d29de

SHA256
7c5e74185d9167802f7c451029700b2ccae80d531985c25ac07c735e3603feef

SHA512
6afaab8958cc7a2dc7dd44790f0438b23e3d510569c71f22f2f17c41f080dad1496e9f2d9d8cc9c9e1104997f183d0d1bb594a825e66d2fbf596e84a43ca3540

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
225B

MD5
b8ae473a878ff8257efafb4514fe9763

SHA1
13613906b67438a69ad5af981b02a728ec2d06c2

SHA256
ce1acbd355951f529f89658af50a895c2b6651b5b94251ec231e426890f76352

SHA512
1313b90b5d229ba07c6ca78e2e2078d9e6ee193f924bba342311a4d31ab902b3b9d86836174de11d70d335c2ec3f0a6b216b07a06919ca9a3a679cc9fb1491f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat

Filesize
225B

MD5
e5d9c2f7dd6c86e1dfd61fde43109ffa

SHA1
efa40715f8451a4f1d563d8aad007236bc19ef4c

SHA256
66a168d37cf157758d6f00ccfc0b3f61b0befe982a9c30d17ffe2d3cb6d9da24

SHA512
1de3009cb4505eb552170d4888de3b1ded67582eebf413b95518a4820ef84173e730857de54361cb352249073a7a2a0d9f6de6cb160a9d957fdfe7474020cf66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e65adeb7439e962e5d09d56e426d95c9

SHA1
0f7c7fc0eb94d81444f8d4dca85792396b8185e5

SHA256
8147bae1d884b009f526b283f17032a73b30476f9102fb0fd49e6c9fa6570e2e

SHA512
a9ff2152d1750db39f72249a5acd523cc3f8e0db1b01125371ed2ccba4aa20f2be430bd406da460c7f1c95a1529ea41be4337b84f2806955a0f8b6dfe70af575

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1496-281-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/1788-697-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/1936-460-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1936-459-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/1968-162-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2100-221-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2548-75-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2548-65-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2808-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2808-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2808-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2808-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2808-13-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download