dcrat | 7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
Size

1.3MB
MD5

3108a2dabc945949edc1019eb794b752
SHA1

16c16b63f45d8cb9303102bff7981003719ec705
SHA256

7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742
SHA512

8fee7b5345a6e7e7f6195b4de30b57ce53196dbc509a080367f261e2f9c688ae8fa50c9fd1aa471b95bc00eccb0acbb9afe33f96ff2cfddd5f61bb4abee256c8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	3588	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	3588	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b69-10.dat	dcrat
behavioral2/memory/3576-13-0x0000000000600000-0x0000000000710000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5076	powershell.exe
3800	powershell.exe
2900	powershell.exe
4004	powershell.exe
3584	powershell.exe
2032	powershell.exe
2868	powershell.exe
2896	powershell.exe
4940	powershell.exe
392	powershell.exe
8	powershell.exe
4112	powershell.exe
3136	powershell.exe
3048	powershell.exe
4616	powershell.exe
460	powershell.exe
2920	powershell.exe
1760	powershell.exe
2232	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 14 IoCs

pid	Process
3576	DllCommonsvc.exe
4040	wininit.exe
5732	wininit.exe
4832	wininit.exe
552	wininit.exe
2812	wininit.exe
1524	wininit.exe
4408	wininit.exe
868	wininit.exe
1136	wininit.exe
4492	wininit.exe
2356	wininit.exe
6040	wininit.exe
2028	wininit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
39	raw.githubusercontent.com
42	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
26	raw.githubusercontent.com
41	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
57	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\upfc.exe	DllCommonsvc.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\ea1d8f6d871115	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4992	schtasks.exe
4752	schtasks.exe
3620	schtasks.exe
4904	schtasks.exe
3540	schtasks.exe
1668	schtasks.exe
3292	schtasks.exe
1428	schtasks.exe
1472	schtasks.exe
4544	schtasks.exe
3688	schtasks.exe
2708	schtasks.exe
1356	schtasks.exe
3652	schtasks.exe
1120	schtasks.exe
2248	schtasks.exe
4788	schtasks.exe
2616	schtasks.exe
3088	schtasks.exe
908	schtasks.exe
2012	schtasks.exe
4916	schtasks.exe
5012	schtasks.exe
1720	schtasks.exe
4060	schtasks.exe
3944	schtasks.exe
5004	schtasks.exe
2940	schtasks.exe
2332	schtasks.exe
1420	schtasks.exe
1816	schtasks.exe
2620	schtasks.exe
868	schtasks.exe
2632	schtasks.exe
1916	schtasks.exe
1536	schtasks.exe
3216	schtasks.exe
232	schtasks.exe
212	schtasks.exe
1480	schtasks.exe
5020	schtasks.exe
2008	schtasks.exe
2028	schtasks.exe
4812	schtasks.exe
552	schtasks.exe
764	schtasks.exe
1016	schtasks.exe
3680	schtasks.exe
2996	schtasks.exe
1372	schtasks.exe
3856	schtasks.exe
4420	schtasks.exe
716	schtasks.exe
4520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
3576	DllCommonsvc.exe
2232	powershell.exe
2232	powershell.exe
3584	powershell.exe
3584	powershell.exe
4616	powershell.exe
4616	powershell.exe
8	powershell.exe
8	powershell.exe
2920	powershell.exe
2920	powershell.exe
2868	powershell.exe
2868	powershell.exe
3136	powershell.exe
3136	powershell.exe
2896	powershell.exe
2896	powershell.exe
460	powershell.exe
460	powershell.exe
2900	powershell.exe
2900	powershell.exe
2032	powershell.exe
2032	powershell.exe
1760	powershell.exe
1760	powershell.exe
392	powershell.exe
392	powershell.exe
4940	powershell.exe
4940	powershell.exe
4040	wininit.exe
4040	wininit.exe
3800	powershell.exe
3800	powershell.exe
3048	powershell.exe
3048	powershell.exe
4004	powershell.exe
4004	powershell.exe
4112	powershell.exe
4112	powershell.exe
5076	powershell.exe
5076	powershell.exe
2232	powershell.exe
2232	powershell.exe
4616	powershell.exe
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3576	DllCommonsvc.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	4040	wininit.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	5732	wininit.exe
Token: SeDebugPrivilege	4832	wininit.exe
Token: SeDebugPrivilege	552	wininit.exe
Token: SeDebugPrivilege	2812	wininit.exe
Token: SeDebugPrivilege	1524	wininit.exe
Token: SeDebugPrivilege	4408	wininit.exe
Token: SeDebugPrivilege	868	wininit.exe
Token: SeDebugPrivilege	1136	wininit.exe
Token: SeDebugPrivilege	4492	wininit.exe
Token: SeDebugPrivilege	2356	wininit.exe
Token: SeDebugPrivilege	6040	wininit.exe
Token: SeDebugPrivilege	2028	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4500	4676	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	82
PID 4676 wrote to memory of 4500	4676	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	82
PID 4676 wrote to memory of 4500	4676	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	82
PID 4500 wrote to memory of 3360	4500	WScript.exe	83
PID 4500 wrote to memory of 3360	4500	WScript.exe	83
PID 4500 wrote to memory of 3360	4500	WScript.exe	83
PID 3360 wrote to memory of 3576	3360	cmd.exe	85
PID 3360 wrote to memory of 3576	3360	cmd.exe	85
PID 3576 wrote to memory of 5076	3576	DllCommonsvc.exe	141
PID 3576 wrote to memory of 5076	3576	DllCommonsvc.exe	141
PID 3576 wrote to memory of 2868	3576	DllCommonsvc.exe	142
PID 3576 wrote to memory of 2868	3576	DllCommonsvc.exe	142
PID 3576 wrote to memory of 8	3576	DllCommonsvc.exe	143
PID 3576 wrote to memory of 8	3576	DllCommonsvc.exe	143
PID 3576 wrote to memory of 2232	3576	DllCommonsvc.exe	144
PID 3576 wrote to memory of 2232	3576	DllCommonsvc.exe	144
PID 3576 wrote to memory of 1760	3576	DllCommonsvc.exe	145
PID 3576 wrote to memory of 1760	3576	DllCommonsvc.exe	145
PID 3576 wrote to memory of 3048	3576	DllCommonsvc.exe	146
PID 3576 wrote to memory of 3048	3576	DllCommonsvc.exe	146
PID 3576 wrote to memory of 2920	3576	DllCommonsvc.exe	148
PID 3576 wrote to memory of 2920	3576	DllCommonsvc.exe	148
PID 3576 wrote to memory of 460	3576	DllCommonsvc.exe	149
PID 3576 wrote to memory of 460	3576	DllCommonsvc.exe	149
PID 3576 wrote to memory of 4616	3576	DllCommonsvc.exe	151
PID 3576 wrote to memory of 4616	3576	DllCommonsvc.exe	151
PID 3576 wrote to memory of 3136	3576	DllCommonsvc.exe	152
PID 3576 wrote to memory of 3136	3576	DllCommonsvc.exe	152
PID 3576 wrote to memory of 2032	3576	DllCommonsvc.exe	154
PID 3576 wrote to memory of 2032	3576	DllCommonsvc.exe	154
PID 3576 wrote to memory of 4112	3576	DllCommonsvc.exe	155
PID 3576 wrote to memory of 4112	3576	DllCommonsvc.exe	155
PID 3576 wrote to memory of 3584	3576	DllCommonsvc.exe	156
PID 3576 wrote to memory of 3584	3576	DllCommonsvc.exe	156
PID 3576 wrote to memory of 392	3576	DllCommonsvc.exe	157
PID 3576 wrote to memory of 392	3576	DllCommonsvc.exe	157
PID 3576 wrote to memory of 4940	3576	DllCommonsvc.exe	158
PID 3576 wrote to memory of 4940	3576	DllCommonsvc.exe	158
PID 3576 wrote to memory of 4004	3576	DllCommonsvc.exe	159
PID 3576 wrote to memory of 4004	3576	DllCommonsvc.exe	159
PID 3576 wrote to memory of 2900	3576	DllCommonsvc.exe	160
PID 3576 wrote to memory of 2900	3576	DllCommonsvc.exe	160
PID 3576 wrote to memory of 2896	3576	DllCommonsvc.exe	161
PID 3576 wrote to memory of 2896	3576	DllCommonsvc.exe	161
PID 3576 wrote to memory of 3800	3576	DllCommonsvc.exe	162
PID 3576 wrote to memory of 3800	3576	DllCommonsvc.exe	162
PID 3576 wrote to memory of 4040	3576	DllCommonsvc.exe	178
PID 3576 wrote to memory of 4040	3576	DllCommonsvc.exe	178
PID 4040 wrote to memory of 5544	4040	wininit.exe	183
PID 4040 wrote to memory of 5544	4040	wininit.exe	183
PID 5544 wrote to memory of 5620	5544	cmd.exe	185
PID 5544 wrote to memory of 5620	5544	cmd.exe	185
PID 5544 wrote to memory of 5732	5544	cmd.exe	187
PID 5544 wrote to memory of 5732	5544	cmd.exe	187
PID 5732 wrote to memory of 6056	5732	wininit.exe	190
PID 5732 wrote to memory of 6056	5732	wininit.exe	190
PID 6056 wrote to memory of 6108	6056	cmd.exe	192
PID 6056 wrote to memory of 6108	6056	cmd.exe	192
PID 6056 wrote to memory of 4832	6056	cmd.exe	194
PID 6056 wrote to memory of 4832	6056	cmd.exe	194
PID 4832 wrote to memory of 968	4832	wininit.exe	196
PID 4832 wrote to memory of 968	4832	wininit.exe	196
PID 968 wrote to memory of 1612	968	cmd.exe	198
PID 968 wrote to memory of 1612	968	cmd.exe	198

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
"C:\Users\Admin\AppData\Local\Temp\7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
    - - C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5620
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:6056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:6108
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1612
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        12⤵
        
        PID:3612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:812
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat"
        14⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:316
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        16⤵
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4872
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat"
        18⤵
        
        PID:5312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4584
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
        20⤵
        
        PID:1468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4416
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
        22⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2928
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"
        24⤵
        
        PID:3164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1380
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        26⤵
        
        PID:5448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:5996
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        28⤵
        
        PID:3248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:6084
        
        C:\Program Files (x86)\Windows Mail\wininit.exe
        
        "C:\Program Files (x86)\Windows Mail\wininit.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\ja-JP\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Templates\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Roaming\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Roaming\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
73f34fe916c19a2583073cf1cdb186cb

SHA1
fcf1054aa822ea423e181725ae9ef68d92abb347

SHA256
7343df9c19a951e3aec3eaf90bd4a24ffc712497c618acf94b3c0b4c9d4eb711

SHA512
6b820f949c3b5ce02c30c1e9f39364f7f1726ca02e4fbce9f12fff0c22fe317e9ccdccbc917506860d0cacac120ef6d215d9ef1ddb7fbf5fffc835c8e28c0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\0SbqORFfit.bat

Filesize
212B

MD5
17485e5c3fb2bb9f89a9fe3f23b12336

SHA1
56520de2c14f5d2637076be9532d23926d527b8f

SHA256
5e5dab1fe19076a34ed7b1d531546d781563ecbceb097d14cadb6094b30dd9d5

SHA512
a64f2bf0c43953dcd82ea28249e3313782002a2983fb5bdb82b7571f82b20c4c35511f1064ed021264b47fb882efafe17859c44ff44fde59c0084314f420c836

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

Filesize
212B

MD5
8ab67f0ec3c35ba17dddf300e1342ec2

SHA1
b061cf14d3a908fb8fc1d47ea93e093ae7913c11

SHA256
b897f8e9e893ce82aa466908d32a4d72b688543277581372c574e477224a6e37

SHA512
1d4d5d70244bc0b2074d75db7e38687ef9e6b5403d915f9394b6fddb54cc8183a6f6f562e45cf1a90f456a00f660d8394e2377aad8e6aba8765ace3446d3a228

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat

Filesize
212B

MD5
dc2c31ce6243a4065001269797fe6e24

SHA1
3cfc05be224b684f768fbed4f756467720b55d20

SHA256
3692f8e9aa6e35adb9cf0ef012f9b95fe65fc2f3a731f128ff294ca9b09690b0

SHA512
1dfc7bb043d808bb94d0d9256fe3fc7f91077ea402e0a72c835cec4990955900ec4899c726f1f48e49b0021c35ec0f63d820c38d7e38f1a67a0daf6e4ca14680

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
212B

MD5
85d8fd7d5620bed872dc6de30c64f28f

SHA1
840d85185a58642143f404b617ce5ad8763cc295

SHA256
00178d83bce2619cb3f60653242bbb2be3ac6aedf0def98e7afd41e90c5abeaa

SHA512
dcb686560608de4142867b6d78260c79c8105e27ea288502796ed0a096a0dcad5a2de770285732e02e8b39945966c336c7134dd167c048f14a4219287d32d877

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
212B

MD5
718766231a65e49e9cf8ab7141662bc7

SHA1
83853411ae3711384d26667dc4648fb84d15191a

SHA256
f171bfdb255a60d1a584d2505731026d9007b51809ecec1bf1463a3d87a2887d

SHA512
3aeda408117b1749eb925b492b9feb6285a6e6fb509d1583880df40a1e450fe26597c0084958eaba79dc5ebd92289dba5161db9dffc04c363fc10260da6787af

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHf3c4kdaf.bat

Filesize
212B

MD5
3bdaa3ade3cd65a3651d479cbbc22133

SHA1
83d1352c5165e396f07761433009cc7456106059

SHA256
5ba7623b41412575dc4825f447fea207b21d446b170d2b39d9f045e4cf89b24e

SHA512
87044fdc4e444109616f035f68b9c217926e1c7809db26817eb099934ba4c923033235d0c1659f12de315386dfb89a546a3bae593c35be4ff22512d17a7a812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

Filesize
212B

MD5
78ec8a92b9747fd16dd7ce15f7987ca1

SHA1
cfb6005f6acd26a4c9c6cfb5a7802ee251b050e8

SHA256
67cc4f34fcb8dc62dbaed295f13f97d34f51170f057a4715c23950168b104b0e

SHA512
673d33df6677144ec92b5214927f8f562acf263c9275791150764017055221b9d5deef8ad5d37dc1fc84c57af13b9881fb656a38ea54628708d44a51140202ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
212B

MD5
5ae8b8f8c15f3e66c1e8542408684172

SHA1
a82632b3f8c8673a65a7c9f8a1366b518d405922

SHA256
2e8dc3545f72bd45fff7cbfee4d9bd1aee83110b21177c77bedd97244b2694b3

SHA512
4b08e7290c66ddf4374509176e027174634acf4f5b11ef573d6d7d9c38eabd22a8b805f5a4677f7dcce4897dc4bfcbfe2d9f60be1a28d8f0a578295738bb71ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat

Filesize
212B

MD5
3e3f562429bc2e8182e5abdbf1e8c9ba

SHA1
ed563623ba5561b6059de065e249b46a726e9c29

SHA256
56fb269c03659a752bab94c42e4e8ac8fc86d0ba582036ffa650875f8d6c089e

SHA512
4ee112cafcb71faa5b64f3921905d8a991395e2b8dfb32d3d05f1a44729090c2b524c146278273e097a0f94d038503d55bd49bf1d1af8e0edd9ca6902c8886dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wodrxxtt.lmu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
212B

MD5
e3a4afa571557c5d5c4081946ed5d8a1

SHA1
5dc61a17f73e27fe9f267c07466113320f42a165

SHA256
c3ba00ced4a7a6e2bfb90757374d8a0616c1fc9bdfc5cd8b4d0c42f4d5d820b7

SHA512
4ce22d217891ae5432a004d5a659344004361dee89b387a5965bb3f73780fcfe32c902668c999c5c5183b28cfa8be698372aaf111a7d88733281ff0b71853120

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

Filesize
212B

MD5
40688d2d1b74332cfdf1b064f6bc650d

SHA1
a431cddc816f3881778c56076a1a88e9e5081359

SHA256
cd5dd988de7c9c7378cab24efdec6fbf7550e06670a3c5b71c6807783e15fa35

SHA512
8d509104dd66bbcbe45b6fbec8e33a5d0cfbcdd08207d6c5108a9b5fcf84a621922b88714ce9bef2260bad7101185cf874bfb10c593d60313499b0139fbab152

Download Submit
C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat

Filesize
212B

MD5
48738335bc8a9f43d137fb82446ac7e2

SHA1
8501c1ec2c8efc9ed10ce198d3dbcc883d4b4e30

SHA256
1c166573f9ae0b5bed7b8d85450d647c4a7859a74256786a1ab115c83434ad0e

SHA512
0f8abb63852945b38da777ec08adea45677f0ff188eeee61d3e44a568e7a07a8b8857cf145c594c21d29adef212dc580acc28fc00863f0df429b7e6d1f2c400f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/552-302-0x000000001C2B0000-0x000000001C41A000-memory.dmp

Filesize
1.4MB

Download
memory/868-327-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/1524-318-0x000000001BFA0000-0x000000001C10A000-memory.dmp

Filesize
1.4MB

Download
memory/1524-313-0x0000000002630000-0x0000000002642000-memory.dmp

Filesize
72KB

Download
memory/2356-346-0x0000000002F80000-0x0000000002F92000-memory.dmp

Filesize
72KB

Download
memory/2812-310-0x000000001BC30000-0x000000001BD9A000-memory.dmp

Filesize
1.4MB

Download
memory/2812-305-0x0000000002220000-0x0000000002232000-memory.dmp

Filesize
72KB

Download
memory/3576-17-0x00000000028F0000-0x00000000028FC000-memory.dmp

Filesize
48KB

Download
memory/3576-16-0x0000000000F30000-0x0000000000F3C000-memory.dmp

Filesize
48KB

Download
memory/3576-15-0x000000001B320000-0x000000001B32C000-memory.dmp

Filesize
48KB

Download
memory/3576-14-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/3576-13-0x0000000000600000-0x0000000000710000-memory.dmp

Filesize
1.1MB

Download
memory/3576-12-0x00007FFDF1813000-0x00007FFDF1815000-memory.dmp

Filesize
8KB

Download
memory/4040-281-0x000000001C040000-0x000000001C142000-memory.dmp

Filesize
1.0MB

Download
memory/4040-65-0x00000000013A0000-0x00000000013B2000-memory.dmp

Filesize
72KB

Download
memory/4616-71-0x000001ED4B0D0000-0x000001ED4B0F2000-memory.dmp

Filesize
136KB

Download
memory/4832-295-0x000000001C500000-0x000000001C66A000-memory.dmp

Filesize
1.4MB

Download
memory/5732-284-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download