dcrat | 6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe
Size

1.3MB
MD5

597145f6c6d0a2c648cef94239127d66
SHA1

de75fe961729970e6980f817c452400ceb96c7e4
SHA256

6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2
SHA512

1b7b90ee65ce37f1ea3a960d5babf951e29984d4e4211ff4a8de273aad565d7dcba73de638a763a9544da4c53476eeb4cc565be8d97c463a474a08e50d63a13e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2608	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2608	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c76-10.dat	dcrat
behavioral2/memory/1136-13-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2524	powershell.exe
224	powershell.exe
2216	powershell.exe
324	powershell.exe
4220	powershell.exe
64	powershell.exe
4508	powershell.exe
4656	powershell.exe
2156	powershell.exe
4976	powershell.exe
412	powershell.exe
4528	powershell.exe
2272	powershell.exe
3632	powershell.exe
3652	powershell.exe
1404	powershell.exe
4740	powershell.exe
3716	powershell.exe
100	powershell.exe
4736	powershell.exe
3536	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 14 IoCs

pid	Process
1136	DllCommonsvc.exe
3592	DllCommonsvc.exe
1900	csrss.exe
320	csrss.exe
1324	csrss.exe
2384	csrss.exe
2312	csrss.exe
2752	csrss.exe
4672	csrss.exe
4768	csrss.exe
4796	csrss.exe
4808	csrss.exe
1016	csrss.exe
1400	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
12	raw.githubusercontent.com
13	raw.githubusercontent.com
38	raw.githubusercontent.com
43	raw.githubusercontent.com
49	raw.githubusercontent.com
18	raw.githubusercontent.com
37	raw.githubusercontent.com
42	raw.githubusercontent.com
50	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\System32\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\System32\6ccacd8608530f	DllCommonsvc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteApps\SearchApp.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\WinSxS\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\38384e6a620884	DllCommonsvc.exe
File created	C:\Windows\es-ES\System.exe	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\DISM\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\DISM\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\es-ES\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
640	schtasks.exe
4184	schtasks.exe
3988	schtasks.exe
4188	schtasks.exe
1448	schtasks.exe
2508	schtasks.exe
4348	schtasks.exe
3348	schtasks.exe
796	schtasks.exe
3488	schtasks.exe
2476	schtasks.exe
2716	schtasks.exe
4660	schtasks.exe
4272	schtasks.exe
740	schtasks.exe
2416	schtasks.exe
4596	schtasks.exe
4504	schtasks.exe
3668	schtasks.exe
2504	schtasks.exe
2384	schtasks.exe
1184	schtasks.exe
1296	schtasks.exe
2208	schtasks.exe
1284	schtasks.exe
4572	schtasks.exe
4672	schtasks.exe
5032	schtasks.exe
228	schtasks.exe
2008	schtasks.exe
4844	schtasks.exe
572	schtasks.exe
4796	schtasks.exe
220	schtasks.exe
4248	schtasks.exe
692	schtasks.exe
4340	schtasks.exe
4908	schtasks.exe
1084	schtasks.exe
2428	schtasks.exe
1472	schtasks.exe
4596	schtasks.exe
4732	schtasks.exe
4516	schtasks.exe
3340	schtasks.exe
3968	schtasks.exe
1528	schtasks.exe
1780	schtasks.exe
2012	schtasks.exe
2064	schtasks.exe
4712	schtasks.exe
3012	schtasks.exe
5092	schtasks.exe
1472	schtasks.exe
5056	schtasks.exe
1892	schtasks.exe
432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1136	DllCommonsvc.exe
1136	DllCommonsvc.exe
1136	DllCommonsvc.exe
4976	powershell.exe
412	powershell.exe
4528	powershell.exe
100	powershell.exe
2156	powershell.exe
4528	powershell.exe
4976	powershell.exe
412	powershell.exe
2156	powershell.exe
100	powershell.exe
3592	DllCommonsvc.exe
3592	DllCommonsvc.exe
3592	DllCommonsvc.exe
3716	powershell.exe
3716	powershell.exe
324	powershell.exe
324	powershell.exe
2272	powershell.exe
2272	powershell.exe
4220	powershell.exe
4220	powershell.exe
2524	powershell.exe
2524	powershell.exe
3652	powershell.exe
3652	powershell.exe
64	powershell.exe
64	powershell.exe
4508	powershell.exe
4508	powershell.exe
4656	powershell.exe
4656	powershell.exe
3632	powershell.exe
3632	powershell.exe
1404	powershell.exe
1404	powershell.exe
2216	powershell.exe
2216	powershell.exe
3536	powershell.exe
3536	powershell.exe
224	powershell.exe
224	powershell.exe
4740	powershell.exe
4740	powershell.exe
4736	powershell.exe
4736	powershell.exe
1900	csrss.exe
1900	csrss.exe
3716	powershell.exe
3716	powershell.exe
4736	powershell.exe
3652	powershell.exe
2272	powershell.exe
2524	powershell.exe
324	powershell.exe
324	powershell.exe
224	powershell.exe
1404	powershell.exe
4508	powershell.exe
4656	powershell.exe
4740	powershell.exe
64	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	DllCommonsvc.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	3592	DllCommonsvc.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	1900	csrss.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	320	csrss.exe
Token: SeDebugPrivilege	1324	csrss.exe
Token: SeDebugPrivilege	2384	csrss.exe
Token: SeDebugPrivilege	2312	csrss.exe
Token: SeDebugPrivilege	2752	csrss.exe
Token: SeDebugPrivilege	4672	csrss.exe
Token: SeDebugPrivilege	4768	csrss.exe
Token: SeDebugPrivilege	4796	csrss.exe
Token: SeDebugPrivilege	4808	csrss.exe
Token: SeDebugPrivilege	1016	csrss.exe
Token: SeDebugPrivilege	1400	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2596	1348	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe	83
PID 1348 wrote to memory of 2596	1348	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe	83
PID 1348 wrote to memory of 2596	1348	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe	83
PID 2596 wrote to memory of 4164	2596	WScript.exe	85
PID 2596 wrote to memory of 4164	2596	WScript.exe	85
PID 2596 wrote to memory of 4164	2596	WScript.exe	85
PID 4164 wrote to memory of 1136	4164	cmd.exe	87
PID 4164 wrote to memory of 1136	4164	cmd.exe	87
PID 1136 wrote to memory of 2156	1136	DllCommonsvc.exe	102
PID 1136 wrote to memory of 2156	1136	DllCommonsvc.exe	102
PID 1136 wrote to memory of 4976	1136	DllCommonsvc.exe	103
PID 1136 wrote to memory of 4976	1136	DllCommonsvc.exe	103
PID 1136 wrote to memory of 412	1136	DllCommonsvc.exe	104
PID 1136 wrote to memory of 412	1136	DllCommonsvc.exe	104
PID 1136 wrote to memory of 4528	1136	DllCommonsvc.exe	105
PID 1136 wrote to memory of 4528	1136	DllCommonsvc.exe	105
PID 1136 wrote to memory of 100	1136	DllCommonsvc.exe	106
PID 1136 wrote to memory of 100	1136	DllCommonsvc.exe	106
PID 1136 wrote to memory of 4900	1136	DllCommonsvc.exe	111
PID 1136 wrote to memory of 4900	1136	DllCommonsvc.exe	111
PID 4900 wrote to memory of 1596	4900	cmd.exe	114
PID 4900 wrote to memory of 1596	4900	cmd.exe	114
PID 4900 wrote to memory of 3592	4900	cmd.exe	116
PID 4900 wrote to memory of 3592	4900	cmd.exe	116
PID 3592 wrote to memory of 2272	3592	DllCommonsvc.exe	162
PID 3592 wrote to memory of 2272	3592	DllCommonsvc.exe	162
PID 3592 wrote to memory of 4220	3592	DllCommonsvc.exe	163
PID 3592 wrote to memory of 4220	3592	DllCommonsvc.exe	163
PID 3592 wrote to memory of 2524	3592	DllCommonsvc.exe	164
PID 3592 wrote to memory of 2524	3592	DllCommonsvc.exe	164
PID 3592 wrote to memory of 3632	3592	DllCommonsvc.exe	165
PID 3592 wrote to memory of 3632	3592	DllCommonsvc.exe	165
PID 3592 wrote to memory of 64	3592	DllCommonsvc.exe	166
PID 3592 wrote to memory of 64	3592	DllCommonsvc.exe	166
PID 3592 wrote to memory of 4508	3592	DllCommonsvc.exe	167
PID 3592 wrote to memory of 4508	3592	DllCommonsvc.exe	167
PID 3592 wrote to memory of 224	3592	DllCommonsvc.exe	168
PID 3592 wrote to memory of 224	3592	DllCommonsvc.exe	168
PID 3592 wrote to memory of 2216	3592	DllCommonsvc.exe	169
PID 3592 wrote to memory of 2216	3592	DllCommonsvc.exe	169
PID 3592 wrote to memory of 4656	3592	DllCommonsvc.exe	170
PID 3592 wrote to memory of 4656	3592	DllCommonsvc.exe	170
PID 3592 wrote to memory of 3716	3592	DllCommonsvc.exe	172
PID 3592 wrote to memory of 3716	3592	DllCommonsvc.exe	172
PID 3592 wrote to memory of 4740	3592	DllCommonsvc.exe	175
PID 3592 wrote to memory of 4740	3592	DllCommonsvc.exe	175
PID 3592 wrote to memory of 1404	3592	DllCommonsvc.exe	177
PID 3592 wrote to memory of 1404	3592	DllCommonsvc.exe	177
PID 3592 wrote to memory of 3536	3592	DllCommonsvc.exe	178
PID 3592 wrote to memory of 3536	3592	DllCommonsvc.exe	178
PID 3592 wrote to memory of 4736	3592	DllCommonsvc.exe	179
PID 3592 wrote to memory of 4736	3592	DllCommonsvc.exe	179
PID 3592 wrote to memory of 3652	3592	DllCommonsvc.exe	180
PID 3592 wrote to memory of 3652	3592	DllCommonsvc.exe	180
PID 3592 wrote to memory of 324	3592	DllCommonsvc.exe	181
PID 3592 wrote to memory of 324	3592	DllCommonsvc.exe	181
PID 3592 wrote to memory of 1900	3592	DllCommonsvc.exe	194
PID 3592 wrote to memory of 1900	3592	DllCommonsvc.exe	194
PID 1900 wrote to memory of 2180	1900	csrss.exe	196
PID 1900 wrote to memory of 2180	1900	csrss.exe	196
PID 2180 wrote to memory of 3860	2180	cmd.exe	198
PID 2180 wrote to memory of 3860	2180	cmd.exe	198
PID 2180 wrote to memory of 320	2180	cmd.exe	204
PID 2180 wrote to memory of 320	2180	cmd.exe	204

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe
"C:\Users\Admin\AppData\Local\Temp\6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjLuxY44un.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1596
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\es-ES\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3860
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
        10⤵
        
        PID:5016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3712
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
        12⤵
        
        PID:4400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2916
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
        14⤵
        
        PID:4800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1748
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat"
        16⤵
        
        PID:3860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5104
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        18⤵
        
        PID:2496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1636
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        20⤵
        
        PID:1448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3120
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
        22⤵
        
        PID:4468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3220
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        24⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4772
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        26⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2468
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
        28⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1112
        
        C:\Windows\PLA\Reports\es-ES\csrss.exe
        
        "C:\Windows\PLA\Reports\es-ES\csrss.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        30⤵
        
        PID:3168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\System32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\CbsTemp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\DISM\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DISM\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Reports\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Default\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd68aef889825631ca1a3fb2cf252327

SHA1
cc27457339841d137e7dea3e87ffcfd6a2e85be3

SHA256
1fdb444cd6c884016036079e23ff3959e4defb191d9c0458cb48c7235f234d30

SHA512
af3a4fb508425a24882a641aef945c7cf6bf344793b5c4bc7a90adedd0f84e38ea6d07b4ac7e84e789acb9fbd83db814d82b25c5f508f2c940e16d7d3e2af54c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a1d5945d69caaa5ad4650aa92416db8

SHA1
fce5ff33231a7b99c4e54afac0b356aa72c86aef

SHA256
536f6c89e5a645ed4b13768d4e63be2900f010b341e04729e79c04af7af1d567

SHA512
04a94cfc967dccb836f2a51b86f861f77421f57bfc6826b00a63a86df995e0e873b38a5c930a15a173b3ea4e768776a13860206468d1bb7ec614ce93f8143cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d3e8199b4634731cf0a0c26c1f14f588

SHA1
7f8fae27eb80055a436a6b5457978f32673d9ad4

SHA256
ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a

SHA512
806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
78195d8b7a45224d9226a535bbb5748c

SHA1
6b62ab26a161747cc74d9c1286d4b8d7655eef60

SHA256
271ef485fb495ded2187d2d97fd28ba339d1d5a5bd0749c19d63ff5ade5ef41c

SHA512
912de1000c3653fb4486f5436339378a33c8937fd38d2afaedb7715160f2960636dd58c5cc3e77f72b24ca864813fb1af3537001cb01ba95404b4dbb7e358703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f6a77860cd9c5289dd6e45bbc36a982

SHA1
750d55b0d394bc5716fc3e3204975b029d3dc43b

SHA256
a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4

SHA512
e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d39ea6f9ab2ac89f0eecf4195aa92ab1

SHA1
330eceaf8a8f7f482b8efcdd909dd17fcab58861

SHA256
c43aeb94aa5a3757d5366738541991ed39ff1ad7d5b5f5644dcecd78bdc48398

SHA512
25d06b3688f9454a2b9598c9cc65f49184d743124a5723b43a4278effd95bee192e83ba7be486f5e331692d78d81e58c5cc2720aac56551dc3f90a9e81278222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
928d62b3bff6c2ba2feb3e37e7ef14a9

SHA1
904fd42ba7c22b4d785c488b3cbaf080703332ab

SHA256
c758935f8dbeb15e72d97997398eecd836a9c121cac0b768b45f291de7ad19d1

SHA512
5028139166b01ff0cf07f4cd00579bc1e23577637d057a9060019c26cc8f6a761c0d739bdccf9fd0245a90a4ee27b60fcb3e222fea61a180c9ace79ee03cd643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
203B

MD5
e4a7e943b62263ef28db44be47602fdd

SHA1
64db671314f8987b27e7266df9dfd67b64b8e415

SHA256
399e0c10f2a425045cb4190ca2d0ea6e77bc74d4af2a03995fba8af2f694a1fa

SHA512
ee6b08c221947b7142a2fefbd31e3c8a8c6382ee30c3796cd22f2d454f31b9458b97356b381aad86257700c0710540f61c8f3896ec14a4cba45cb6f5f7ee6b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat

Filesize
203B

MD5
ef5cd46e5e4dee876b2ab9a7697a60d4

SHA1
61930d0fd31db3f2373f53a5149944b4cff43ac4

SHA256
a1e8fcbc697799ab493c1571b108388844a7f97dbbf128e595634acb0e87b553

SHA512
c0d323f32c3d29b3f75d65eed01f5066f943d4465c7f11b25939005939a98963e70e8bd5516d5c526609b53ca576863f19cf215ed5d3d14c7faebb31291cd340

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

Filesize
203B

MD5
e2f6c78b6b3dcba56a6892aa7fdc7b52

SHA1
959ff80733ada8a982dffffe9ea09625ad8802d2

SHA256
5d948e1f693650e5c7ead2dfa2d4d496c01c99546c90f0ac6f4fadb5605e2684

SHA512
ebad840b150c59bff38d01dace67b2971fbebe4e41a11304e9aa2507e09d4c1b6500efe332ee5d0a63dcfda88c9079bfd7caec36549721dddb928c637d9f141b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat

Filesize
203B

MD5
390b53bb187c667c494083865f29f8d9

SHA1
d46d0b73d5d516485423084f188d012c763276f0

SHA256
220072708bd1417a313dde518511fe265e7df0519aaf57a9c163fb9ca0ef8bfd

SHA512
fb23895b62acd7f3df45e05a3dfeae8566f0ab9a0a8c9610b15c554d0a5c6ab2d6b2a2523d9e62820381e48ce1b8f8d2d18e8d73c3dd69aa304d002df91dbc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat

Filesize
203B

MD5
549dabed6815178423a6efc4fb74d97d

SHA1
18c38d30385886aa390f636943355f6cde1fa8b1

SHA256
637750adedcf68c768700a4591b3f565d1a6904ae9ef0c6bedf26565cf19f090

SHA512
babbc65a6fbd3691d4919752c3a00aa56caa75eb2c7a691e4944b0f9ca582872b17b6656e88781120ab00e436fc58f002c4921712a48164c7b373c38c7c2d4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat

Filesize
203B

MD5
be31f7c09412e714862d81319bac2a12

SHA1
43d6a36af0868eed5e5bf5ba8d75f067af42f88d

SHA256
bf489653e9e53112a6c8271da6be591927ec63b8ef8fe1c263f745818c06845f

SHA512
031533a76f389fd5c34fe4f83cfdeac56dc6ed848b09adf3643c105703f714f3c17192b48882f07c274f8bc573643e0f5de5d2f5fe93a5b2df01587291df2a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0lqxfgxp.yi5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat

Filesize
203B

MD5
027ba8f220ec490433c438c84a4d3f2b

SHA1
140e6a24d00e835a15f3fd1e0447d4e471e4d998

SHA256
d28ca9060f16222a194eafe18d976002cab978e5a80c9bffd48982d0938114c9

SHA512
9a68f5c9a7ac3f31a9f1636b57e4919d78eb3afcbd068843262370ffee892d17b85501edb79b60010c25b79eb271bb746399ee45808eb659768901109d45d750

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat

Filesize
203B

MD5
47c03185320b6d4d7ede6076a3a6e97e

SHA1
2cfbf79ce626d4f7795bd62a47f9e05e3db01514

SHA256
ea75e4aa63c3dfe90018f66e64315bc174ff913d03078aa8cc1d4bca4f94bbdc

SHA512
cab0f064f19ecc1154ac172988990685b749441fc0ad2808f62883a2c387f28254696fe375369f3035d00dfa582f2fd7b1dc37e5ffa8262e94b8825e5b527607

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
203B

MD5
1ef7510bfe855505cbe74547e538d9c8

SHA1
6721b6e62afa5bbb05bb9d94958ab148013f787a

SHA256
b2380eddfa4699a8996233d6e13df3b6a24203059e096142277dc004526ad980

SHA512
c9111544e39043d914a22a892c7a85c1b09304ac3ae0ad1f04396a2342686646c6197877966de17313e04469dc677297906d05908dee9c1e6ddd415274fc710e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjLuxY44un.bat

Filesize
199B

MD5
0fa0479de9acc566d5a600113bf59aa2

SHA1
5f3811f8f8e8b324eb6fa9856efe736a3e96c8b1

SHA256
f311bb2043e00e4dc8591536fa8dc598c9fe52536d3f8a252974a11a2388a6ca

SHA512
a2cfeaac5f29b35b472f2ed7d96af99191fc419780c8fcab0cf26f53f19125cc3dee71f63e7cfdcaeabc4740619f387c9c52d980a2709931ef8c14500f47413e

Download Submit
C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat

Filesize
203B

MD5
d786e6798d1a50dd983ea3ab7927cb91

SHA1
46332598bd792ce6f0e303978f62fd56ac7a1aab

SHA256
4c646827a6a5755faf77af43a8711041d25c036cb0afe32e701ca4189709f1f2

SHA512
ce858f955ba5a1157cd1d548b5d0d368e5ffa687d522bed24b43022f3dbe83aab0dd81700e40458688870065a0161970fcc4fad736de6099f04bb92eed03c362

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
203B

MD5
3170d25983b3fef57a4324455b7b2745

SHA1
9bf021305e65d127a11abfee11c3b0558d24aaa5

SHA256
5798b231c82567355a312cfa00a37839b23aca361993cee39f0656e347971d67

SHA512
2812fa66f0a94829ceedb11ca2cd9754878db80db70ea516c5f8a78cb313b9f37aa28ba50605c07ff054344cf44e6c9982e52ceb0604ad3e17957bfdaafcc39c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/320-319-0x000000001D210000-0x000000001D312000-memory.dmp

Filesize
1.0MB

Download
memory/1016-376-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/1136-16-0x0000000002590000-0x000000000259C000-memory.dmp

Filesize
48KB

Download
memory/1136-13-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/1136-14-0x0000000002580000-0x0000000002592000-memory.dmp

Filesize
72KB

Download
memory/1136-17-0x00000000025B0000-0x00000000025BC000-memory.dmp

Filesize
48KB

Download
memory/1136-15-0x00000000025A0000-0x00000000025AC000-memory.dmp

Filesize
48KB

Download
memory/1136-12-0x00007FFA96613000-0x00007FFA96615000-memory.dmp

Filesize
8KB

Download
memory/1324-326-0x000000001D100000-0x000000001D202000-memory.dmp

Filesize
1.0MB

Download
memory/1400-383-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/2312-340-0x000000001D400000-0x000000001D502000-memory.dmp

Filesize
1.0MB

Download
memory/2384-333-0x000000001D300000-0x000000001D402000-memory.dmp

Filesize
1.0MB

Download
memory/2752-349-0x000000001CD00000-0x000000001CE02000-memory.dmp

Filesize
1.0MB

Download
memory/2752-344-0x000000001CD00000-0x000000001CE02000-memory.dmp

Filesize
1.0MB

Download
memory/2752-343-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/4976-36-0x00000218E3040000-0x00000218E3062000-memory.dmp

Filesize
136KB

Download