dcrat | 88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe
Size

1.3MB
MD5

f668dc616f071b2c96af3e0d2b9a867b
SHA1

2c063fed00886dc3be0018698066c93fb14e9b57
SHA256

88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a
SHA512

ab40d505c5627d32091d6a982207b7080a0cbc2d3b19beee794f82a96aecc1b0da87c3bfb77a27ccdca515e4009cbd7207691be2a8e5bfcb4e27cd475b431460
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	2996	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2996	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b7a-10.dat	dcrat
behavioral2/memory/2580-13-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
2876	powershell.exe
2180	powershell.exe
3244	powershell.exe
3368	powershell.exe
3932	powershell.exe
1696	powershell.exe
3600	powershell.exe
1420	powershell.exe
3460	powershell.exe
3120	powershell.exe
3636	powershell.exe
1228	powershell.exe
4184	powershell.exe
976	powershell.exe
4960	powershell.exe
4268	powershell.exe
676	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe

Executes dropped EXE 14 IoCs

pid	Process
2580	DllCommonsvc.exe
2856	upfc.exe
3152	upfc.exe
3732	upfc.exe
4708	upfc.exe
4404	upfc.exe
3932	upfc.exe
4988	upfc.exe
4024	upfc.exe
4420	upfc.exe
2848	upfc.exe
5100	upfc.exe
4936	upfc.exe
4580	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
40	raw.githubusercontent.com
47	raw.githubusercontent.com
54	raw.githubusercontent.com
53	raw.githubusercontent.com
55	raw.githubusercontent.com
25	raw.githubusercontent.com
39	raw.githubusercontent.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
52	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\ModifiableWindowsApps\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\e1ef82546f0b02	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Web\Screen\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Screen\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Windows\uk-UA\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\uk-UA\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1332	schtasks.exe
2564	schtasks.exe
60	schtasks.exe
1700	schtasks.exe
1196	schtasks.exe
1264	schtasks.exe
2232	schtasks.exe
1004	schtasks.exe
216	schtasks.exe
3704	schtasks.exe
3736	schtasks.exe
4044	schtasks.exe
3968	schtasks.exe
4868	schtasks.exe
2856	schtasks.exe
220	schtasks.exe
2040	schtasks.exe
4636	schtasks.exe
3160	schtasks.exe
644	schtasks.exe
244	schtasks.exe
5112	schtasks.exe
2416	schtasks.exe
64	schtasks.exe
3812	schtasks.exe
3676	schtasks.exe
1564	schtasks.exe
3456	schtasks.exe
2560	schtasks.exe
2336	schtasks.exe
1600	schtasks.exe
516	schtasks.exe
5092	schtasks.exe
3468	schtasks.exe
1460	schtasks.exe
3332	schtasks.exe
4004	schtasks.exe
2664	schtasks.exe
1852	schtasks.exe
3080	schtasks.exe
3588	schtasks.exe
1464	schtasks.exe
3936	schtasks.exe
1632	schtasks.exe
1608	schtasks.exe
3060	schtasks.exe
2052	schtasks.exe
728	schtasks.exe
1752	schtasks.exe
1468	schtasks.exe
3300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
2580	DllCommonsvc.exe
4268	powershell.exe
4268	powershell.exe
2180	powershell.exe
2180	powershell.exe
676	powershell.exe
676	powershell.exe
3368	powershell.exe
3368	powershell.exe
1228	powershell.exe
1228	powershell.exe
976	powershell.exe
976	powershell.exe
3460	powershell.exe
3460	powershell.exe
3120	powershell.exe
3120	powershell.exe
4184	powershell.exe
4184	powershell.exe
1696	powershell.exe
1696	powershell.exe
3636	powershell.exe
3636	powershell.exe
2876	powershell.exe
2876	powershell.exe
3600	powershell.exe
3600	powershell.exe
4960	powershell.exe
4960	powershell.exe
1420	powershell.exe
1420	powershell.exe
4268	powershell.exe
4268	powershell.exe
3244	powershell.exe
3244	powershell.exe
3932	powershell.exe
3932	powershell.exe
1688	powershell.exe
1688	powershell.exe
2856	upfc.exe
2856	upfc.exe
1688	powershell.exe
2180	powershell.exe
1228	powershell.exe
1696	powershell.exe
676	powershell.exe
976	powershell.exe
3460	powershell.exe
4184	powershell.exe
3120	powershell.exe
3368	powershell.exe
1420	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	DllCommonsvc.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	2856	upfc.exe
Token: SeDebugPrivilege	3152	upfc.exe
Token: SeDebugPrivilege	3732	upfc.exe
Token: SeDebugPrivilege	4708	upfc.exe
Token: SeDebugPrivilege	4404	upfc.exe
Token: SeDebugPrivilege	3932	upfc.exe
Token: SeDebugPrivilege	4988	upfc.exe
Token: SeDebugPrivilege	4024	upfc.exe
Token: SeDebugPrivilege	4420	upfc.exe
Token: SeDebugPrivilege	2848	upfc.exe
Token: SeDebugPrivilege	5100	upfc.exe
Token: SeDebugPrivilege	4936	upfc.exe
Token: SeDebugPrivilege	4580	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 1864	4504	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe	82
PID 4504 wrote to memory of 1864	4504	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe	82
PID 4504 wrote to memory of 1864	4504	88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe	82
PID 1864 wrote to memory of 5008	1864	WScript.exe	83
PID 1864 wrote to memory of 5008	1864	WScript.exe	83
PID 1864 wrote to memory of 5008	1864	WScript.exe	83
PID 5008 wrote to memory of 2580	5008	cmd.exe	85
PID 5008 wrote to memory of 2580	5008	cmd.exe	85
PID 2580 wrote to memory of 4268	2580	DllCommonsvc.exe	138
PID 2580 wrote to memory of 4268	2580	DllCommonsvc.exe	138
PID 2580 wrote to memory of 2180	2580	DllCommonsvc.exe	139
PID 2580 wrote to memory of 2180	2580	DllCommonsvc.exe	139
PID 2580 wrote to memory of 1228	2580	DllCommonsvc.exe	140
PID 2580 wrote to memory of 1228	2580	DllCommonsvc.exe	140
PID 2580 wrote to memory of 1696	2580	DllCommonsvc.exe	141
PID 2580 wrote to memory of 1696	2580	DllCommonsvc.exe	141
PID 2580 wrote to memory of 3244	2580	DllCommonsvc.exe	142
PID 2580 wrote to memory of 3244	2580	DllCommonsvc.exe	142
PID 2580 wrote to memory of 676	2580	DllCommonsvc.exe	143
PID 2580 wrote to memory of 676	2580	DllCommonsvc.exe	143
PID 2580 wrote to memory of 1688	2580	DllCommonsvc.exe	144
PID 2580 wrote to memory of 1688	2580	DllCommonsvc.exe	144
PID 2580 wrote to memory of 4184	2580	DllCommonsvc.exe	145
PID 2580 wrote to memory of 4184	2580	DllCommonsvc.exe	145
PID 2580 wrote to memory of 976	2580	DllCommonsvc.exe	146
PID 2580 wrote to memory of 976	2580	DllCommonsvc.exe	146
PID 2580 wrote to memory of 3368	2580	DllCommonsvc.exe	147
PID 2580 wrote to memory of 3368	2580	DllCommonsvc.exe	147
PID 2580 wrote to memory of 4960	2580	DllCommonsvc.exe	148
PID 2580 wrote to memory of 4960	2580	DllCommonsvc.exe	148
PID 2580 wrote to memory of 3600	2580	DllCommonsvc.exe	149
PID 2580 wrote to memory of 3600	2580	DllCommonsvc.exe	149
PID 2580 wrote to memory of 1420	2580	DllCommonsvc.exe	155
PID 2580 wrote to memory of 1420	2580	DllCommonsvc.exe	155
PID 2580 wrote to memory of 3460	2580	DllCommonsvc.exe	162
PID 2580 wrote to memory of 3460	2580	DllCommonsvc.exe	162
PID 2580 wrote to memory of 3120	2580	DllCommonsvc.exe	163
PID 2580 wrote to memory of 3120	2580	DllCommonsvc.exe	163
PID 2580 wrote to memory of 3636	2580	DllCommonsvc.exe	164
PID 2580 wrote to memory of 3636	2580	DllCommonsvc.exe	164
PID 2580 wrote to memory of 3932	2580	DllCommonsvc.exe	165
PID 2580 wrote to memory of 3932	2580	DllCommonsvc.exe	165
PID 2580 wrote to memory of 2876	2580	DllCommonsvc.exe	167
PID 2580 wrote to memory of 2876	2580	DllCommonsvc.exe	167
PID 2580 wrote to memory of 2856	2580	DllCommonsvc.exe	174
PID 2580 wrote to memory of 2856	2580	DllCommonsvc.exe	174
PID 2856 wrote to memory of 4688	2856	upfc.exe	179
PID 2856 wrote to memory of 4688	2856	upfc.exe	179
PID 4688 wrote to memory of 2748	4688	cmd.exe	181
PID 4688 wrote to memory of 2748	4688	cmd.exe	181
PID 4688 wrote to memory of 3152	4688	cmd.exe	184
PID 4688 wrote to memory of 3152	4688	cmd.exe	184
PID 3152 wrote to memory of 1428	3152	upfc.exe	185
PID 3152 wrote to memory of 1428	3152	upfc.exe	185
PID 1428 wrote to memory of 3888	1428	cmd.exe	187
PID 1428 wrote to memory of 3888	1428	cmd.exe	187
PID 1428 wrote to memory of 3732	1428	cmd.exe	189
PID 1428 wrote to memory of 3732	1428	cmd.exe	189
PID 3732 wrote to memory of 1980	3732	upfc.exe	191
PID 3732 wrote to memory of 1980	3732	upfc.exe	191
PID 1980 wrote to memory of 2548	1980	cmd.exe	193
PID 1980 wrote to memory of 2548	1980	cmd.exe	193
PID 1980 wrote to memory of 4708	1980	cmd.exe	194
PID 1980 wrote to memory of 4708	1980	cmd.exe	194

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe
"C:\Users\Admin\AppData\Local\Temp\88739398ffebafc2a948effe84d7986db68565212418e2e4148967e9b908757a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Screen\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2748
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3888
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2548
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
        12⤵
        
        PID:4360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4500
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        14⤵
        
        PID:1196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3880
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"
        16⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4448
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
        18⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1464
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
        20⤵
        
        PID:384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4460
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        22⤵
        
        PID:4316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:660
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        24⤵
        
        PID:4940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4492
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        26⤵
        
        PID:1172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3380
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
        28⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2092
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\7-Zip\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\uk-UA\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\uk-UA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\uk-UA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech_OneCore\Engines\SR\es-ES-N\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Videos\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Screen\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Web\Screen\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Screen\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
291B

MD5
84a5397257302d83c3812f7ee8169465

SHA1
04f0bfd3bc952d44fbbc2a5c973cc20aad3e5651

SHA256
6814b5179c4110914600f4df5e107dbcb033185225c90061165cd7c8e3837a99

SHA512
96abd03099af0dfc1e23b408252eee6299013a6a40cf1d613a065b49a9785ed19c0b6b67ad23dc23b3f4c2ca218bcd0f66c36b19e380d8d6735d9976a41fbb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat

Filesize
195B

MD5
069955dab8101bf679eedf0ffe80bd92

SHA1
d7e8fa3207f5a87bcd6cb007f863e818c246fccd

SHA256
1099eeacab438709087fe69fd90a6b267fb1e328dfc0e4fbee825a456acfbdc9

SHA512
a97a80acb2500be7b02fa1445b02ba1543e4bbdf6110e514666c00c017a9cae481d23906caf52c7c389f7f73cd6fb601712c6ec1766ee14b6ce816c84c611d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat

Filesize
195B

MD5
25a2ea8066f3971d5a5a6686d0852dc8

SHA1
08af8c294df690c0b8442c6d78ef8ce94caba22f

SHA256
906350cf0f3693ba562b6668538e920bd3cf791f0dcd66824bf779d4e68bbe70

SHA512
71e0c81bef1d7b899ca6f3345f1cfe331ad016c225feb37ae6afa6701fbd0db9aa149d169db45c4df1e9f437be2e7e706922b503675ee83ff81ba72b6e048bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat

Filesize
195B

MD5
012ca8c7a6829221f1e96fb397e62ee4

SHA1
567bd79c7032b681fe0fc0891279f02cbbf7f117

SHA256
9c78e7e8d9b6e5a02e8156fdda563c99f949c5471e54bf01b4c65153c74752d8

SHA512
986af193499417d00d0229482212f094b3a650b484c3d2c9ca5ee4e7c9a5610ba0af251199bc1f9a09f57f80d9fc1409d45a126213b0831710a1d28bab2385a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
195B

MD5
24906768f6234a7ca2b352978ff70431

SHA1
051dbf03eff6c7b2161d327efa3460208aa30121

SHA256
e9c5f0f27b0c8aacc841c0f7d6506dd1f1981f77b29e58dcdf170069379b22ac

SHA512
8e07b9d9aa14382530643f6c26057f82c403adc77e6584dabfb9ed81b25a7c2b5261b7dd758682247058ed08fedb7a52a4a70b7b4bad8027fe5933326e90a2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
195B

MD5
216e7565139e32a721406210dcf30687

SHA1
a63316ceb3b2657146ef8f5c842271600e8fddc3

SHA256
894862d8435f8311797935b144116c6f8bea7fb7165813fef4e4d7064dbd879a

SHA512
caafcfc1d8e87bb25cb228d931a57ad770280addeb739a7c66dc11b2ab48693dcaa384897380ee78a0b79c59d3587d882c0b086f672c271f2766eeb6ddde997a

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

Filesize
195B

MD5
0a0e2d0dfae4d7b7e8156c13d22e7f6b

SHA1
3d6a174304a01e8237906bb0c790f78c9c135e12

SHA256
ceb64d01565d9ef180cca36e93da3d1312b490c2c7d4ca161a8d849d4ec15805

SHA512
6a65df79da7bfbcb76e0071d57582615022d6a6332ebfcbdb9a7e7ed3dc5f208e664f365261a96aa2969f236adf6586a2d8a1d043f2c48da779d169a20082ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klkirog3.2ga.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
195B

MD5
b65248756a958b5e5c20f4407d4ce943

SHA1
8b225d694d833805dbcd886c10e85925eb462918

SHA256
2c9e012f5514a88bc6a83d94f6f07bf98ac3a0719a4d7fd21749bdce1350a806

SHA512
55f0d15d0f2f7dcf4aec109a502248cfe94b6e4dfde62d72fdcaab337f5e0827044627491b9deedd97f02d72fd7afabe65aca22067fc22a96ecb5850db10f07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
195B

MD5
d74869b8ea6082a7bb299071f586e474

SHA1
f81dcb872acd2c6cb4a308231c2671a2c48c349f

SHA256
28ba7123ed0884d1b82d5293a1e2b1fd0b765167d01d8b2175648a3bec0cf92c

SHA512
213fc387337c2b3e13d2c5d321ab7d152cc14981095162a86d90beebfa6d6f810db9aa98a8697872fb974402c258cf1750cb085932ff1dbee5cfbe19c264a90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
195B

MD5
216e9984ab1cf3382316951bd17d3f2b

SHA1
b683e33635f3ee8fb1a15bf9a47a70c99cc19c14

SHA256
9ed82f9ab835851d6b51c9fb06487773d98349e7274e4b1b84cbba7e7d685107

SHA512
1ed0c06cb8ba3e05b98d6aab6957778e1b8be91efb693568d3e37e07ae5a031aeaf0535b086852c24b075d264e98be2312b4468cedf4179fa72d913fbffaffc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat

Filesize
195B

MD5
cf8e0d47c3e6b547df6132f86c3af19f

SHA1
91ec70550eb1960a81f69757ebf5fe65d2ff424c

SHA256
54a951cec11b032cfc37a28a004ca16b0d1c653871a95a5ccacd0a187d6880ac

SHA512
a3777e08a960136dacd09d68cbb2b669397afae4d0ef884312bc688721441901223e36b34e39e80a327bbb980f9b1de942457a1598c4e30118fc435858cf6b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat

Filesize
195B

MD5
6ec225a9032cd335fd69472ffc485ca5

SHA1
27bb502d2b4a1a03a574d6c1fe7599fe2cdb7b13

SHA256
e46a932e51e8c223a7eb2f1e2883eab361ea46b5c796a6ac4346c63da6c77d38

SHA512
bb5cf15e4c72455312f74ce05a730ed9e7cd8a46a0a71da27fe04b0d4201bf3dffbdae700dd7701c6de620cef6fe609d2586da7810f4c644252dbd73ae9d782f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1696-69-0x00000163DCC20000-0x00000163DCC42000-memory.dmp

Filesize
136KB

Download
memory/2580-13-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/2580-14-0x00000000016A0000-0x00000000016B2000-memory.dmp

Filesize
72KB

Download
memory/2580-15-0x00000000016B0000-0x00000000016BC000-memory.dmp

Filesize
48KB

Download
memory/2580-16-0x0000000002F70000-0x0000000002F7C000-memory.dmp

Filesize
48KB

Download
memory/2580-17-0x0000000002F80000-0x0000000002F8C000-memory.dmp

Filesize
48KB

Download
memory/2580-12-0x00007FFCFCD53000-0x00007FFCFCD55000-memory.dmp

Filesize
8KB

Download
memory/2856-187-0x0000000001670000-0x0000000001682000-memory.dmp

Filesize
72KB

Download
memory/4420-312-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download