dcrat | 62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8.exe
Size

1.3MB
MD5

33e9d845b2ada02d77b8bad8b09bb8ae
SHA1

fc838751c1a504f679475aed16c9f5e7909e8b9c
SHA256

62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8
SHA512

cc687e1f3d46dc95b2e035a9e8e7e828ae4ca3a156a70dfa1f2c85336cbb941ce491f711945398c17be1076ff9e7b71448ecf88c6281645f5213778641f95d93
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1640	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	1640	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c9b-10.dat	dcrat
behavioral2/memory/4628-13-0x0000000000990000-0x0000000000AA0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2888	powershell.exe
4808	powershell.exe
4888	powershell.exe
4128	powershell.exe
4884	powershell.exe
912	powershell.exe
1012	powershell.exe
4472	powershell.exe
3576	powershell.exe
2412	powershell.exe
3304	powershell.exe
2984	powershell.exe
988	powershell.exe
756	powershell.exe
4376	powershell.exe
1176	powershell.exe
3116	powershell.exe
4956	powershell.exe
2624	powershell.exe
4872	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 13 IoCs

pid	Process
4628	DllCommonsvc.exe
1280	fontdrvhost.exe
5152	fontdrvhost.exe
3236	fontdrvhost.exe
5672	fontdrvhost.exe
5964	fontdrvhost.exe
2400	fontdrvhost.exe
4552	fontdrvhost.exe
4012	fontdrvhost.exe
4736	fontdrvhost.exe
4872	fontdrvhost.exe
5176	fontdrvhost.exe
5524	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
20	raw.githubusercontent.com
38	raw.githubusercontent.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
56	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com
39	raw.githubusercontent.com
52	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Download\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\sysmon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\taskhostw.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\Settings\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\ImmersiveControlPanel\Settings\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\debug\sysmon.exe	DllCommonsvc.exe
File created	C:\Windows\debug\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\upfc.exe	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	JaffaCakes118_62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4204	schtasks.exe
4688	schtasks.exe
3916	schtasks.exe
4828	schtasks.exe
960	schtasks.exe
1652	schtasks.exe
2644	schtasks.exe
1308	schtasks.exe
1376	schtasks.exe
2204	schtasks.exe
2144	schtasks.exe
2924	schtasks.exe
1328	schtasks.exe
2120	schtasks.exe
1324	schtasks.exe
2248	schtasks.exe
4144	schtasks.exe
4072	schtasks.exe
4708	schtasks.exe
4716	schtasks.exe
2080	schtasks.exe
1284	schtasks.exe
1848	schtasks.exe
4228	schtasks.exe
1380	schtasks.exe
5028	schtasks.exe
2020	schtasks.exe
4244	schtasks.exe
716	schtasks.exe
3632	schtasks.exe
2836	schtasks.exe
4876	schtasks.exe
5020	schtasks.exe
1112	schtasks.exe
3000	schtasks.exe
2900	schtasks.exe
2068	schtasks.exe
4008	schtasks.exe
3972	schtasks.exe
4560	schtasks.exe
1924	schtasks.exe
2400	schtasks.exe
788	schtasks.exe
5040	schtasks.exe
1764	schtasks.exe
5008	schtasks.exe
4760	schtasks.exe
1136	schtasks.exe
4080	schtasks.exe
4980	schtasks.exe
1804	schtasks.exe
2812	schtasks.exe
2024	schtasks.exe
5012	schtasks.exe
432	schtasks.exe
3572	schtasks.exe
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4628	DllCommonsvc.exe
4128	powershell.exe
4128	powershell.exe
4472	powershell.exe
4472	powershell.exe
988	powershell.exe
988	powershell.exe
2888	powershell.exe
2888	powershell.exe
1012	powershell.exe
1012	powershell.exe
2412	powershell.exe
2412	powershell.exe
2984	powershell.exe
2984	powershell.exe
4956	powershell.exe
4956	powershell.exe
1176	powershell.exe
1176	powershell.exe
3576	powershell.exe
3576	powershell.exe
2624	powershell.exe
2624	powershell.exe
4888	powershell.exe
4888	powershell.exe
4376	powershell.exe
4376	powershell.exe
3304	powershell.exe
3304	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	DllCommonsvc.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	1280	fontdrvhost.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	5152	fontdrvhost.exe
Token: SeDebugPrivilege	3236	fontdrvhost.exe
Token: SeDebugPrivilege	5672	fontdrvhost.exe
Token: SeDebugPrivilege	5964	fontdrvhost.exe
Token: SeDebugPrivilege	2400	fontdrvhost.exe
Token: SeDebugPrivilege	4552	fontdrvhost.exe
Token: SeDebugPrivilege	4012	fontdrvhost.exe
Token: SeDebugPrivilege	4736	fontdrvhost.exe
Token: SeDebugPrivilege	4872	fontdrvhost.exe
Token: SeDebugPrivilege	5176	fontdrvhost.exe
Token: SeDebugPrivilege	5524	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 668	1180	JaffaCakes118_62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8.exe	82
PID 1180 wrote to memory of 668	1180	JaffaCakes118_62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8.exe	82
PID 1180 wrote to memory of 668	1180	JaffaCakes118_62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8.exe	82
PID 668 wrote to memory of 3932	668	WScript.exe	83
PID 668 wrote to memory of 3932	668	WScript.exe	83
PID 668 wrote to memory of 3932	668	WScript.exe	83
PID 3932 wrote to memory of 4628	3932	cmd.exe	85
PID 3932 wrote to memory of 4628	3932	cmd.exe	85
PID 4628 wrote to memory of 756	4628	DllCommonsvc.exe	144
PID 4628 wrote to memory of 756	4628	DllCommonsvc.exe	144
PID 4628 wrote to memory of 4872	4628	DllCommonsvc.exe	145
PID 4628 wrote to memory of 4872	4628	DllCommonsvc.exe	145
PID 4628 wrote to memory of 2412	4628	DllCommonsvc.exe	146
PID 4628 wrote to memory of 2412	4628	DllCommonsvc.exe	146
PID 4628 wrote to memory of 912	4628	DllCommonsvc.exe	147
PID 4628 wrote to memory of 912	4628	DllCommonsvc.exe	147
PID 4628 wrote to memory of 4376	4628	DllCommonsvc.exe	148
PID 4628 wrote to memory of 4376	4628	DllCommonsvc.exe	148
PID 4628 wrote to memory of 3304	4628	DllCommonsvc.exe	149
PID 4628 wrote to memory of 3304	4628	DllCommonsvc.exe	149
PID 4628 wrote to memory of 2888	4628	DllCommonsvc.exe	150
PID 4628 wrote to memory of 2888	4628	DllCommonsvc.exe	150
PID 4628 wrote to memory of 1012	4628	DllCommonsvc.exe	151
PID 4628 wrote to memory of 1012	4628	DllCommonsvc.exe	151
PID 4628 wrote to memory of 2984	4628	DllCommonsvc.exe	152
PID 4628 wrote to memory of 2984	4628	DllCommonsvc.exe	152
PID 4628 wrote to memory of 4808	4628	DllCommonsvc.exe	153
PID 4628 wrote to memory of 4808	4628	DllCommonsvc.exe	153
PID 4628 wrote to memory of 4472	4628	DllCommonsvc.exe	154
PID 4628 wrote to memory of 4472	4628	DllCommonsvc.exe	154
PID 4628 wrote to memory of 988	4628	DllCommonsvc.exe	155
PID 4628 wrote to memory of 988	4628	DllCommonsvc.exe	155
PID 4628 wrote to memory of 1176	4628	DllCommonsvc.exe	156
PID 4628 wrote to memory of 1176	4628	DllCommonsvc.exe	156
PID 4628 wrote to memory of 3116	4628	DllCommonsvc.exe	157
PID 4628 wrote to memory of 3116	4628	DllCommonsvc.exe	157
PID 4628 wrote to memory of 4888	4628	DllCommonsvc.exe	158
PID 4628 wrote to memory of 4888	4628	DllCommonsvc.exe	158
PID 4628 wrote to memory of 4128	4628	DllCommonsvc.exe	159
PID 4628 wrote to memory of 4128	4628	DllCommonsvc.exe	159
PID 4628 wrote to memory of 3576	4628	DllCommonsvc.exe	160
PID 4628 wrote to memory of 3576	4628	DllCommonsvc.exe	160
PID 4628 wrote to memory of 4956	4628	DllCommonsvc.exe	161
PID 4628 wrote to memory of 4956	4628	DllCommonsvc.exe	161
PID 4628 wrote to memory of 2624	4628	DllCommonsvc.exe	162
PID 4628 wrote to memory of 2624	4628	DllCommonsvc.exe	162
PID 4628 wrote to memory of 4884	4628	DllCommonsvc.exe	163
PID 4628 wrote to memory of 4884	4628	DllCommonsvc.exe	163
PID 4628 wrote to memory of 1280	4628	DllCommonsvc.exe	183
PID 4628 wrote to memory of 1280	4628	DllCommonsvc.exe	183
PID 1280 wrote to memory of 4556	1280	fontdrvhost.exe	185
PID 1280 wrote to memory of 4556	1280	fontdrvhost.exe	185
PID 4556 wrote to memory of 2240	4556	cmd.exe	187
PID 4556 wrote to memory of 2240	4556	cmd.exe	187
PID 4556 wrote to memory of 5152	4556	cmd.exe	190
PID 4556 wrote to memory of 5152	4556	cmd.exe	190
PID 5152 wrote to memory of 5524	5152	fontdrvhost.exe	193
PID 5152 wrote to memory of 5524	5152	fontdrvhost.exe	193
PID 5524 wrote to memory of 532	5524	cmd.exe	195
PID 5524 wrote to memory of 532	5524	cmd.exe	195
PID 5524 wrote to memory of 3236	5524	cmd.exe	198
PID 5524 wrote to memory of 3236	5524	cmd.exe	198
PID 3236 wrote to memory of 2020	3236	fontdrvhost.exe	201
PID 3236 wrote to memory of 2020	3236	fontdrvhost.exe	201

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62c76567a5f3335768312a4da0fb800ad8ab7963f65e27cc229f5c328f4883e8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\Settings\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Download\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
    - - C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2240
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:532
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
        10⤵
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2688
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
        12⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5632
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
        14⤵
        
        PID:3112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2780
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        16⤵
        
        PID:1492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4492
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        18⤵
        
        PID:5760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4440
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        20⤵
        
        PID:5644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4996
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
        22⤵
        
        PID:960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4716
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
        24⤵
        
        PID:3508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:5428
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
        26⤵
        
        PID:5408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3972
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
        28⤵
        
        PID:4312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:5688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\ImmersiveControlPanel\Settings\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\ImmersiveControlPanel\Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Download\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Download\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\SIGNUP\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\SIGNUP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Roaming\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\Roaming\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\SKB\LanguageModels\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\SKB\LanguageModels\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
198B

MD5
32400db8f5e9f0878c4badfa0df0bce9

SHA1
c9788d0c2534371ca7ac5add1b43edddf24b5c62

SHA256
c943cff19147f2986327a4d92474f3ebbbc50e099315d5b0fa77f5cb19c1c828

SHA512
33c3c1be6f2c34745b71f7c21d7de479deb1fdf784b244877447647044c5cacae2dc68617cfe5299cae4ca8b35e558356d6a9e15783c6aa1816656b3b45951ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

Filesize
198B

MD5
5bc1d88621987b32718e8c00ad31b2cb

SHA1
3b0ffa98f664c6043052a3047333f39968f84a07

SHA256
baae63d8a38bceb6ed01839cf4db7ae75facf6bcc978bf7847435795c56555ad

SHA512
54a04a45df116caed0386f0e57951cded594b6e007a1cd262f5b15e3bac612caa2eef4517aac041e92670cbf2a29345743ddce30f3fa015130a96404366b0611

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

Filesize
198B

MD5
403bea719d27aefdad9faffdc2486599

SHA1
8187ee4d6538e0d1bd66d7cac34360ea36596f10

SHA256
964c94e610a2c9ee219997ad2ea539ca4545eea4e95b71cca4f1258800568fcc

SHA512
9e5e031358e29f4cc5966fb8276d0134993ef91fd4c1de618dde3cda8413b72dfdf4dabb1b6e10f6e1802a312a063ad0ffa02ab77249adea30951090781e3942

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

Filesize
198B

MD5
f5ef1d409e59f6526232387e79592d94

SHA1
15d0034ca2128cab970a22eb6d91cc7c607f0fe1

SHA256
33398c40d3fa539200bf0ec28e6b016bda25c81b0edd203a58661c98cf6a2772

SHA512
c662595069a2bde57adba01203ba354d540188e2eb4ec1f4bc09bf192252be4c9ec53bee6deb348e4679c7ac2f9ae9e79d44f726acaf7a8e3cdaeed5f3aaacb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

Filesize
198B

MD5
9a671a314e99b5d8a9781ac624995eff

SHA1
ba9a7b967fc1d41ac6c43535982ad71694794531

SHA256
a34b04ee202b5666bbea0c391aed63e5ac72b273a6a61eb9eec4300a9c4af599

SHA512
3a2dfbb7be8594f82d5595455e55839b3ab98ebb5e91adbc3a62385bb769ea8ec201b87d73aa3bfc37b1c84c9b1a50bd4a67cfa617d0ac9ed7033d3ce715bc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

Filesize
198B

MD5
9d553201cda3d67cd2d4993afed1a0e9

SHA1
078039a7c8611ef22fca396898ce8641d5e4992c

SHA256
a36195bc49c05e1e2a65b28c6370283ca4e2a0475c3dee1f3c91e6d166d80f49

SHA512
324e1af4c99a2ab82c3153bd4503b242084552494355f31738f6036bbd49ffadd07941639eed5902af237f96d1570feaeca52c86134685c6e455d390866773bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eboiu10k.t4r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

Filesize
198B

MD5
f4a545bc5b6cdfb5031b6d439c3dd091

SHA1
d05f5dc4dbc2eadf6ffd42e86ac1dae7c36a655e

SHA256
f75a3f364cd02bd3cc73057b94f6ec752d12123a1880285de49f7f7134442d25

SHA512
79b4fa5e4d8c5380d16929bfff6be0729a533496327e3184d4dc3cc78ec2cef9acbd5bdbdc001752ccf6e94ae5d67821a4fefd1e1648f0352aeccc8be3cd593b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

Filesize
198B

MD5
24e15daa51b48127308f794e81f6fad3

SHA1
12aa12b0e974f51b35f5321df10a3820f663b00e

SHA256
f356dc56c9f62c2796290dac46674e10a6e5193a02182e3dab3b8176de4d065c

SHA512
90afd88029c5a2256b2a84b4ee889240e2fa965fb8153fb413b9aba61fccceda904e410e72acbf9479afe5dab2b28ce3529c95c40c86b933f7a5d47b302b85fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat

Filesize
198B

MD5
1af6ce2816aa2f1506b9c5a06f486ed8

SHA1
73d8674363f94c4d7e7e2832fcb7347eee4ac3c9

SHA256
6233fedd95c0afcecd071dc79aec2696bd6730c1976c1bd186700d81955f9bf0

SHA512
6d75a9e6f5dff3db5fa646670067e20b2b0689ee2d7fa47f3ce0994dc21991008cf17fe9e161ca159745163bc55d2e48e18f031a245e7e5f3dbd537810c4b1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
198B

MD5
c6f4675563c28b198efd1a4b0e1bcf71

SHA1
1ec1b708c235320d9a4ca125f4ab170ff05af20c

SHA256
fb7e6c184adb3157f3b5c6396f45e226e1c65206392ff9a809026308116a0712

SHA512
0a58e2c3f79d0ea536a37f7a6212151a550e9c6d69cdaa59592327a0fe3392c29906be6c22dd2f2bb49ecb3059eff1251758fa21f8429df245d691f87a3b47d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
198B

MD5
ce933687c53bbfa85c793cc218f028b5

SHA1
50fede5a77764f0ceaeca30a393dedb931efdc98

SHA256
3ce729b20c3af845088f6cd0fed281da8e0559ed1662bcc97b56c2c70a409253

SHA512
37e5843a0fb6a176163546c253fefb343c49bd052adb4868bbc78b4bfdf8e1ffc8ed45beeb27cd7e9d6b3a7fbd7b1bf8545e21093d1348cc8757f3bd215be898

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2400-323-0x0000000002F80000-0x0000000002F92000-memory.dmp

Filesize
72KB

Download
memory/3236-303-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/4128-76-0x0000022AEB460000-0x0000022AEB482000-memory.dmp

Filesize
136KB

Download
memory/4628-14-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/4628-12-0x00007FF989533000-0x00007FF989535000-memory.dmp

Filesize
8KB

Download
memory/4628-13-0x0000000000990000-0x0000000000AA0000-memory.dmp

Filesize
1.1MB

Download
memory/4628-15-0x000000001B6A0000-0x000000001B6AC000-memory.dmp

Filesize
48KB

Download
memory/4628-16-0x0000000002BB0000-0x0000000002BBC000-memory.dmp

Filesize
48KB

Download
memory/4628-17-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/5176-354-0x0000000001530000-0x0000000001542000-memory.dmp

Filesize
72KB

Download
memory/5524-361-0x0000000003060000-0x0000000003072000-memory.dmp

Filesize
72KB

Download
memory/5672-310-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download