dcrat | 0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993.exe
Size

1.3MB
MD5

d9bfb64c5275f93e557fedf9b1994f6c
SHA1

e00cd8b23a3c520537337abc480ecb36aa729ad6
SHA256

0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993
SHA512

beca037a27682ec1a1fcd4b01da95f1057d63aecd13b045fa0b2c52cbc092f7bda079583149427bd8dbabf708f436d8911ac5e7e34aa6f39cc10bd4c5410d51a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1284	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	1284	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b7b-10.dat	dcrat
behavioral2/memory/1352-13-0x00000000005E0000-0x00000000006F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3172	powershell.exe
1772	powershell.exe
3460	powershell.exe
2528	powershell.exe
4328	powershell.exe
780	powershell.exe
4416	powershell.exe
1248	powershell.exe
4740	powershell.exe
1692	powershell.exe
3468	powershell.exe
1052	powershell.exe
2412	powershell.exe
1944	powershell.exe
4312	powershell.exe
4368	powershell.exe
2248	powershell.exe
2296	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 13 IoCs

pid	Process
1352	DllCommonsvc.exe
2848	sysmon.exe
6052	sysmon.exe
1840	sysmon.exe
4684	sysmon.exe
5196	sysmon.exe
5248	sysmon.exe
5124	sysmon.exe
3992	sysmon.exe
5928	sysmon.exe
5392	sysmon.exe
2528	sysmon.exe
3856	sysmon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
47	raw.githubusercontent.com
20	raw.githubusercontent.com
16	raw.githubusercontent.com
21	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com
28	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
15	raw.githubusercontent.com
48	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\MailContactsCalendarSync\System.exe	DllCommonsvc.exe
File created	C:\Windows\System32\MailContactsCalendarSync\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Install\{8A1C963D-7054-4DC6-AA98-9FBFCE5E4C3B}\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Install\{8A1C963D-7054-4DC6-AA98-9FBFCE5E4C3B}\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\121e5b5079f7c0	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\appcompat\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\appcompat\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\sysmon.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\rescache\_merged\1008669510\services.exe	DllCommonsvc.exe
File created	C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Windows\TAPI\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	JaffaCakes118_0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
212	schtasks.exe
1760	schtasks.exe
2092	schtasks.exe
5100	schtasks.exe
4848	schtasks.exe
692	schtasks.exe
2276	schtasks.exe
2788	schtasks.exe
400	schtasks.exe
2848	schtasks.exe
4348	schtasks.exe
972	schtasks.exe
3548	schtasks.exe
2804	schtasks.exe
548	schtasks.exe
5112	schtasks.exe
2304	schtasks.exe
3868	schtasks.exe
852	schtasks.exe
4512	schtasks.exe
2512	schtasks.exe
896	schtasks.exe
4488	schtasks.exe
3432	schtasks.exe
372	schtasks.exe
5004	schtasks.exe
4456	schtasks.exe
4412	schtasks.exe
4868	schtasks.exe
3040	schtasks.exe
3360	schtasks.exe
4916	schtasks.exe
4572	schtasks.exe
4804	schtasks.exe
2176	schtasks.exe
4408	schtasks.exe
1388	schtasks.exe
2320	schtasks.exe
2580	schtasks.exe
1028	schtasks.exe
2340	schtasks.exe
2140	schtasks.exe
4028	schtasks.exe
860	schtasks.exe
1056	schtasks.exe
2720	schtasks.exe
2032	schtasks.exe
4880	schtasks.exe
652	schtasks.exe
4944	schtasks.exe
1240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
3460	powershell.exe
3460	powershell.exe
4328	powershell.exe
4328	powershell.exe
3460	powershell.exe
2528	powershell.exe
2528	powershell.exe
1052	powershell.exe
1052	powershell.exe
4740	powershell.exe
4740	powershell.exe
2412	powershell.exe
2412	powershell.exe
1248	powershell.exe
1248	powershell.exe
4368	powershell.exe
4368	powershell.exe
1944	powershell.exe
1944	powershell.exe
3468	powershell.exe
3468	powershell.exe
2248	powershell.exe
2248	powershell.exe
780	powershell.exe
780	powershell.exe
1692	powershell.exe
1692	powershell.exe
4416	powershell.exe
4416	powershell.exe
4312	powershell.exe
4312	powershell.exe
2296	powershell.exe
2296	powershell.exe
3172	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	DllCommonsvc.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2848	sysmon.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	6052	sysmon.exe
Token: SeDebugPrivilege	1840	sysmon.exe
Token: SeDebugPrivilege	4684	sysmon.exe
Token: SeDebugPrivilege	5196	sysmon.exe
Token: SeDebugPrivilege	5248	sysmon.exe
Token: SeDebugPrivilege	5124	sysmon.exe
Token: SeDebugPrivilege	3992	sysmon.exe
Token: SeDebugPrivilege	5928	sysmon.exe
Token: SeDebugPrivilege	5392	sysmon.exe
Token: SeDebugPrivilege	2528	sysmon.exe
Token: SeDebugPrivilege	3856	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 1080	780	JaffaCakes118_0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993.exe	83
PID 780 wrote to memory of 1080	780	JaffaCakes118_0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993.exe	83
PID 780 wrote to memory of 1080	780	JaffaCakes118_0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993.exe	83
PID 1080 wrote to memory of 2244	1080	WScript.exe	91
PID 1080 wrote to memory of 2244	1080	WScript.exe	91
PID 1080 wrote to memory of 2244	1080	WScript.exe	91
PID 2244 wrote to memory of 1352	2244	cmd.exe	93
PID 2244 wrote to memory of 1352	2244	cmd.exe	93
PID 1352 wrote to memory of 3172	1352	DllCommonsvc.exe	145
PID 1352 wrote to memory of 3172	1352	DllCommonsvc.exe	145
PID 1352 wrote to memory of 1772	1352	DllCommonsvc.exe	146
PID 1352 wrote to memory of 1772	1352	DllCommonsvc.exe	146
PID 1352 wrote to memory of 4368	1352	DllCommonsvc.exe	147
PID 1352 wrote to memory of 4368	1352	DllCommonsvc.exe	147
PID 1352 wrote to memory of 4328	1352	DllCommonsvc.exe	148
PID 1352 wrote to memory of 4328	1352	DllCommonsvc.exe	148
PID 1352 wrote to memory of 3460	1352	DllCommonsvc.exe	149
PID 1352 wrote to memory of 3460	1352	DllCommonsvc.exe	149
PID 1352 wrote to memory of 4312	1352	DllCommonsvc.exe	150
PID 1352 wrote to memory of 4312	1352	DllCommonsvc.exe	150
PID 1352 wrote to memory of 1692	1352	DllCommonsvc.exe	151
PID 1352 wrote to memory of 1692	1352	DllCommonsvc.exe	151
PID 1352 wrote to memory of 4740	1352	DllCommonsvc.exe	152
PID 1352 wrote to memory of 4740	1352	DllCommonsvc.exe	152
PID 1352 wrote to memory of 1944	1352	DllCommonsvc.exe	153
PID 1352 wrote to memory of 1944	1352	DllCommonsvc.exe	153
PID 1352 wrote to memory of 2296	1352	DllCommonsvc.exe	154
PID 1352 wrote to memory of 2296	1352	DllCommonsvc.exe	154
PID 1352 wrote to memory of 2412	1352	DllCommonsvc.exe	155
PID 1352 wrote to memory of 2412	1352	DllCommonsvc.exe	155
PID 1352 wrote to memory of 1248	1352	DllCommonsvc.exe	157
PID 1352 wrote to memory of 1248	1352	DllCommonsvc.exe	157
PID 1352 wrote to memory of 2528	1352	DllCommonsvc.exe	158
PID 1352 wrote to memory of 2528	1352	DllCommonsvc.exe	158
PID 1352 wrote to memory of 2248	1352	DllCommonsvc.exe	160
PID 1352 wrote to memory of 2248	1352	DllCommonsvc.exe	160
PID 1352 wrote to memory of 1052	1352	DllCommonsvc.exe	161
PID 1352 wrote to memory of 1052	1352	DllCommonsvc.exe	161
PID 1352 wrote to memory of 4416	1352	DllCommonsvc.exe	163
PID 1352 wrote to memory of 4416	1352	DllCommonsvc.exe	163
PID 1352 wrote to memory of 780	1352	DllCommonsvc.exe	164
PID 1352 wrote to memory of 780	1352	DllCommonsvc.exe	164
PID 1352 wrote to memory of 3468	1352	DllCommonsvc.exe	166
PID 1352 wrote to memory of 3468	1352	DllCommonsvc.exe	166
PID 1352 wrote to memory of 2848	1352	DllCommonsvc.exe	181
PID 1352 wrote to memory of 2848	1352	DllCommonsvc.exe	181
PID 2848 wrote to memory of 5856	2848	sysmon.exe	189
PID 2848 wrote to memory of 5856	2848	sysmon.exe	189
PID 5856 wrote to memory of 5912	5856	cmd.exe	191
PID 5856 wrote to memory of 5912	5856	cmd.exe	191
PID 5856 wrote to memory of 6052	5856	cmd.exe	193
PID 5856 wrote to memory of 6052	5856	cmd.exe	193
PID 6052 wrote to memory of 4292	6052	sysmon.exe	195
PID 6052 wrote to memory of 4292	6052	sysmon.exe	195
PID 4292 wrote to memory of 4548	4292	cmd.exe	197
PID 4292 wrote to memory of 4548	4292	cmd.exe	197
PID 4292 wrote to memory of 1840	4292	cmd.exe	199
PID 4292 wrote to memory of 1840	4292	cmd.exe	199
PID 1840 wrote to memory of 4812	1840	sysmon.exe	201
PID 1840 wrote to memory of 4812	1840	sysmon.exe	201
PID 4812 wrote to memory of 5156	4812	cmd.exe	203
PID 4812 wrote to memory of 5156	4812	cmd.exe	203
PID 4812 wrote to memory of 4684	4812	cmd.exe	205
PID 4812 wrote to memory of 4684	4812	cmd.exe	205

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0bc56d66255767a1f61cfa18f8d1ddde72120d10d17f4a1d90bcd46fec018993.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\MailContactsCalendarSync\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{8A1C963D-7054-4DC6-AA98-9FBFCE5E4C3B}\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
    - - C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5912
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4548
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5156
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
        12⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4680
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        14⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:5224
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
        16⤵
        
        PID:1088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1128
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
        18⤵
        
        PID:5296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:660
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
        20⤵
        
        PID:3296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:5824
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        22⤵
        
        PID:4448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:6088
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
        24⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4636
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
        26⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:5208
        
        C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsHandlers-nt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\providercommon\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\MailContactsCalendarSync\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\System32\MailContactsCalendarSync\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\System32\MailContactsCalendarSync\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Install\{8A1C963D-7054-4DC6-AA98-9FBFCE5E4C3B}\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{8A1C963D-7054-4DC6-AA98-9FBFCE5E4C3B}\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Install\{8A1C963D-7054-4DC6-AA98-9FBFCE5E4C3B}\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\appcompat\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
160B

MD5
0801140f712d2030ed88ba23e38bbd0d

SHA1
4cf878db9e10542849b22ecfb6d7b24ab4433a77

SHA256
b3f65831eea08bf9948d28f9752592724d9148d7032a99e22930b00b6a3dc34b

SHA512
7584e8373882508af0a5b13da3f05cffbca5e0ce75e90f985dbcccda90e1526a4dac586f50356e9f829b385aa0059fc23e363c3f098384cde3e49a3dfaf5bc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat

Filesize
226B

MD5
3910110bfae7956dc444bdc33ef52ee3

SHA1
131dfe4f2954eaeb355ae358585515fb20419474

SHA256
eb1f1f8da9661b0d00ddcccba3617aacb9f079fcc6985ba41709143e768d189b

SHA512
453de8386eed182ded307198dbaa22fcb6b62dff2e5842f43c96e285052da4f2cf7625a40c7a500c61ae393e2e423e8702285904027e2efcb93444f36683ba18

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

Filesize
226B

MD5
212578728a48399d72a9c41c6f3806c3

SHA1
7327537d5b9c176cbf36e87061e13512450e2878

SHA256
5db0391b1c393be1b3d2be17aa2a59c08a59b9d05ce2561bd737f5687a71ea11

SHA512
3c28bca202f83e0d93f909db9fce671f6359094527f900cf8e0274112b38e3ae0a5433b48e37553c17e2619e6d9b7490fd0217d182410fadc8da4600a74a101c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat

Filesize
226B

MD5
118b8748a61a3421c9292a48a541b81f

SHA1
1bf9527daeb35b959490f63622a5e0700c2e8f96

SHA256
ea8fde8162bd444e15d5f2dea79f94e04c9eeb796fb3a63708c8d711a3e99a9b

SHA512
7702bcb335fd9783c79ca8da62dd396bbc27a7724b572b753420240be056aff74acd60aec8ffb16a78002950c459fbe594a21a227d7b0c0beadb69bfa4997796

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
226B

MD5
aaf0ad423dbe812d4df659a693e0dacc

SHA1
3ac8bd7929010e98fa20ef94c2f1e23b4857ee2f

SHA256
ec7dfdf35c11744afd1aba265a4017c9479edb8c1c631ce3b80f712e027fc33e

SHA512
5fe1d2da36acbd647aa67ca6d1fe548fe2e591d9ecfda78e6967d188e49d586958dc89c0628798a696bba75d9f1e0d4a46f63889a019b343e8ac428e53e525ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat

Filesize
226B

MD5
c852e90ba67e15a60ad09ef37c29dae5

SHA1
33a8d56c4920fa1481976c1a360f75b9ff713e39

SHA256
24eab6fdbfe55a6f89fca088fbf26ec37c0819dde13ae38df256464ff213b7b1

SHA512
6a08d237757b3612e68045ec01cb271f21df97772be1bfe9d82d2cb9459e2528daffefaa3487505cad8f80f24a093676f0eab6aa04dd477fb3ce5927dbdaa864

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat

Filesize
226B

MD5
06ad32d1299a9059cc66a1afe642cc46

SHA1
4be64f47b20b9c89b8ab9c2d4c32958bc0de4883

SHA256
b4c25eb2f3b06a4bd2c7e1ecfe5f8840b600fc49795998d57d54fdc33a165911

SHA512
ba514827f3d89af971381d1b2b9cad73c70533fcfb74870439469d2253aa5d4e0c6a06e8a8a966b9770cf9e49edbda049743c670a7109ea26fa12231fa7db385

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

Filesize
226B

MD5
02c5d2dc4603c4a57450f6b904acf810

SHA1
a154fed1ba6f706073184b0abd71856dedbd8c77

SHA256
490b4b69f0a260414574a8848322f6bc131f875140bfabbaecb7ac984c5b739e

SHA512
4096861bc3edfdce21e48066367abd56ff397964af1354393659616ccba2c4c1e94079aba8e1a58c97a0884617ba23afaca1c85039d86b6ffba8c474d71c65b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jq5i11d1.zpp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

Filesize
226B

MD5
934fd1195d57bfaaefd4da0553f01650

SHA1
8b6356976a408691aea38915c791a562a54291d6

SHA256
d0c6b6caa51e782dc76c7938448d94e073d3a42bb4897681833808d5c2d3ac8b

SHA512
24a79544aaa16ecfc24f31f8920e0dd53c3be8aabf15a19f10e26c323b3e9d89c5592b63bf218d003fd2704d854d0d828ce62259bdd2c0e50f0a4f8814c4c722

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat

Filesize
226B

MD5
964d5af7864e760676996ea6e45c3e83

SHA1
1220bd2139dbdfa291dbc6e0bf3c840ac5d13171

SHA256
b0138d902e4d2faff278796cadb0d59243653648d029d6f3525918ea839e415b

SHA512
603040149206477d39c5429c4096de6d73eebde9dae7238a2ba412cbeec059ebac948dc864764421f709d0fccab32ddff17378ea3e6d8393c696991372eeaa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat

Filesize
226B

MD5
9c37d17b88748ea2f24ca3a012e85cf0

SHA1
973ef59f91e9ce4cb7a0b0aba9eaad0b4d4949c4

SHA256
d5a2cb3bb27fca02f6e34a50c21f01488118612c7146a8ed3ae41456fb4bb186

SHA512
d875fff1efbd39f4b533f60281bc66fc1570e585182162a4500044e77ebb927dbcc85fd5e446dc61c391e95601378a44bd46b6b69633571d214847337dfc4fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
226B

MD5
8e25d2992eb246d44000f9034ace1e11

SHA1
80e09a008366373b7b8eb169b53beadfd5b8b6c9

SHA256
647f33fead74ee114a7be171f8605114eb73e639f47a343a3e3db3990a152737

SHA512
78d62a2ef0f8ff94a40b65e0ec7c74627c5893b2c68f1469e9d9408faf8d23134046d4566eb7abdfc2b44502ada8ca8ab9572a74059c8c5bf4f82c086a095cb2

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1352-13-0x00000000005E0000-0x00000000006F0000-memory.dmp

Filesize
1.1MB

Download
memory/1352-16-0x0000000001070000-0x000000000107C000-memory.dmp

Filesize
48KB

Download
memory/1352-15-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/1352-14-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/1352-17-0x0000000001080000-0x000000000108C000-memory.dmp

Filesize
48KB

Download
memory/1352-12-0x00007FFC725F3000-0x00007FFC725F5000-memory.dmp

Filesize
8KB

Download
memory/2848-154-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/3460-68-0x0000020DC7720000-0x0000020DC7742000-memory.dmp

Filesize
136KB

Download
memory/5248-283-0x0000000001400000-0x0000000001412000-memory.dmp

Filesize
72KB

Download
memory/5928-302-0x0000000002F20000-0x0000000002F32000-memory.dmp

Filesize
72KB

Download