dcrat | 898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80.exe
Size

1.3MB
MD5

68f623843118310e13bc61372a3be5fd
SHA1

707d6c2e1267f8d504fc4232e56e7bff80d8eb74
SHA256

898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80
SHA512

2408b0b4c9e58d08b17f54173125966f593812ec501f88cf1d1dd4dd99be0281ff6f962f01b921c7ed1218dfa771f2743de75c873f15c622bec08d456202140c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1180	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	1180	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b9a-9.dat	dcrat
behavioral2/memory/1352-13-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2128	powershell.exe
4952	powershell.exe
1612	powershell.exe
3532	powershell.exe
3776	powershell.exe
1948	powershell.exe
4868	powershell.exe
4192	powershell.exe
1744	powershell.exe
2504	powershell.exe
1424	powershell.exe
2624	powershell.exe
2312	powershell.exe
1524	powershell.exe
3504	powershell.exe
4928	powershell.exe
2760	powershell.exe
1056	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Idle.exe

Executes dropped EXE 15 IoCs

pid	Process
1352	DllCommonsvc.exe
5372	Idle.exe
5976	Idle.exe
4972	Idle.exe
3952	Idle.exe
3748	Idle.exe
2772	Idle.exe
764	Idle.exe
5452	Idle.exe
5620	Idle.exe
464	Idle.exe
5212	Idle.exe
5544	Idle.exe
3220	Idle.exe
3940	Idle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
39	raw.githubusercontent.com
46	raw.githubusercontent.com
17	raw.githubusercontent.com
56	raw.githubusercontent.com
45	raw.githubusercontent.com
53	raw.githubusercontent.com
57	raw.githubusercontent.com
16	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
24	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\upfc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	JaffaCakes118_898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2988	schtasks.exe
3296	schtasks.exe
1508	schtasks.exe
1824	schtasks.exe
3168	schtasks.exe
1884	schtasks.exe
4832	schtasks.exe
4032	schtasks.exe
1104	schtasks.exe
4100	schtasks.exe
2732	schtasks.exe
468	schtasks.exe
3412	schtasks.exe
4456	schtasks.exe
876	schtasks.exe
4468	schtasks.exe
2256	schtasks.exe
2320	schtasks.exe
1600	schtasks.exe
636	schtasks.exe
2888	schtasks.exe
3736	schtasks.exe
1368	schtasks.exe
2020	schtasks.exe
1972	schtasks.exe
3512	schtasks.exe
1996	schtasks.exe
1540	schtasks.exe
1812	schtasks.exe
4436	schtasks.exe
1132	schtasks.exe
1048	schtasks.exe
3200	schtasks.exe
2384	schtasks.exe
1900	schtasks.exe
400	schtasks.exe
1372	schtasks.exe
4548	schtasks.exe
4400	schtasks.exe
4528	schtasks.exe
1072	schtasks.exe
1520	schtasks.exe
2720	schtasks.exe
4712	schtasks.exe
4680	schtasks.exe
4292	schtasks.exe
4996	schtasks.exe
3600	schtasks.exe
3684	schtasks.exe
4164	schtasks.exe
3772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
1352	DllCommonsvc.exe
3504	powershell.exe
3504	powershell.exe
4868	powershell.exe
4868	powershell.exe
4928	powershell.exe
4928	powershell.exe
4952	powershell.exe
4952	powershell.exe
4192	powershell.exe
4192	powershell.exe
2128	powershell.exe
2128	powershell.exe
1744	powershell.exe
1744	powershell.exe
2760	powershell.exe
2760	powershell.exe
3776	powershell.exe
3776	powershell.exe
1056	powershell.exe
1056	powershell.exe
2312	powershell.exe
2312	powershell.exe
1524	powershell.exe
1524	powershell.exe
2504	powershell.exe
2504	powershell.exe
1612	powershell.exe
1612	powershell.exe
1424	powershell.exe
1424	powershell.exe
3532	powershell.exe
3532	powershell.exe
1948	powershell.exe
1948	powershell.exe
2624	powershell.exe
2624	powershell.exe
1744	powershell.exe
2624	powershell.exe
3504	powershell.exe
3504	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	DllCommonsvc.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	5372	Idle.exe
Token: SeDebugPrivilege	5976	Idle.exe
Token: SeDebugPrivilege	4972	Idle.exe
Token: SeDebugPrivilege	3952	Idle.exe
Token: SeDebugPrivilege	3748	Idle.exe
Token: SeDebugPrivilege	2772	Idle.exe
Token: SeDebugPrivilege	764	Idle.exe
Token: SeDebugPrivilege	5452	Idle.exe
Token: SeDebugPrivilege	5620	Idle.exe
Token: SeDebugPrivilege	464	Idle.exe
Token: SeDebugPrivilege	5212	Idle.exe
Token: SeDebugPrivilege	5544	Idle.exe
Token: SeDebugPrivilege	3220	Idle.exe
Token: SeDebugPrivilege	3940	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4804	3508	JaffaCakes118_898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80.exe	83
PID 3508 wrote to memory of 4804	3508	JaffaCakes118_898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80.exe	83
PID 3508 wrote to memory of 4804	3508	JaffaCakes118_898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80.exe	83
PID 4804 wrote to memory of 3260	4804	WScript.exe	85
PID 4804 wrote to memory of 3260	4804	WScript.exe	85
PID 4804 wrote to memory of 3260	4804	WScript.exe	85
PID 3260 wrote to memory of 1352	3260	cmd.exe	87
PID 3260 wrote to memory of 1352	3260	cmd.exe	87
PID 1352 wrote to memory of 1524	1352	DllCommonsvc.exe	141
PID 1352 wrote to memory of 1524	1352	DllCommonsvc.exe	141
PID 1352 wrote to memory of 3504	1352	DllCommonsvc.exe	142
PID 1352 wrote to memory of 3504	1352	DllCommonsvc.exe	142
PID 1352 wrote to memory of 1424	1352	DllCommonsvc.exe	143
PID 1352 wrote to memory of 1424	1352	DllCommonsvc.exe	143
PID 1352 wrote to memory of 4928	1352	DllCommonsvc.exe	144
PID 1352 wrote to memory of 4928	1352	DllCommonsvc.exe	144
PID 1352 wrote to memory of 2624	1352	DllCommonsvc.exe	145
PID 1352 wrote to memory of 2624	1352	DllCommonsvc.exe	145
PID 1352 wrote to memory of 4868	1352	DllCommonsvc.exe	146
PID 1352 wrote to memory of 4868	1352	DllCommonsvc.exe	146
PID 1352 wrote to memory of 4952	1352	DllCommonsvc.exe	147
PID 1352 wrote to memory of 4952	1352	DllCommonsvc.exe	147
PID 1352 wrote to memory of 1612	1352	DllCommonsvc.exe	148
PID 1352 wrote to memory of 1612	1352	DllCommonsvc.exe	148
PID 1352 wrote to memory of 4192	1352	DllCommonsvc.exe	149
PID 1352 wrote to memory of 4192	1352	DllCommonsvc.exe	149
PID 1352 wrote to memory of 2312	1352	DllCommonsvc.exe	150
PID 1352 wrote to memory of 2312	1352	DllCommonsvc.exe	150
PID 1352 wrote to memory of 2760	1352	DllCommonsvc.exe	151
PID 1352 wrote to memory of 2760	1352	DllCommonsvc.exe	151
PID 1352 wrote to memory of 3532	1352	DllCommonsvc.exe	152
PID 1352 wrote to memory of 3532	1352	DllCommonsvc.exe	152
PID 1352 wrote to memory of 1056	1352	DllCommonsvc.exe	153
PID 1352 wrote to memory of 1056	1352	DllCommonsvc.exe	153
PID 1352 wrote to memory of 1744	1352	DllCommonsvc.exe	154
PID 1352 wrote to memory of 1744	1352	DllCommonsvc.exe	154
PID 1352 wrote to memory of 2504	1352	DllCommonsvc.exe	155
PID 1352 wrote to memory of 2504	1352	DllCommonsvc.exe	155
PID 1352 wrote to memory of 3776	1352	DllCommonsvc.exe	156
PID 1352 wrote to memory of 3776	1352	DllCommonsvc.exe	156
PID 1352 wrote to memory of 1948	1352	DllCommonsvc.exe	157
PID 1352 wrote to memory of 1948	1352	DllCommonsvc.exe	157
PID 1352 wrote to memory of 2128	1352	DllCommonsvc.exe	158
PID 1352 wrote to memory of 2128	1352	DllCommonsvc.exe	158
PID 1352 wrote to memory of 1896	1352	DllCommonsvc.exe	176
PID 1352 wrote to memory of 1896	1352	DllCommonsvc.exe	176
PID 1896 wrote to memory of 5052	1896	cmd.exe	179
PID 1896 wrote to memory of 5052	1896	cmd.exe	179
PID 1896 wrote to memory of 5372	1896	cmd.exe	181
PID 1896 wrote to memory of 5372	1896	cmd.exe	181
PID 5372 wrote to memory of 5552	5372	Idle.exe	183
PID 5372 wrote to memory of 5552	5372	Idle.exe	183
PID 5552 wrote to memory of 5616	5552	cmd.exe	185
PID 5552 wrote to memory of 5616	5552	cmd.exe	185
PID 5552 wrote to memory of 5976	5552	cmd.exe	193
PID 5552 wrote to memory of 5976	5552	cmd.exe	193
PID 5976 wrote to memory of 3300	5976	Idle.exe	199
PID 5976 wrote to memory of 3300	5976	Idle.exe	199
PID 3300 wrote to memory of 4928	3300	cmd.exe	201
PID 3300 wrote to memory of 4928	3300	cmd.exe	201
PID 3300 wrote to memory of 4972	3300	cmd.exe	206
PID 3300 wrote to memory of 4972	3300	cmd.exe	206
PID 4972 wrote to memory of 448	4972	Idle.exe	208
PID 4972 wrote to memory of 448	4972	Idle.exe	208

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_898fbc56731bb5b16a00131f3cc234cbcd757a12a341f92b64b4fe40a8f9fe80.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HNDNw1HFuq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5052
      - C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5616
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4928
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
        11⤵
        
        PID:448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1672
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        13⤵
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4832
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
        15⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3796
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat"
        17⤵
        
        PID:5016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5168
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
        19⤵
        
        PID:5328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4032
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
        21⤵
        
        PID:5496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:5752
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
        23⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:5648
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        25⤵
        
        PID:5224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1752
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        27⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4844
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"
        29⤵
        
        PID:3684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4236
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        31⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1932
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Templates\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat

Filesize
195B

MD5
e5b2675ac77378895f81218e8ecb42d1

SHA1
0d78ae9c95ec0a65fa4c63529bd8ffcb00985399

SHA256
267ac70f62f87c73ecc98ff43ab9df153ff4536269379a79c1c1611912631fb4

SHA512
4f7978bf1505185030d5ca7b7b68560e6616f8b90f1ccc0886e3e8868eaff81fc121a12db79105ac2725861a589fa55fb9dd4861ff8d3fb8cfb3d4438271f2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HNDNw1HFuq.bat

Filesize
195B

MD5
6e2b2e7a2852447c5709c1653df3c771

SHA1
a9a70087833a13169f8089a1d0c4ab5ccf946acb

SHA256
bb0daea595638e05bb0fef6c08f03bee76c7a096312355432682efe29a6c663a

SHA512
0b3fcbc545694d46d56bc22bc6cfde7465e7d57effc511a228b0edbe012854488d0744d621eb433439b95e50c623b029e0fb80fbd32dbe316e80772608b9b6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
195B

MD5
9fb6b48d002507a2ced9828b189a2c5e

SHA1
b34927faa5ed903b3851a1a75b39b3dcc56b8cbe

SHA256
5daa4d52f6437845807d0ffcbeeb1b1a9880757acc4cba41377cd309ac37f7a8

SHA512
f2e578e727c6e269d37748be1d61cd5bce5bf60f32f2f929b01e95330ee7d63aba9a3473fec9eeeeb23b6dcf2a80b44a11eb566210beadff8e37aaf50d82c841

Download Submit
C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat

Filesize
195B

MD5
bf01856bd0b08145fc431defd15cb4dd

SHA1
af7a2da4219134d583364adf9f59fb8afedc8317

SHA256
f8a0000c524bf224e01968317704cd239dc8607ed880d8d94adbf4ee5c73d660

SHA512
391f4c1b8b7786cc398705645b6a138f75710a3541d3dfa2aef22708a44e020fe9945b865d9587279ebcf47fbc8f905214225346dca9490ba9dbf7bdff39aee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat

Filesize
195B

MD5
3c8317debfcf6a3c3af60d583e6d1f84

SHA1
e55cd8f6f607ffda5439d2266b8a397ff5678938

SHA256
c6043d48db75538f26a6ca5840b20ddda2d13bb9fbb68a90cfca4165252dac45

SHA512
83136395410e3118ff10a215814c276b3cc5589f98944505f2d539caac329d5ed5ff2aad5927979b8a32b322dd2a74728de631534aa585bb1a15d3104b7de801

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat

Filesize
195B

MD5
27aa76c7530d9906a1d0d3f896f9d908

SHA1
fa72adaaed7b337cb73afb28bf1c067e08289f84

SHA256
5b385b0fbbc1ba76c3cfcdc36f628f8ab56699075e1234b4498130fd69f0997d

SHA512
8e2f5457e81fc5305d90129cd01aab5ea63c1e187b7e75f177b39505c7770513d5dc976d7134638159d73a7de6e04036bf37de51e687d9511540b974b13b1bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
195B

MD5
9ea15fa7686c5d3918eb12fca93a2336

SHA1
1706f5db81356b08bc632686140d7f36e263a653

SHA256
64d1a135fde81d82d45224e3c95d8017d95574a5032e2e3551148e1a2af4eeb1

SHA512
ffd4e01471b17eb467a438dbc04ab066127f91a04c7de31afb44a0e8d21b96a0ab65f21ec880e7f7bf31d36564ad3638b86d123b06fd79c976033b94092eabfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
195B

MD5
4e78d563e294626c7778552aecf0fa15

SHA1
12ae0801cd331984be4043dc27cce0ef2d68da2d

SHA256
4d1addf722688299e7febf83350c4a945da81a26381f0bca4804347a3f19f4cb

SHA512
20af35c5986404bdb38c697c939281f0dfb75724da03a9cb0fa0d050f11220e188d7440e4b41c5c251aa00e6b409a4b1969631a05760e347ae0555029e0bf6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fcoa243b.df4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
195B

MD5
2903e8cf6e8fcd522facd9537a67d10d

SHA1
229a427c20c23da5ec217974f2ea43904e45631c

SHA256
8fd50d1906ebceebca9fc6d44bb90852fa3f6c74dd7f20080ce2317741704f3b

SHA512
999db405ec99fb48ba5edb591aab1fc5c655aec5358359bbca4440c633f53b24f58752fbd3a1de7725a46ef3917615e69d2c3ffef66f5225e96359a62bf518bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat

Filesize
195B

MD5
8d8344c97ff8774ea8153fa10820c0ed

SHA1
d4251e194d9c091565ec03113e09534dc10c70d2

SHA256
42cd584ee289169e84bbdbd142a78cb4c154ff84d558e3e34354c4833f4952e6

SHA512
a26d9e4d17705725aa0df1b67de68bd579e6de10c385a318b8e0ba5f698ed51d925adaa070d289bc713dabf5c3f6aaa55146b3f4ac2dd9c41e759b92d34080cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat

Filesize
195B

MD5
01631e9b690bd2f506182dd1bb9ccea1

SHA1
dd963293d82c8722cec2945c8378a94d5478d0da

SHA256
ced9724682af18abcee572437cd1fcdaf194f10c4a7b4b26b9ffa72321d5349f

SHA512
17a73a5f163e36960b0ebf79da9b8672a4901e98fa6ed3ee33fd7199f1373ef360261e76943e32b5caa5d3c94f1946a485d8a0e99d7927b2a4da9bafd7fd5a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

Filesize
195B

MD5
f758aa670120273fc4400e614e5d9262

SHA1
e45681904af08018f17d419e86242a777d11a438

SHA256
72a5b05183d1a43aac84bd82d5afc4d76530e9e011fd6e116b16d710cce2382c

SHA512
e7e5226899bf95067d56fa2d2a93357f9813e954546f0486de01c4672eb2ccb4cea1c3876f5c6db2bf39b1ba932f03d914f269a6eea7425fb71fda52863bb304

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
195B

MD5
aebfc4bf64675d5832a3e1831e635ea4

SHA1
dd6465a3b230667ca250f47886cd36cc680079a6

SHA256
cab6732bbee01f0b2631f827c6741f54e1bbd38080d30289866b5eb9fc52e177

SHA512
acf39996f3ee443eb46957ac47847301256773c91936898c07935e0c6b8da339e7fe75d267e95803b3c1dbe7c2d504a0bdd77237e41b9ef7be136ae77035240c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/464-321-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

Filesize
72KB

Download
memory/764-306-0x000000001C2B0000-0x000000001C459000-memory.dmp

Filesize
1.7MB

Download
memory/1352-12-0x00007FFFAD8B3000-0x00007FFFAD8B5000-memory.dmp

Filesize
8KB

Download
memory/1352-13-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/1352-17-0x0000000002E50000-0x0000000002E5C000-memory.dmp

Filesize
48KB

Download
memory/1352-16-0x0000000001480000-0x000000000148C000-memory.dmp

Filesize
48KB

Download
memory/1352-15-0x0000000002E60000-0x0000000002E6C000-memory.dmp

Filesize
48KB

Download
memory/1352-14-0x0000000001470000-0x0000000001482000-memory.dmp

Filesize
72KB

Download
memory/2772-293-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/2772-298-0x000000001BC30000-0x000000001BDD9000-memory.dmp

Filesize
1.7MB

Download
memory/3504-68-0x0000024546ED0000-0x0000024546EF2000-memory.dmp

Filesize
136KB

Download
memory/3748-290-0x000000001BEC0000-0x000000001C069000-memory.dmp

Filesize
1.7MB

Download
memory/3952-283-0x000000001CB20000-0x000000001CCC9000-memory.dmp

Filesize
1.7MB

Download
memory/3952-278-0x0000000003370000-0x0000000003382000-memory.dmp

Filesize
72KB

Download
memory/4972-275-0x000000001BD90000-0x000000001BF39000-memory.dmp

Filesize
1.7MB

Download
memory/5372-255-0x00000000031B0000-0x00000000031C2000-memory.dmp

Filesize
72KB

Download
memory/5452-308-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/5976-269-0x000000001C600000-0x000000001C76A000-memory.dmp

Filesize
1.4MB

Download