dcrat | 366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3.exe
Size

1.3MB
MD5

776b7b5288172dc0d90e99b63fe7ea36
SHA1

38c663a2786bd633ec2671d8a4c9a95b8c12ac01
SHA256

366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3
SHA512

34868b0ae3b1509de9f034c689e9decb24df2ec18d8a5434a272c5eba99362d642737f3af9a0db210fee301f79fb83f523978bd110f5a201c134a134747f7d0a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2652	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	2652	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c92-10.dat	dcrat
behavioral2/memory/3756-13-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4296	powershell.exe
3464	powershell.exe
4712	powershell.exe
1004	powershell.exe
5112	powershell.exe
1328	powershell.exe
3192	powershell.exe
2932	powershell.exe
2472	powershell.exe
4580	powershell.exe
1520	powershell.exe
4740	powershell.exe
3032	powershell.exe
1336	powershell.exe
1984	powershell.exe
4280	powershell.exe
2192	powershell.exe
5008	powershell.exe
2948	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	powershell.exe

Executes dropped EXE 16 IoCs

pid	Process
3756	DllCommonsvc.exe
4596	DllCommonsvc.exe
2992	powershell.exe
232	powershell.exe
512	powershell.exe
632	powershell.exe
1772	powershell.exe
3388	powershell.exe
3676	powershell.exe
4008	powershell.exe
5140	powershell.exe
3932	powershell.exe
4312	powershell.exe
1996	powershell.exe
212	powershell.exe
1304	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com
54	raw.githubusercontent.com
49	raw.githubusercontent.com
40	raw.githubusercontent.com
45	raw.githubusercontent.com
51	raw.githubusercontent.com
39	raw.githubusercontent.com
17	raw.githubusercontent.com
32	raw.githubusercontent.com
41	raw.githubusercontent.com
52	raw.githubusercontent.com
16	raw.githubusercontent.com
44	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	JaffaCakes118_366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3196	schtasks.exe
3432	schtasks.exe
5024	schtasks.exe
4420	schtasks.exe
2232	schtasks.exe
944	schtasks.exe
1612	schtasks.exe
3436	schtasks.exe
4036	schtasks.exe
4976	schtasks.exe
2952	schtasks.exe
2880	schtasks.exe
4144	schtasks.exe
1936	schtasks.exe
4552	schtasks.exe
2420	schtasks.exe
5012	schtasks.exe
5072	schtasks.exe
4036	schtasks.exe
2368	schtasks.exe
4524	schtasks.exe
2176	schtasks.exe
3564	schtasks.exe
4012	schtasks.exe
3616	schtasks.exe
2296	schtasks.exe
1204	schtasks.exe
3220	schtasks.exe
3596	schtasks.exe
696	schtasks.exe
5060	schtasks.exe
1852	schtasks.exe
4108	schtasks.exe
2680	schtasks.exe
1344	schtasks.exe
4660	schtasks.exe
2924	schtasks.exe
412	schtasks.exe
3292	schtasks.exe
1704	schtasks.exe
1116	schtasks.exe
856	schtasks.exe
60	schtasks.exe
3204	schtasks.exe
5088	schtasks.exe
1744	schtasks.exe
4188	schtasks.exe
3616	schtasks.exe
2296	schtasks.exe
3424	schtasks.exe
5000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3756	DllCommonsvc.exe
2472	powershell.exe
2472	powershell.exe
4280	powershell.exe
4280	powershell.exe
2932	powershell.exe
2932	powershell.exe
1984	powershell.exe
1984	powershell.exe
1520	powershell.exe
1520	powershell.exe
4580	powershell.exe
4580	powershell.exe
5112	powershell.exe
5112	powershell.exe
2192	powershell.exe
2192	powershell.exe
4296	powershell.exe
4296	powershell.exe
3464	powershell.exe
3464	powershell.exe
2948	powershell.exe
2948	powershell.exe
1336	powershell.exe
1336	powershell.exe
4596	DllCommonsvc.exe
4596	DllCommonsvc.exe
2472	powershell.exe
1520	powershell.exe
4580	powershell.exe
2932	powershell.exe
4280	powershell.exe
2192	powershell.exe
4296	powershell.exe
5112	powershell.exe
1984	powershell.exe
1336	powershell.exe
3464	powershell.exe
2948	powershell.exe
1328	powershell.exe
1328	powershell.exe
3192	powershell.exe
3192	powershell.exe
5008	powershell.exe
5008	powershell.exe
1004	powershell.exe
1004	powershell.exe
4712	powershell.exe
4712	powershell.exe
4740	powershell.exe
4740	powershell.exe
1328	powershell.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
3192	powershell.exe
2992	powershell.exe
2992	powershell.exe
4712	powershell.exe
5008	powershell.exe
1004	powershell.exe
4740	powershell.exe
232	powershell.exe
512	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	DllCommonsvc.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	4596	DllCommonsvc.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	5140	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1888	1488	JaffaCakes118_366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3.exe	83
PID 1488 wrote to memory of 1888	1488	JaffaCakes118_366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3.exe	83
PID 1488 wrote to memory of 1888	1488	JaffaCakes118_366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3.exe	83
PID 1888 wrote to memory of 3300	1888	WScript.exe	85
PID 1888 wrote to memory of 3300	1888	WScript.exe	85
PID 1888 wrote to memory of 3300	1888	WScript.exe	85
PID 3300 wrote to memory of 3756	3300	cmd.exe	87
PID 3300 wrote to memory of 3756	3300	cmd.exe	87
PID 3756 wrote to memory of 2948	3756	DllCommonsvc.exe	123
PID 3756 wrote to memory of 2948	3756	DllCommonsvc.exe	123
PID 3756 wrote to memory of 1336	3756	DllCommonsvc.exe	124
PID 3756 wrote to memory of 1336	3756	DllCommonsvc.exe	124
PID 3756 wrote to memory of 5112	3756	DllCommonsvc.exe	125
PID 3756 wrote to memory of 5112	3756	DllCommonsvc.exe	125
PID 3756 wrote to memory of 1984	3756	DllCommonsvc.exe	126
PID 3756 wrote to memory of 1984	3756	DllCommonsvc.exe	126
PID 3756 wrote to memory of 2472	3756	DllCommonsvc.exe	127
PID 3756 wrote to memory of 2472	3756	DllCommonsvc.exe	127
PID 3756 wrote to memory of 2932	3756	DllCommonsvc.exe	128
PID 3756 wrote to memory of 2932	3756	DllCommonsvc.exe	128
PID 3756 wrote to memory of 4580	3756	DllCommonsvc.exe	129
PID 3756 wrote to memory of 4580	3756	DllCommonsvc.exe	129
PID 3756 wrote to memory of 1520	3756	DllCommonsvc.exe	130
PID 3756 wrote to memory of 1520	3756	DllCommonsvc.exe	130
PID 3756 wrote to memory of 4280	3756	DllCommonsvc.exe	131
PID 3756 wrote to memory of 4280	3756	DllCommonsvc.exe	131
PID 3756 wrote to memory of 2192	3756	DllCommonsvc.exe	132
PID 3756 wrote to memory of 2192	3756	DllCommonsvc.exe	132
PID 3756 wrote to memory of 3464	3756	DllCommonsvc.exe	133
PID 3756 wrote to memory of 3464	3756	DllCommonsvc.exe	133
PID 3756 wrote to memory of 4296	3756	DllCommonsvc.exe	134
PID 3756 wrote to memory of 4296	3756	DllCommonsvc.exe	134
PID 3756 wrote to memory of 4596	3756	DllCommonsvc.exe	146
PID 3756 wrote to memory of 4596	3756	DllCommonsvc.exe	146
PID 4596 wrote to memory of 1328	4596	DllCommonsvc.exe	166
PID 4596 wrote to memory of 1328	4596	DllCommonsvc.exe	166
PID 4596 wrote to memory of 1004	4596	DllCommonsvc.exe	167
PID 4596 wrote to memory of 1004	4596	DllCommonsvc.exe	167
PID 4596 wrote to memory of 3192	4596	DllCommonsvc.exe	168
PID 4596 wrote to memory of 3192	4596	DllCommonsvc.exe	168
PID 4596 wrote to memory of 5008	4596	DllCommonsvc.exe	169
PID 4596 wrote to memory of 5008	4596	DllCommonsvc.exe	169
PID 4596 wrote to memory of 3032	4596	DllCommonsvc.exe	171
PID 4596 wrote to memory of 3032	4596	DllCommonsvc.exe	171
PID 4596 wrote to memory of 4740	4596	DllCommonsvc.exe	172
PID 4596 wrote to memory of 4740	4596	DllCommonsvc.exe	172
PID 4596 wrote to memory of 4712	4596	DllCommonsvc.exe	173
PID 4596 wrote to memory of 4712	4596	DllCommonsvc.exe	173
PID 4596 wrote to memory of 2992	4596	DllCommonsvc.exe	180
PID 4596 wrote to memory of 2992	4596	DllCommonsvc.exe	180
PID 2992 wrote to memory of 6092	2992	powershell.exe	186
PID 2992 wrote to memory of 6092	2992	powershell.exe	186
PID 6092 wrote to memory of 5096	6092	cmd.exe	188
PID 6092 wrote to memory of 5096	6092	cmd.exe	188
PID 6092 wrote to memory of 232	6092	cmd.exe	192
PID 6092 wrote to memory of 232	6092	cmd.exe	192
PID 232 wrote to memory of 3216	232	powershell.exe	198
PID 232 wrote to memory of 3216	232	powershell.exe	198
PID 3216 wrote to memory of 4736	3216	cmd.exe	200
PID 3216 wrote to memory of 4736	3216	cmd.exe	200
PID 3216 wrote to memory of 512	3216	cmd.exe	202
PID 3216 wrote to memory of 512	3216	cmd.exe	202
PID 512 wrote to memory of 2276	512	powershell.exe	206
PID 512 wrote to memory of 2276	512	powershell.exe	206

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_366bbe6fce1ca7967c69bc2d0727e5d85db3410d0590322518aeccacc94be1a3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
      - C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:6092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5096
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4736
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        11⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1884
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        13⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2372
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
        15⤵
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:5760
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        17⤵
        
        PID:5436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3660
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        19⤵
        
        PID:1004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:720
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        21⤵
        
        PID:5188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:6008
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat"
        23⤵
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1112
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        25⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1992
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
        27⤵
        
        PID:3944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2688
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
        29⤵
        
        PID:5692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2060
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        31⤵
        
        PID:3936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:5196
        
        C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\de-DE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
226B

MD5
88a36da01749a32d3a4d6ec3e42e57ac

SHA1
f33ac3b99b70b743767a6e9fe2081092e168889c

SHA256
c81ce002b6ffd64da2d06048dc02e825ea2d094bd7ab849926ce7d83d1f977e9

SHA512
ef88d71af2c937b1e0107be1f8f417ee85233b48360d4dd9890d522b1f2d79c19d90e07669d92085c4ddfb7628a047695689083b49ec3da32555f8f78cf28e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
226B

MD5
c2b777282709a30cd4d9c4cfe854276d

SHA1
3c749ce52574af1f6c132c79a3e7aaf2bb5ae87e

SHA256
452011e135816c66daa2afdc7dff08c60f6f784446d724ed3ff7a65fcc5b7105

SHA512
6d3667d2bff27a2f85fb328d41dba37610ffa4743aa4d077778015025467801cd9439252dfd3d060cf0f8176fe6d47c9e97b78d12e8186b4b748bc98d0a57193

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
226B

MD5
03c9c5a20b1cd5127eee44da8309d060

SHA1
0adfac0b74c63f55b6ce3656ea9ce351a5c5398f

SHA256
f723fe558a14d5792ff6281c21f6395ad8ba8d59833fb65333a0ba8d7e4f41d5

SHA512
5e38f300750e665f3daa36178cd95e7d3ba38e0a3b13af12786e2b3cce5345d8fa6a61aef6043e582f0441dde334aa96571f76149c95966f2536cb1aaa65eb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat

Filesize
226B

MD5
c41aafec969ce8c0b9cffd4178b17023

SHA1
5edae54233a23297442bc6114908b878aa11e8db

SHA256
fb11554608faf31232cfe55fef2dd1d3bd96f714914dd9263b7f99c21fc2ec50

SHA512
22dbfd27189a0e895cd62c11b086792c8b96c5f569af82b1784686769598c1d9628406a8990cbbe90b2fbc3d113703e98a00cfcb9b338ce64f903b34dd94a635

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bzb5nhuo.2pq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

Filesize
226B

MD5
c12bdef61b11519759b74fadf7c8d010

SHA1
48bc0ac7e2d64bc0913a8011b4520ffa3e921cfd

SHA256
d9a90eff6380048d67652b90e92c3373e1e039c7318781c58250061ec952b35f

SHA512
a27205583d4400cce92d3726a82eaf84e568c7cd5f56bc91e81058fa2c031a400c3e828ab09a47622113b14edfcdcc5978d5c762084717414a10766e48e1674b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat

Filesize
226B

MD5
c17199a1c4c53661d11327265760a63a

SHA1
c3b073fa36cb40ed9b1228c17dbc2408ccf22a45

SHA256
459f420fc2f74198b6b5c27bf9f366c845cfa5a5d3b75ab494f5d4e07a9b2f9a

SHA512
d15b66979279d63f6b5c104ab40941bb9659da1d2886234c0df06bfb178c2547f9bd94aea3a4e2c49c97bd04459ec7a9b1bdea1510d7daba9dad5812f3913ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
226B

MD5
2312ea0af3d31b01d67878f7d7bd6985

SHA1
76529cf9d65841ea2ca58a9a50b721da849ea4d3

SHA256
2f373674130be2daded9995f75a646a18e954462b4852703e2a053fc7ae77b28

SHA512
eee035d4f705bec92c9dcdb7ee5fe00116750541e331017aed60d9a946bb0d35599d8687431742b6f89f9c13f19aac2064fe35709399a7e79fca76128f916ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat

Filesize
226B

MD5
e2bd4d91d2e3ce3242c2785922c5179a

SHA1
db1a3dfec5f04e51b28c0e7a39540e3e1da98722

SHA256
7ff938a09a1f4680de26674b1c8c3228f9f3ddcaec895f6558ddf19817981a39

SHA512
8a512e061a3396164f9b7371f7a3cfcd1b80f1dd35747f3d89511898aacdc46acf051e020657859a4da0a434e6afc7f3705fb072c887cbe46aa2ac36acf6bba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\muCkezbCVz.bat

Filesize
226B

MD5
f8403b5ede1486115efe0c86bb118ddc

SHA1
12bcbbf432cccbda927630392193bce1e4733f4c

SHA256
7c0e789574a4e02c70f2f3f5f60cc6fb04bd883d0f22530fa741737072b8ad9c

SHA512
b2d73ca211f4cfeab53527fd674a53c66cfe018a84a557d23bf0bdf9451303e24159c26a26b97f1afb18328b778e2ae85b08d490a71396b5093447b5313bf702

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat

Filesize
226B

MD5
6ca6379ec6343705493fc4f6d1256d57

SHA1
ef1121a83a278619931beb5e8c2b9d40afc43687

SHA256
878788d88b68bd439e343242d550a3411e4b253643993282bd4fc570e1f369f6

SHA512
d65cccaabc498a286cceef30a5356d3f65032ee0f233c58268c8496d4e41638d340df05eb1fcc742621e19f608fc06d1690d330dcc767551f2032c01b68ab03a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/212-363-0x000000001BF70000-0x000000001C119000-memory.dmp

Filesize
1.7MB

Download
memory/232-286-0x000000001BD70000-0x000000001BE72000-memory.dmp

Filesize
1.0MB

Download
memory/232-287-0x000000001C4C0000-0x000000001C62A000-memory.dmp

Filesize
1.4MB

Download
memory/512-294-0x000000001C250000-0x000000001C352000-memory.dmp

Filesize
1.0MB

Download
memory/512-295-0x000000001C9A0000-0x000000001CB0A000-memory.dmp

Filesize
1.4MB

Download
memory/632-302-0x000000001CC40000-0x000000001CDAA000-memory.dmp

Filesize
1.4MB

Download
memory/1772-309-0x000000001BB80000-0x000000001BCEA000-memory.dmp

Filesize
1.4MB

Download
memory/3388-317-0x000000001BD70000-0x000000001BEDA000-memory.dmp

Filesize
1.4MB

Download
memory/3676-323-0x000000001BE40000-0x000000001BFAA000-memory.dmp

Filesize
1.4MB

Download
memory/3756-15-0x000000001AC40000-0x000000001AC4C000-memory.dmp

Filesize
48KB

Download
memory/3756-13-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/3756-14-0x000000001AC20000-0x000000001AC32000-memory.dmp

Filesize
72KB

Download
memory/3756-12-0x00007FFA0FBE3000-0x00007FFA0FBE5000-memory.dmp

Filesize
8KB

Download
memory/3756-16-0x000000001AC30000-0x000000001AC3C000-memory.dmp

Filesize
48KB

Download
memory/3756-17-0x000000001AC50000-0x000000001AC5C000-memory.dmp

Filesize
48KB

Download
memory/3932-340-0x00000000013A0000-0x00000000013B2000-memory.dmp

Filesize
72KB

Download
memory/4008-330-0x000000001C190000-0x000000001C2FA000-memory.dmp

Filesize
1.4MB

Download
memory/4580-48-0x000001A0359D0000-0x000001A0359F2000-memory.dmp

Filesize
136KB

Download
memory/5140-333-0x0000000003040000-0x0000000003052000-memory.dmp

Filesize
72KB

Download