dcrat | f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259

Analysis

max time kernel
146s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe
Size

1.3MB
MD5

4b758200e4c704472c229db414552fb6
SHA1

42f0a674fab415c3e1b93bf9e4798d7fdda7a741
SHA256

f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259
SHA512

6f87113b56100f89426a2a5c5207eafc8e663b21d09a2850cacbf5673d022fb4e97a627decae92eb318a3f542769a1019889dd61d18a46180bce4d36f55e9b57
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3992	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	3992	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cab-9.dat	dcrat
behavioral2/memory/1080-13-0x0000000000A00000-0x0000000000B10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1464	powershell.exe
1348	powershell.exe
2940	powershell.exe
696	powershell.exe
4968	powershell.exe
260	powershell.exe
2824	powershell.exe
212	powershell.exe
1456	powershell.exe
4788	powershell.exe
2668	powershell.exe
364	powershell.exe
4676	powershell.exe
2620	powershell.exe
1492	powershell.exe
440	powershell.exe
1740	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 15 IoCs

pid	Process
1080	DllCommonsvc.exe
1172	SppExtComObj.exe
3912	SppExtComObj.exe
5064	SppExtComObj.exe
4564	SppExtComObj.exe
2128	SppExtComObj.exe
3676	SppExtComObj.exe
4260	SppExtComObj.exe
1144	SppExtComObj.exe
452	SppExtComObj.exe
3180	SppExtComObj.exe
4396	SppExtComObj.exe
4832	SppExtComObj.exe
1736	SppExtComObj.exe
4960	SppExtComObj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
55	raw.githubusercontent.com
57	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
54	raw.githubusercontent.com
58	raw.githubusercontent.com
23	raw.githubusercontent.com
45	raw.githubusercontent.com
47	raw.githubusercontent.com
56	raw.githubusercontent.com
22	raw.githubusercontent.com
39	raw.githubusercontent.com
46	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\attachments\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\attachments\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\twain_32\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4936	schtasks.exe
4720	schtasks.exe
1764	schtasks.exe
1996	schtasks.exe
2124	schtasks.exe
4012	schtasks.exe
4972	schtasks.exe
2140	schtasks.exe
1316	schtasks.exe
1388	schtasks.exe
3924	schtasks.exe
2336	schtasks.exe
2888	schtasks.exe
2036	schtasks.exe
3164	schtasks.exe
5060	schtasks.exe
3308	schtasks.exe
3348	schtasks.exe
4728	schtasks.exe
908	schtasks.exe
3284	schtasks.exe
4112	schtasks.exe
1448	schtasks.exe
2128	schtasks.exe
2068	schtasks.exe
1772	schtasks.exe
2332	schtasks.exe
904	schtasks.exe
3648	schtasks.exe
1120	schtasks.exe
2288	schtasks.exe
3152	schtasks.exe
4128	schtasks.exe
3364	schtasks.exe
3180	schtasks.exe
3692	schtasks.exe
2232	schtasks.exe
3832	schtasks.exe
1428	schtasks.exe
1912	schtasks.exe
2076	schtasks.exe
2084	schtasks.exe
2412	schtasks.exe
1892	schtasks.exe
1688	schtasks.exe
3400	schtasks.exe
1592	schtasks.exe
2268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
1080	DllCommonsvc.exe
2824	powershell.exe
2824	powershell.exe
1348	powershell.exe
364	powershell.exe
1348	powershell.exe
364	powershell.exe
2620	powershell.exe
2620	powershell.exe
1492	powershell.exe
1492	powershell.exe
2940	powershell.exe
2940	powershell.exe
1464	powershell.exe
1464	powershell.exe
1456	powershell.exe
1456	powershell.exe
1740	powershell.exe
1740	powershell.exe
696	powershell.exe
696	powershell.exe
440	powershell.exe
440	powershell.exe
260	powershell.exe
212	powershell.exe
260	powershell.exe
212	powershell.exe
4788	powershell.exe
4788	powershell.exe
4968	powershell.exe
4968	powershell.exe
4676	powershell.exe
4676	powershell.exe
2668	powershell.exe
2668	powershell.exe
4676	powershell.exe
1492	powershell.exe
2824	powershell.exe
2620	powershell.exe
364	powershell.exe
1740	powershell.exe
2940	powershell.exe
1464	powershell.exe
1348	powershell.exe
696	powershell.exe
4968	powershell.exe
1456	powershell.exe
4788	powershell.exe
212	powershell.exe
440	powershell.exe
260	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	DllCommonsvc.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	260	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1172	SppExtComObj.exe
Token: SeDebugPrivilege	3912	SppExtComObj.exe
Token: SeDebugPrivilege	5064	SppExtComObj.exe
Token: SeDebugPrivilege	4564	SppExtComObj.exe
Token: SeDebugPrivilege	2128	SppExtComObj.exe
Token: SeDebugPrivilege	3676	SppExtComObj.exe
Token: SeDebugPrivilege	4260	SppExtComObj.exe
Token: SeDebugPrivilege	1144	SppExtComObj.exe
Token: SeDebugPrivilege	452	SppExtComObj.exe
Token: SeDebugPrivilege	3180	SppExtComObj.exe
Token: SeDebugPrivilege	4396	SppExtComObj.exe
Token: SeDebugPrivilege	4832	SppExtComObj.exe
Token: SeDebugPrivilege	1736	SppExtComObj.exe
Token: SeDebugPrivilege	4960	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1744	4852	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe	82
PID 4852 wrote to memory of 1744	4852	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe	82
PID 4852 wrote to memory of 1744	4852	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe	82
PID 1744 wrote to memory of 664	1744	WScript.exe	83
PID 1744 wrote to memory of 664	1744	WScript.exe	83
PID 1744 wrote to memory of 664	1744	WScript.exe	83
PID 664 wrote to memory of 1080	664	cmd.exe	85
PID 664 wrote to memory of 1080	664	cmd.exe	85
PID 1080 wrote to memory of 260	1080	DllCommonsvc.exe	135
PID 1080 wrote to memory of 260	1080	DllCommonsvc.exe	135
PID 1080 wrote to memory of 1464	1080	DllCommonsvc.exe	136
PID 1080 wrote to memory of 1464	1080	DllCommonsvc.exe	136
PID 1080 wrote to memory of 2668	1080	DllCommonsvc.exe	137
PID 1080 wrote to memory of 2668	1080	DllCommonsvc.exe	137
PID 1080 wrote to memory of 1492	1080	DllCommonsvc.exe	138
PID 1080 wrote to memory of 1492	1080	DllCommonsvc.exe	138
PID 1080 wrote to memory of 364	1080	DllCommonsvc.exe	139
PID 1080 wrote to memory of 364	1080	DllCommonsvc.exe	139
PID 1080 wrote to memory of 4676	1080	DllCommonsvc.exe	140
PID 1080 wrote to memory of 4676	1080	DllCommonsvc.exe	140
PID 1080 wrote to memory of 1348	1080	DllCommonsvc.exe	141
PID 1080 wrote to memory of 1348	1080	DllCommonsvc.exe	141
PID 1080 wrote to memory of 2940	1080	DllCommonsvc.exe	142
PID 1080 wrote to memory of 2940	1080	DllCommonsvc.exe	142
PID 1080 wrote to memory of 2824	1080	DllCommonsvc.exe	143
PID 1080 wrote to memory of 2824	1080	DllCommonsvc.exe	143
PID 1080 wrote to memory of 2620	1080	DllCommonsvc.exe	144
PID 1080 wrote to memory of 2620	1080	DllCommonsvc.exe	144
PID 1080 wrote to memory of 212	1080	DllCommonsvc.exe	145
PID 1080 wrote to memory of 212	1080	DllCommonsvc.exe	145
PID 1080 wrote to memory of 1740	1080	DllCommonsvc.exe	146
PID 1080 wrote to memory of 1740	1080	DllCommonsvc.exe	146
PID 1080 wrote to memory of 1456	1080	DllCommonsvc.exe	147
PID 1080 wrote to memory of 1456	1080	DllCommonsvc.exe	147
PID 1080 wrote to memory of 4788	1080	DllCommonsvc.exe	148
PID 1080 wrote to memory of 4788	1080	DllCommonsvc.exe	148
PID 1080 wrote to memory of 696	1080	DllCommonsvc.exe	149
PID 1080 wrote to memory of 696	1080	DllCommonsvc.exe	149
PID 1080 wrote to memory of 440	1080	DllCommonsvc.exe	150
PID 1080 wrote to memory of 440	1080	DllCommonsvc.exe	150
PID 1080 wrote to memory of 4968	1080	DllCommonsvc.exe	151
PID 1080 wrote to memory of 4968	1080	DllCommonsvc.exe	151
PID 1080 wrote to memory of 1012	1080	DllCommonsvc.exe	168
PID 1080 wrote to memory of 1012	1080	DllCommonsvc.exe	168
PID 1012 wrote to memory of 1704	1012	cmd.exe	171
PID 1012 wrote to memory of 1704	1012	cmd.exe	171
PID 1012 wrote to memory of 1172	1012	cmd.exe	175
PID 1012 wrote to memory of 1172	1012	cmd.exe	175
PID 1172 wrote to memory of 4416	1172	SppExtComObj.exe	179
PID 1172 wrote to memory of 4416	1172	SppExtComObj.exe	179
PID 4416 wrote to memory of 2788	4416	cmd.exe	181
PID 4416 wrote to memory of 2788	4416	cmd.exe	181
PID 4416 wrote to memory of 3912	4416	cmd.exe	182
PID 4416 wrote to memory of 3912	4416	cmd.exe	182
PID 3912 wrote to memory of 2604	3912	SppExtComObj.exe	184
PID 3912 wrote to memory of 2604	3912	SppExtComObj.exe	184
PID 2604 wrote to memory of 836	2604	cmd.exe	186
PID 2604 wrote to memory of 836	2604	cmd.exe	186
PID 2604 wrote to memory of 5064	2604	cmd.exe	188
PID 2604 wrote to memory of 5064	2604	cmd.exe	188
PID 5064 wrote to memory of 4520	5064	SppExtComObj.exe	189
PID 5064 wrote to memory of 4520	5064	SppExtComObj.exe	189
PID 4520 wrote to memory of 4784	4520	cmd.exe	191
PID 4520 wrote to memory of 4784	4520	cmd.exe	191

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHxbykhmYE.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1012
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1704
      - C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2788
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:836
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4784
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        13⤵
        
        PID:4052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3280
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
        15⤵
        
        PID:4024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2508
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"
        17⤵
        
        PID:5084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1656
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
        19⤵
        
        PID:4840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4036
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
        21⤵
        
        PID:3832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1400
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        23⤵
        
        PID:412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1164
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
        25⤵
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1524
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        27⤵
        
        PID:4240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3412
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        29⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4944
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
        31⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4772
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\twain_32\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\providercommon\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

Filesize
203B

MD5
d34898b587b50a85caa1efd06a5102c3

SHA1
c7b815ac9eb1ebb760c41f5c2594bfd5ee98f84e

SHA256
f5db4358d07e6f0fefabf5de1c6250d78ec9f7d05e97766a8f74dee2077065dc

SHA512
d54f5d26b58c6aad50b28458e0fc9ceb783545ab7f2b76dfde038ee5c8d45591222db884437259ca12c071013ab95b143f794bececd61db3826966908d394df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
203B

MD5
691c5b707acb69c2f1369a9a08623d24

SHA1
0cc41b3c3c1236cdcf73805aac6c8f624538b112

SHA256
9de49030ad18ce656a48c9cc54b7e03a43c6bf59de6dc4d165b8375065260da2

SHA512
97301e1c94dddc83a766f92ad9865f630024dc0d8f6ec4ca0bd863d0e196f4cd2e5418463c9cadf3a06cf1eb2a3df987dc4ef8b3cf06c7727eae619ae4980b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat

Filesize
203B

MD5
16f7937161a7348823861bee9f8707b3

SHA1
6e8a380d82ed496c29db1da20b8c198e8a5f45af

SHA256
9d9e281fb759ef8e1dce66d5bf8c33989b96bb4b33c7b74110d4bd2c972965b3

SHA512
c29738c5e0b5a00cb8897eef6f868d6c423fca28bbe1ffbf0e7176cf3bf67fc898a38a282b801c3737310a41b6239d66f6083275cf789f8e9fb94e4b530e7bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

Filesize
203B

MD5
6852f5f5a4981a0217267246e3add736

SHA1
906ed947bb1ac346523ee1064008e55abc007d1f

SHA256
14d7d9d9f7e6e798fc0b746e1f1bd581ede4d0c66790270d5b81ed58f22e7bee

SHA512
d0885b0c6ded3a19732f526ca787e529f4264477ddfdc8b03effc618b5e1329e7f49d6ffb09b45471ccbbf53711967d6e2edbe15b389a799e1ffaaeef329716e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHxbykhmYE.bat

Filesize
203B

MD5
d7c65af71fa9b6276974e45a7e522846

SHA1
404209cb768eb8d485280f0d0bc91d2c91e36c10

SHA256
cc24c1c194bd04a8f0d2d34d86a58799723e65066477c6d44469f91762540ccf

SHA512
8a7ddb3e8cac8712bbf45b040a47249a0a6f39f8e496503675d82a63fe04ac16822bc8d3093e40faf09dc60788afe48da4646652b088ab125b5cf44ac1d63624

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
203B

MD5
1002a97feaf07e628f6687a6450eee80

SHA1
17d0f2656f3ee882f29db7e606901aff2f612dba

SHA256
491ed24334122fa8040100597a4098779fc8d1cb7375892e18abbe6d49a5fed1

SHA512
d78bfa8847fe2d78ce8a347bd3febb2aa33cb38a6445ed89e96cb36f674e155c95487656c3c6d8a7ecf9e619f6594575e796075ffdfe4f2d717aa9481d203ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

Filesize
203B

MD5
65be0bc6024cf15bc5d09b8fcafa287f

SHA1
755b70d8d17c0d380e508ee16e052796fed1aadb

SHA256
e93ef119ea6119de75ee5a5e425794339507d040e4d0d29972a98040450874e5

SHA512
44200c9fc57657ba70feae4507659690138c261540c8cfddaf5d75f36a44016d037aa570917e8ee8f130fbde63f37716492b23be6c69ddc3f24f17ed8a83e0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

Filesize
203B

MD5
1214737d2077b4c032f19d04c321f9e0

SHA1
e28ad9c6bb5cbbd057d1c58244d5991aae7ce25a

SHA256
daedaff7d4561f61d5ba2e25e556d9b7f7bcb8a4135344f9071b7ec9a0e36d4f

SHA512
e45c1113f5721d2df2366c98c90ec97abfef6b51b8f88edf132c9c4c116cb4a9e7f30e911c04621c7ac7402742f5bb589b2105ffddb50b047700949c38c74efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pupe2piv.4ds.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
203B

MD5
4ff175000e63154009d9964e6dabcd03

SHA1
28d464fe31c0bf261be4817f3fec726a5da2d362

SHA256
98f20d8f3284a8dfd84e3174c99c69a808ef2e67f91b007a8a8fe7a83a1ea0ae

SHA512
52fff068356181c60ca11fbe767200d48e6914aeb512a6bd49315f13f4ad31298b5191ab5329f114aeab2646738bce8e663203af7d8c7ba275416b7e25066bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
203B

MD5
ed22c59e996b5711336ee558b4412487

SHA1
67d8ef269f5cc15b743718d1d76f2ea27d577521

SHA256
62564583ceafa372d79ebf61d666136cf8d889817eca7f5e509cecb32efebe58

SHA512
79f32d3247721063f456b7e86179dcb48b9c51500fd35d81d99946b8f4f7ed063243089f3f9ceca2078fb312c493e7fe27ce0276d42dc588975abf392df3f005

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

Filesize
203B

MD5
d93e209b283a5bc9c1988967561ffa24

SHA1
451c3091da6c4e0f19173d2aa9a7ac5ba7b5caad

SHA256
5f1562881642da9e13eb7c476250bac3676497b705b6d679363abf5e82758171

SHA512
2920d6580f3d4e48af59275c5056be1a8757be79c5a4e35693fb925efea83b6bbc7e39563c408827484e291ed7f48702e62dbc38d84b13430f2c0f97056915ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
203B

MD5
2966ddbab21b262e8b99f00a8908f20f

SHA1
ad59d598f7c916cead206ef911c42f709657cc80

SHA256
1fe4539326f4083fbf2e8e9af35b06cba41b340470298e6eafbd98dc0f2cf5f8

SHA512
31b2a30ca03b6bb7efc8586cd486fca578b958de9d328114189bf9d8f531309fd7e36b7ee7d39fbd1e502c50b4a93d91589d5b5e2c2221b165905f1d5badd15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat

Filesize
203B

MD5
32b57060db361ed21413577f45347d1c

SHA1
69996f6753ef2c049a42c9f046e4e575ec0d757b

SHA256
1f2e16e627dda93bc93547f352e7554fdc402723c72a5667ad54e3144e3bef68

SHA512
ce9334c71cf106864e40b5b67949bde5dd423fb80b80d9bdc0dca511897ccb5dd2d0b509fb419c26bb052049f393c162e66bfe1e9658e3bcb5dbf56acb1166d8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1080-17-0x0000000002BE0000-0x0000000002BEC000-memory.dmp

Filesize
48KB

Download
memory/1080-16-0x0000000002BB0000-0x0000000002BBC000-memory.dmp

Filesize
48KB

Download
memory/1080-15-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

Filesize
48KB

Download
memory/1080-14-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

Filesize
72KB

Download
memory/1080-13-0x0000000000A00000-0x0000000000B10000-memory.dmp

Filesize
1.1MB

Download
memory/1080-12-0x00007FFDEE9E3000-0x00007FFDEE9E5000-memory.dmp

Filesize
8KB

Download
memory/2824-69-0x000002CCDBC80000-0x000002CCDBCA2000-memory.dmp

Filesize
136KB

Download
memory/4832-316-0x0000000001520000-0x0000000001532000-memory.dmp

Filesize
72KB

Download