dcrat | ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe
Size

1.3MB
MD5

5459f21169d40bd5368f12480400dde5
SHA1

84e58ac7c0bef5d3efe29d94511bf700520c1121
SHA256

ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3
SHA512

c38c88cdf945b2e10a728e2e39ea6dc5bdf6a39f205dbef827377737b1f59d5881bb1a86477464a5fd26d7439b8c3823032fa1099c4d45a4cca408e8deff2c7b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2432	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2432	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0009000000023bc8-10.dat	dcrat
behavioral2/memory/1808-13-0x0000000000610000-0x0000000000720000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1300	powershell.exe
2452	powershell.exe
4644	powershell.exe
4680	powershell.exe
2624	powershell.exe
2196	powershell.exe
3052	powershell.exe
3468	powershell.exe
4764	powershell.exe
1756	powershell.exe
2612	powershell.exe
4972	powershell.exe
4656	powershell.exe
3960	powershell.exe
4900	powershell.exe
2840	powershell.exe
2952	powershell.exe
1124	powershell.exe
4536	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
1808	DllCommonsvc.exe
5736	cmd.exe
2780	cmd.exe
2012	cmd.exe
1132	cmd.exe
5464	cmd.exe
5212	cmd.exe
5540	cmd.exe
3100	cmd.exe
3848	cmd.exe
5752	cmd.exe
3940	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
47	raw.githubusercontent.com
39	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
19	raw.githubusercontent.com
20	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
36	raw.githubusercontent.com
48	raw.githubusercontent.com
53	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\reports\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\reports\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\OfficeClickToRun.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logs\MoSetup\services.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\MoSetup\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\Containers\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Containers\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4072	schtasks.exe
2776	schtasks.exe
4176	schtasks.exe
4588	schtasks.exe
3432	schtasks.exe
3592	schtasks.exe
3980	schtasks.exe
4032	schtasks.exe
1136	schtasks.exe
1140	schtasks.exe
4396	schtasks.exe
1416	schtasks.exe
60	schtasks.exe
3628	schtasks.exe
4760	schtasks.exe
4060	schtasks.exe
64	schtasks.exe
468	schtasks.exe
4168	schtasks.exe
3652	schtasks.exe
3456	schtasks.exe
4976	schtasks.exe
3316	schtasks.exe
4432	schtasks.exe
2028	schtasks.exe
736	schtasks.exe
2300	schtasks.exe
3116	schtasks.exe
4512	schtasks.exe
3656	schtasks.exe
3836	schtasks.exe
1708	schtasks.exe
1936	schtasks.exe
1940	schtasks.exe
2516	schtasks.exe
2152	schtasks.exe
2684	schtasks.exe
3548	schtasks.exe
1768	schtasks.exe
3668	schtasks.exe
1200	schtasks.exe
4648	schtasks.exe
2524	schtasks.exe
4356	schtasks.exe
3020	schtasks.exe
1740	schtasks.exe
2912	schtasks.exe
224	schtasks.exe
4600	schtasks.exe
1944	schtasks.exe
676	schtasks.exe
1824	schtasks.exe
5024	schtasks.exe
864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	DllCommonsvc.exe
1808	DllCommonsvc.exe
1808	DllCommonsvc.exe
1808	DllCommonsvc.exe
1808	DllCommonsvc.exe
1808	DllCommonsvc.exe
1808	DllCommonsvc.exe
1300	powershell.exe
1300	powershell.exe
3052	powershell.exe
3052	powershell.exe
4536	powershell.exe
4536	powershell.exe
1756	powershell.exe
1756	powershell.exe
3960	powershell.exe
3960	powershell.exe
2952	powershell.exe
2952	powershell.exe
2452	powershell.exe
2452	powershell.exe
2624	powershell.exe
2624	powershell.exe
4680	powershell.exe
4680	powershell.exe
4656	powershell.exe
4656	powershell.exe
4900	powershell.exe
4900	powershell.exe
4764	powershell.exe
4764	powershell.exe
1124	powershell.exe
1124	powershell.exe
2196	powershell.exe
2196	powershell.exe
2840	powershell.exe
2840	powershell.exe
4644	powershell.exe
4644	powershell.exe
4972	powershell.exe
4972	powershell.exe
2612	powershell.exe
2612	powershell.exe
3468	powershell.exe
3468	powershell.exe
2612	powershell.exe
2196	powershell.exe
4644	powershell.exe
4972	powershell.exe
4536	powershell.exe
4536	powershell.exe
3052	powershell.exe
3052	powershell.exe
1300	powershell.exe
1300	powershell.exe
3960	powershell.exe
3960	powershell.exe
1756	powershell.exe
1124	powershell.exe
1756	powershell.exe
2952	powershell.exe
2952	powershell.exe
2452	powershell.exe
2624	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	DllCommonsvc.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	5736	cmd.exe
Token: SeDebugPrivilege	2780	cmd.exe
Token: SeDebugPrivilege	2012	cmd.exe
Token: SeDebugPrivilege	1132	cmd.exe
Token: SeDebugPrivilege	5464	cmd.exe
Token: SeDebugPrivilege	5212	cmd.exe
Token: SeDebugPrivilege	5540	cmd.exe
Token: SeDebugPrivilege	3100	cmd.exe
Token: SeDebugPrivilege	3848	cmd.exe
Token: SeDebugPrivilege	5752	cmd.exe
Token: SeDebugPrivilege	3940	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 4188	880	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe	84
PID 880 wrote to memory of 4188	880	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe	84
PID 880 wrote to memory of 4188	880	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe	84
PID 4188 wrote to memory of 4524	4188	WScript.exe	85
PID 4188 wrote to memory of 4524	4188	WScript.exe	85
PID 4188 wrote to memory of 4524	4188	WScript.exe	85
PID 4524 wrote to memory of 1808	4524	cmd.exe	87
PID 4524 wrote to memory of 1808	4524	cmd.exe	87
PID 1808 wrote to memory of 3468	1808	DllCommonsvc.exe	143
PID 1808 wrote to memory of 3468	1808	DllCommonsvc.exe	143
PID 1808 wrote to memory of 1300	1808	DllCommonsvc.exe	144
PID 1808 wrote to memory of 1300	1808	DllCommonsvc.exe	144
PID 1808 wrote to memory of 3052	1808	DllCommonsvc.exe	145
PID 1808 wrote to memory of 3052	1808	DllCommonsvc.exe	145
PID 1808 wrote to memory of 1756	1808	DllCommonsvc.exe	147
PID 1808 wrote to memory of 1756	1808	DllCommonsvc.exe	147
PID 1808 wrote to memory of 2452	1808	DllCommonsvc.exe	148
PID 1808 wrote to memory of 2452	1808	DllCommonsvc.exe	148
PID 1808 wrote to memory of 2624	1808	DllCommonsvc.exe	149
PID 1808 wrote to memory of 2624	1808	DllCommonsvc.exe	149
PID 1808 wrote to memory of 4764	1808	DllCommonsvc.exe	150
PID 1808 wrote to memory of 4764	1808	DllCommonsvc.exe	150
PID 1808 wrote to memory of 2840	1808	DllCommonsvc.exe	151
PID 1808 wrote to memory of 2840	1808	DllCommonsvc.exe	151
PID 1808 wrote to memory of 2196	1808	DllCommonsvc.exe	155
PID 1808 wrote to memory of 2196	1808	DllCommonsvc.exe	155
PID 1808 wrote to memory of 4900	1808	DllCommonsvc.exe	156
PID 1808 wrote to memory of 4900	1808	DllCommonsvc.exe	156
PID 1808 wrote to memory of 4536	1808	DllCommonsvc.exe	157
PID 1808 wrote to memory of 4536	1808	DllCommonsvc.exe	157
PID 1808 wrote to memory of 4680	1808	DllCommonsvc.exe	158
PID 1808 wrote to memory of 4680	1808	DllCommonsvc.exe	158
PID 1808 wrote to memory of 3960	1808	DllCommonsvc.exe	159
PID 1808 wrote to memory of 3960	1808	DllCommonsvc.exe	159
PID 1808 wrote to memory of 1124	1808	DllCommonsvc.exe	160
PID 1808 wrote to memory of 1124	1808	DllCommonsvc.exe	160
PID 1808 wrote to memory of 4656	1808	DllCommonsvc.exe	161
PID 1808 wrote to memory of 4656	1808	DllCommonsvc.exe	161
PID 1808 wrote to memory of 2952	1808	DllCommonsvc.exe	162
PID 1808 wrote to memory of 2952	1808	DllCommonsvc.exe	162
PID 1808 wrote to memory of 4972	1808	DllCommonsvc.exe	163
PID 1808 wrote to memory of 4972	1808	DllCommonsvc.exe	163
PID 1808 wrote to memory of 4644	1808	DllCommonsvc.exe	164
PID 1808 wrote to memory of 4644	1808	DllCommonsvc.exe	164
PID 1808 wrote to memory of 2612	1808	DllCommonsvc.exe	165
PID 1808 wrote to memory of 2612	1808	DllCommonsvc.exe	165
PID 1808 wrote to memory of 1548	1808	DllCommonsvc.exe	180
PID 1808 wrote to memory of 1548	1808	DllCommonsvc.exe	180
PID 1548 wrote to memory of 1604	1548	cmd.exe	183
PID 1548 wrote to memory of 1604	1548	cmd.exe	183
PID 1548 wrote to memory of 5736	1548	cmd.exe	187
PID 1548 wrote to memory of 5736	1548	cmd.exe	187
PID 5736 wrote to memory of 6044	5736	cmd.exe	191
PID 5736 wrote to memory of 6044	5736	cmd.exe	191
PID 6044 wrote to memory of 6100	6044	cmd.exe	193
PID 6044 wrote to memory of 6100	6044	cmd.exe	193
PID 6044 wrote to memory of 2780	6044	cmd.exe	194
PID 6044 wrote to memory of 2780	6044	cmd.exe	194
PID 2780 wrote to memory of 948	2780	cmd.exe	196
PID 2780 wrote to memory of 948	2780	cmd.exe	196
PID 948 wrote to memory of 1584	948	cmd.exe	198
PID 948 wrote to memory of 1584	948	cmd.exe	198
PID 948 wrote to memory of 2012	948	cmd.exe	200
PID 948 wrote to memory of 2012	948	cmd.exe	200

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\reports\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\MoSetup\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UAjIyMQG9S.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1604
      - C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:6044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:6100
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1584
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat"
        11⤵
        
        PID:4032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:976
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat"
        13⤵
        
        PID:5440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1412
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
        15⤵
        
        PID:5460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3676
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
        17⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2028
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        19⤵
        
        PID:4976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2164
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        21⤵
        
        PID:3616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4564
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat"
        23⤵
        
        PID:5328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1136
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
        25⤵
        
        PID:5996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:5632
        
        C:\Users\Public\Music\cmd.exe
        
        "C:\Users\Public\Music\cmd.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
        27⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\providercommon\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows NT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\MoSetup\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Logs\MoSetup\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\MoSetup\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Containers\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Containers\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a5e1f1efff867a822c6a57ee928dd66

SHA1
b017854d8a1deb05f1447e9dd6002902fb66bf6b

SHA256
8222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957

SHA512
25fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat

Filesize
194B

MD5
2df319dd5280e85f3d9f67ac6efdffe5

SHA1
bb49fe78f22faa8e5b9113c10ab355f273542c22

SHA256
97c808dd1f1c8b88a2a2e530657f1f26674edd075c3b43cb4ddf4cbd72ebbd2c

SHA512
a0de3ef72e79dc59d67d5b01058ef2a064ab17b8683c3159273de7fad991aafb1f0b2e362d39f3617e76dca5cc20e78dfd40e0bf5403b34cded3cd0a2c1bf464

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

Filesize
194B

MD5
3a27fe0057120c69bbf6c71269216598

SHA1
295db392d47eced4716b0fe422fb56147a2df849

SHA256
3aae0478c733a10ccf1cb7c899b24886b0e282c2f40b926891cac9208ce55c4d

SHA512
4d2c2eb46b0c227217f3ffecb9986a5b61709a22e1f239740f8e38ba587a409d48a084bbda6a41f3e0f608c5db90c74053e12aa76f0941304057588b26696bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAjIyMQG9S.bat

Filesize
194B

MD5
f2fc6acb1b728a19da1ffe6a9d3371e2

SHA1
5a573fe83cc3843f80690c3dd23d6da862f76a8c

SHA256
4b8072f7415ecbaacfb5ef8fda8dd7f6e957fe9ac52c85c904bb42491f1c2812

SHA512
1ce2e5e7d44838dfe586c631529f5dc93742fcb6473eea6c699ec436cb0b803fb6ed841accceae44f7f77206fe804db0dfff18d5f70b01d305712d29d51a4dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat

Filesize
194B

MD5
440e776d7b89bf7930f8ab71a0575a61

SHA1
40accbab5b9cb9affc21d5ec1a810bf779feb4c6

SHA256
75c800a5cce8f59efc093353f3883857b4a88c9925300cc23bdee180157064bb

SHA512
4dcbfc17e7f3805fefde63841f73a7fbbb6d194ea331da7614c4b9d37ab2d5f7ac00066d1a4a08dd86527889714b22de4b077486d37793476505568a6e1ab3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rlbv1blc.hpl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
194B

MD5
3d4971ed7cd30f43030fd05b426785fd

SHA1
22384103400a870c445e16e58a4a24dbeb3070e2

SHA256
86f016c7a7151fef57b315c71a6bcae1f18a7d7f78d17fb773b3dbe7bfaba908

SHA512
6c10942cea51679eebdc6848dc7dd923649474de9aee9e26d90d7fcbbd3127676f1e517a857f5434c2c147f0519f5d30a742ba2c248431c4f5069291b571f96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat

Filesize
194B

MD5
2389133ed7d01fb669abf90d9c334d80

SHA1
ed3733f277930e6d1ee1f88069ff338f80754b5d

SHA256
0a0dbb5cb0defabf1bf74f53b02971ac1ba8c61f19fa9ce0982aee601d911913

SHA512
d5e0bc39c4b5f2e6568113b51557daee12129b410e9fb3cb9476bc6c65b6a86ff6c9ed7eb74c4b14961c234ff13b1ea1b930143dce613690d1041ee35afe16a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5cQTyHbvx.bat

Filesize
194B

MD5
bfbb64c3d029a8adfca9742f1d644fb4

SHA1
01647542dd4eeb7c60b2a9248b0da8e3e9205bf0

SHA256
dec31cc87d88daadf04a9cc5b68ec838be997ba6bdc132595f9719e4767775e6

SHA512
552980db273af81c24b6b86b35815f7db410c276647afb06dac7b19874b13de60ca8e0b18c125066b49c58edc649373634998a0b4f6357fe0b046a1db0944003

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

Filesize
194B

MD5
a98dee92b3af48de17d87c3c39a48d18

SHA1
f862fab511cf3dab101315374b6106ac257e42e6

SHA256
e1126faa137e71a4f138125b8e4cefc04beca1191ad6e67cb8898d26e5d8a575

SHA512
921826b054a72ee0db8240cf276f9b6c2c70683f279426bdf9e1862d4879b13a06d70849c294e837d6c3e1130c3022d298d0bda2c3112d794e00fa8b4e2f8fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

Filesize
194B

MD5
340aa9b38f03cc3cd8b6f20855dc6156

SHA1
5dec66b07e776ede059e165d02679115b4ab6079

SHA256
177655853e09c1342acbca9989a4fe111f38d7a5af39c19a5ac84a4b775a5864

SHA512
53b69d0aa09598f881199855871412f4d97f4a83d7c2beb720de68bb7357604301051e4e087f621286f20c1f61f1f40d06fd6a0d0ea01658af6064d837bdf601

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

Filesize
194B

MD5
4ffb2bf4643b185c2b1dff6a247d457b

SHA1
6126640075bf6d8059705b04946887af72e3f2dd

SHA256
626bf60eba327e4221eefc91ed597b2985f49d7c7d3aab2d47f3123e152b1d5e

SHA512
f7c9bb88d91d0cdc8f80293e0ba1dc845d9e18c9a502a150a4b25054642d424758a47885cccc86feb11978ca08e2cc6571855c7d5f2cefd3b4c7afa7509dec10

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
194B

MD5
454a80358c2155550e00b0d00edbd516

SHA1
33596336a004c3ab4c91c9871cd8607a7e0bf6f5

SHA256
66d2cc672d5a420584d1d36d50cb7e3443f4e2ca2b55fb4dae0d9632ea136120

SHA512
b7e707e96b3dc49f9404dc90d262f3124c9ff6adddd1a5b6a5476dc1bb00154f02bc1d9dee20737eb9fe18418cae6b68441dbfb29aff8354f5fe962530f841df

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

Filesize
194B

MD5
f60af8a3d3e49248bcd6a44f039f5180

SHA1
83970306cfe0f9e2c4aa4fd1d1ed5586f0106bc3

SHA256
bc0908e346ce9669e8b990b4e53fb8b54e237072a6df6ea2ef042c79c069df83

SHA512
c4b88551af9066e0b2da0869f3aeb117092a5866cc4b5aadb41c51f7e508b45115e4bbe7f6b3298e609ba85d368836b05393b0986f869c35c92d986057910e9a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1132-295-0x0000000002F30000-0x0000000002F42000-memory.dmp

Filesize
72KB

Download
memory/1300-68-0x000001FF499F0000-0x000001FF49A12000-memory.dmp

Filesize
136KB

Download
memory/1808-14-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/1808-15-0x0000000002850000-0x000000000285C000-memory.dmp

Filesize
48KB

Download
memory/1808-12-0x00007FFA36473000-0x00007FFA36475000-memory.dmp

Filesize
8KB

Download
memory/1808-13-0x0000000000610000-0x0000000000720000-memory.dmp

Filesize
1.1MB

Download
memory/1808-16-0x0000000002860000-0x000000000286C000-memory.dmp

Filesize
48KB

Download
memory/1808-17-0x0000000002870000-0x000000000287C000-memory.dmp

Filesize
48KB

Download
memory/3100-320-0x0000000002990000-0x00000000029A2000-memory.dmp

Filesize
72KB

Download
memory/3940-340-0x00000000016D0000-0x00000000016E2000-memory.dmp

Filesize
72KB

Download
memory/5736-274-0x000000001B330000-0x000000001B342000-memory.dmp

Filesize
72KB

Download
memory/5752-333-0x0000000000FF0000-0x0000000001002000-memory.dmp

Filesize
72KB

Download