dcrat | 8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe
Size

1.3MB
MD5

5215c3073c25e7e712f5bfef9ab74fa4
SHA1

502676b05b9933ade6ea183e2d09eefaf2a45cd3
SHA256

8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1
SHA512

5e9f5e9ef7149bc8bb5016830645a86fe57614bcf131becac9d1ef773ab3663188aa7eeb3011646c18f81447cf424cd3a3fba00530527ed553a7a44075f3b3f7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3292	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	3292	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c9e-10.dat	dcrat
behavioral2/memory/1400-13-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3548	powershell.exe
960	powershell.exe
3200	powershell.exe
3580	powershell.exe
4644	powershell.exe
3248	powershell.exe
2216	powershell.exe
2356	powershell.exe
3416	powershell.exe
388	powershell.exe
5000	powershell.exe
3064	powershell.exe
1976	powershell.exe
3824	powershell.exe
3104	powershell.exe
3924	powershell.exe
1952	powershell.exe
4460	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 15 IoCs

pid	Process
1400	DllCommonsvc.exe
2896	DllCommonsvc.exe
5408	dwm.exe
5760	dwm.exe
4744	dwm.exe
4828	dwm.exe
4140	dwm.exe
4644	dwm.exe
1564	dwm.exe
2600	dwm.exe
5544	dwm.exe
5860	dwm.exe
2364	dwm.exe
5228	dwm.exe
5240	dwm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
51	raw.githubusercontent.com
20	raw.githubusercontent.com
21	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com
37	raw.githubusercontent.com
44	raw.githubusercontent.com
49	raw.githubusercontent.com
52	raw.githubusercontent.com
57	raw.githubusercontent.com
43	raw.githubusercontent.com
50	raw.githubusercontent.com
53	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\WaaSMedicAgent.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\c82b8037eab33d	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\de-DE\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\fr-FR\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\de-DE\e1ef82546f0b02	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\taskhostw.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\ea9f0e6c9e2dcd	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4692	schtasks.exe
3268	schtasks.exe
4908	schtasks.exe
1964	schtasks.exe
3132	schtasks.exe
1276	schtasks.exe
2172	schtasks.exe
1984	schtasks.exe
1584	schtasks.exe
4440	schtasks.exe
3572	schtasks.exe
3340	schtasks.exe
2388	schtasks.exe
4552	schtasks.exe
4912	schtasks.exe
812	schtasks.exe
4424	schtasks.exe
2876	schtasks.exe
1476	schtasks.exe
4496	schtasks.exe
2008	schtasks.exe
2208	schtasks.exe
1556	schtasks.exe
64	schtasks.exe
1288	schtasks.exe
1396	schtasks.exe
2400	schtasks.exe
4632	schtasks.exe
3832	schtasks.exe
4788	schtasks.exe
2872	schtasks.exe
4828	schtasks.exe
4120	schtasks.exe
4128	schtasks.exe
3296	schtasks.exe
4028	schtasks.exe
2084	schtasks.exe
436	schtasks.exe
876	schtasks.exe
3208	schtasks.exe
2240	schtasks.exe
3408	schtasks.exe
3388	schtasks.exe
2064	schtasks.exe
1964	schtasks.exe
1060	schtasks.exe
4772	schtasks.exe
4724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	DllCommonsvc.exe
3548	powershell.exe
2356	powershell.exe
3580	powershell.exe
3416	powershell.exe
3416	powershell.exe
3548	powershell.exe
2356	powershell.exe
3580	powershell.exe
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
3824	powershell.exe
3824	powershell.exe
3924	powershell.exe
3924	powershell.exe
960	powershell.exe
960	powershell.exe
3200	powershell.exe
3200	powershell.exe
4644	powershell.exe
4644	powershell.exe
5000	powershell.exe
5000	powershell.exe
388	powershell.exe
388	powershell.exe
3104	powershell.exe
3104	powershell.exe
2216	powershell.exe
2216	powershell.exe
1976	powershell.exe
1976	powershell.exe
3248	powershell.exe
3248	powershell.exe
3064	powershell.exe
3064	powershell.exe
1952	powershell.exe
1952	powershell.exe
4460	powershell.exe
4460	powershell.exe
388	powershell.exe
3924	powershell.exe
3824	powershell.exe
960	powershell.exe
1952	powershell.exe
3200	powershell.exe
3104	powershell.exe
4644	powershell.exe
1976	powershell.exe
5000	powershell.exe
2216	powershell.exe
3248	powershell.exe
4460	powershell.exe
3064	powershell.exe
5408	dwm.exe
5760	dwm.exe
4744	dwm.exe
4828	dwm.exe
4140	dwm.exe
4644	dwm.exe
1564	dwm.exe
2600	dwm.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	DllCommonsvc.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	2896	DllCommonsvc.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	5408	dwm.exe
Token: SeDebugPrivilege	5760	dwm.exe
Token: SeDebugPrivilege	4744	dwm.exe
Token: SeDebugPrivilege	4828	dwm.exe
Token: SeDebugPrivilege	4140	dwm.exe
Token: SeDebugPrivilege	4644	dwm.exe
Token: SeDebugPrivilege	1564	dwm.exe
Token: SeDebugPrivilege	2600	dwm.exe
Token: SeDebugPrivilege	5544	dwm.exe
Token: SeDebugPrivilege	5860	dwm.exe
Token: SeDebugPrivilege	2364	dwm.exe
Token: SeDebugPrivilege	5228	dwm.exe
Token: SeDebugPrivilege	5240	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 4848	2656	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe	83
PID 2656 wrote to memory of 4848	2656	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe	83
PID 2656 wrote to memory of 4848	2656	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe	83
PID 4848 wrote to memory of 5000	4848	WScript.exe	84
PID 4848 wrote to memory of 5000	4848	WScript.exe	84
PID 4848 wrote to memory of 5000	4848	WScript.exe	84
PID 5000 wrote to memory of 1400	5000	cmd.exe	86
PID 5000 wrote to memory of 1400	5000	cmd.exe	86
PID 1400 wrote to memory of 3580	1400	DllCommonsvc.exe	98
PID 1400 wrote to memory of 3580	1400	DllCommonsvc.exe	98
PID 1400 wrote to memory of 2356	1400	DllCommonsvc.exe	99
PID 1400 wrote to memory of 2356	1400	DllCommonsvc.exe	99
PID 1400 wrote to memory of 3416	1400	DllCommonsvc.exe	100
PID 1400 wrote to memory of 3416	1400	DllCommonsvc.exe	100
PID 1400 wrote to memory of 3548	1400	DllCommonsvc.exe	101
PID 1400 wrote to memory of 3548	1400	DllCommonsvc.exe	101
PID 1400 wrote to memory of 1000	1400	DllCommonsvc.exe	106
PID 1400 wrote to memory of 1000	1400	DllCommonsvc.exe	106
PID 1000 wrote to memory of 3092	1000	cmd.exe	108
PID 1000 wrote to memory of 3092	1000	cmd.exe	108
PID 1000 wrote to memory of 2896	1000	cmd.exe	117
PID 1000 wrote to memory of 2896	1000	cmd.exe	117
PID 2896 wrote to memory of 3824	2896	DllCommonsvc.exe	157
PID 2896 wrote to memory of 3824	2896	DllCommonsvc.exe	157
PID 2896 wrote to memory of 3104	2896	DllCommonsvc.exe	158
PID 2896 wrote to memory of 3104	2896	DllCommonsvc.exe	158
PID 2896 wrote to memory of 2216	2896	DllCommonsvc.exe	159
PID 2896 wrote to memory of 2216	2896	DllCommonsvc.exe	159
PID 2896 wrote to memory of 5000	2896	DllCommonsvc.exe	160
PID 2896 wrote to memory of 5000	2896	DllCommonsvc.exe	160
PID 2896 wrote to memory of 3248	2896	DllCommonsvc.exe	161
PID 2896 wrote to memory of 3248	2896	DllCommonsvc.exe	161
PID 2896 wrote to memory of 388	2896	DllCommonsvc.exe	162
PID 2896 wrote to memory of 388	2896	DllCommonsvc.exe	162
PID 2896 wrote to memory of 3200	2896	DllCommonsvc.exe	164
PID 2896 wrote to memory of 3200	2896	DllCommonsvc.exe	164
PID 2896 wrote to memory of 960	2896	DllCommonsvc.exe	165
PID 2896 wrote to memory of 960	2896	DllCommonsvc.exe	165
PID 2896 wrote to memory of 4644	2896	DllCommonsvc.exe	166
PID 2896 wrote to memory of 4644	2896	DllCommonsvc.exe	166
PID 2896 wrote to memory of 3924	2896	DllCommonsvc.exe	168
PID 2896 wrote to memory of 3924	2896	DllCommonsvc.exe	168
PID 2896 wrote to memory of 1976	2896	DllCommonsvc.exe	169
PID 2896 wrote to memory of 1976	2896	DllCommonsvc.exe	169
PID 2896 wrote to memory of 3064	2896	DllCommonsvc.exe	170
PID 2896 wrote to memory of 3064	2896	DllCommonsvc.exe	170
PID 2896 wrote to memory of 4460	2896	DllCommonsvc.exe	172
PID 2896 wrote to memory of 4460	2896	DllCommonsvc.exe	172
PID 2896 wrote to memory of 1952	2896	DllCommonsvc.exe	173
PID 2896 wrote to memory of 1952	2896	DllCommonsvc.exe	173
PID 2896 wrote to memory of 1980	2896	DllCommonsvc.exe	185
PID 2896 wrote to memory of 1980	2896	DllCommonsvc.exe	185
PID 1980 wrote to memory of 4520	1980	cmd.exe	187
PID 1980 wrote to memory of 4520	1980	cmd.exe	187
PID 1980 wrote to memory of 5408	1980	cmd.exe	191
PID 1980 wrote to memory of 5408	1980	cmd.exe	191
PID 5408 wrote to memory of 5624	5408	dwm.exe	193
PID 5408 wrote to memory of 5624	5408	dwm.exe	193
PID 5624 wrote to memory of 5688	5624	cmd.exe	195
PID 5624 wrote to memory of 5688	5624	cmd.exe	195
PID 5624 wrote to memory of 5760	5624	cmd.exe	197
PID 5624 wrote to memory of 5760	5624	cmd.exe	197
PID 5760 wrote to memory of 6072	5760	dwm.exe	202
PID 5760 wrote to memory of 6072	5760	dwm.exe	202

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DK9kRiLdAj.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3092
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\taskhostw.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\StartMenuExperienceHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\WaaSMedicAgent.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\SppExtComObj.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\fr-FR\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tUVBm5lpMC.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4520
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5688
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        11⤵
        
        PID:6072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:6128
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        13⤵
        
        PID:3340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1740
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        15⤵
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3104
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
        17⤵
        
        PID:3268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4496
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
        19⤵
        
        PID:3860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:312
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
        21⤵
        
        PID:4632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3032
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat"
        23⤵
        
        PID:5576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:5648
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
        25⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:5896
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
        27⤵
        
        PID:6124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2580
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        29⤵
        
        PID:716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3096
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        31⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:5012
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\de-DE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\NetHood\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\fr-FR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51cf8df21f531e31f7740b4ec487a48a

SHA1
40c6a73b22d71625a62df109aefc92a5f9b9d13e

SHA256
263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

SHA512
57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
575c67abdb0b2c72de0d9dd38b94d791

SHA1
27783f259ffd096b21c02c70cb999bf860183124

SHA256
fdf985fb9c56b4462675c41f68555f8762dd7043b15750968208b88be87252bc

SHA512
61b23a15b52cf51b525993e8cfc0b9fd41d1bb28501c96a35f776bfa738390783ad266c2d0383a53770f3662dd118a45114d92afee63b4673e88008a6559b774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6019bc03fe1dc3367a67c76d08b55399

SHA1
3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

SHA256
7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

SHA512
6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c625954a51c4bbd8141206b00f6fc0a

SHA1
4128cb2f9d2984844e303e2e330e448334e5c273

SHA256
952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

SHA512
3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21f5d3ab1d5d4c21a30ef164958c17cf

SHA1
bf1250e3d9fbff360df4fb0309265d4d7e9bd82d

SHA256
660dc0d677d560b86af0dbd19467419cacbba7d005cac2c8347e50b5f29ce5bd

SHA512
2a742ba0a4590db7215945ef8db3f0ec2ac5f69f05a3057638e8d2b2260b05902bda19502d1bb9c9945299cb1054910b11f57c19626bd9b191f6a6a4c9e6e4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
363a75c940c54b3d142bfc5727c32c2c

SHA1
5edf98cadb02e659ce6e19a045ce7e8f3a476fe9

SHA256
93cefd4660b0cc010fdbd9235c6ad6e441db763efeb5814a2cbff4741a3afb1d

SHA512
99bb27fa0b716d65a72cf106f2458edf36e4a5494f5ea8f9a0e5f79e547d176718ba0757dbac4e8e42426f45f7ee61458acd58596402c1475e8bdb5d3f2aef60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6583da1637895131bd1bdff56b385851

SHA1
08561769ab389d450ba9a55cc00ce2d28e1610fd

SHA256
c89b3c34015307c4ce883ed0296abb29893b2f769a9b7ed178152e2c820388a0

SHA512
aca009f97c0f37bc73ac104b0627d16d45d85b3dea56b109c7e9ad0c89f071c1338be096dcf14aaeb2c65ea1527415bf21afafa883665b2e25648cc156b08ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8202723a82f7477bbb09846c2edcf583

SHA1
72bd9892d54f6d93c7798e86dbfa72b86e075c41

SHA256
8070ccb83f012da20d8b4bb6e085e163dbd4e93ab56787933acfd82aef5dcc99

SHA512
f2be04e53918961d879a7a7a6a80da7489954bb531ecf2d219ece4973ca8cf28076758e5d3940b59c2f5233059c830dcd8086a4a41a1266d44a7e9687a31bbbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d5de4f2c523c725c8fca2d8d8c8d2e09

SHA1
859182503539ec282952960fa783cd3534bf6092

SHA256
98948ea2b32363221f53e54ed638e0abd0a38ca34b4f992b2200f528e276a6ce

SHA512
3f10d0b68cf8ee8ebcfaed5ff158cd006fc596ff85cb3a3e605e54f20745770be4b9e7f8b1048474e71c1b35441649b5de2f4abeacf85bdb57930a00c0b1c526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

Filesize
194B

MD5
132e68ec1d97fa709e8e865ed159ba27

SHA1
7cd4ee8b19186263bed453913093fde212010430

SHA256
967c5bd2828479c654cb736c61da95114d4f3d3d7d2d98fa79726136fad72b72

SHA512
6e4b5c099f13a2d94b793b4d8b116ba02567f0db99ad37b8f24825433549b7c7cd21edecadff1b2fcbc25532cee48423e7d448b4e2edb8cee104e823fbcccb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

Filesize
194B

MD5
469f2905fbdca07afc672c89b0c49eb0

SHA1
b9046dfa037698a877f95167a359276305022f71

SHA256
f8ed284cfe1195208c7bfa59ff38d627b2c266e4c995ebc188b0d38ebff2313c

SHA512
f6fafc0f6da552873ffa03961a31b1449e488dcf6f5f85b79a7e37e8103b905eac6e2f34a3684520f739b34d0412f5c8b28b3618f94316bd6156ccd8f8151aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat

Filesize
194B

MD5
05aae8eb19bc72fcde9e18d523b10874

SHA1
4a3081bc29e9a4a95f2e4221026f264ee4dbfcb5

SHA256
5efc4df9e19abe6510d8d55cbbd73a7b0a8088de0e9cf570258436b2554af16a

SHA512
d6d8ae911247fe58aabf85dc377abc33b010732fada11596a48337cdec445f07ecad6299eb60a7fcc2947418856a8ae84a10b65d3d2c5509f15d10138c001808

Download Submit
C:\Users\Admin\AppData\Local\Temp\DK9kRiLdAj.bat

Filesize
199B

MD5
b06999851e5d2a3520c9ed54cc058eab

SHA1
b4320098eeadd689f1d34f3bd8d12052191973f8

SHA256
8e62b3ec8a641564361a41a3f99242af85bfa875c005a1a305e280efe6d244f2

SHA512
0c76fbb2b749b32b900b49e1b2e82fb0724e425c25922290216993f6fc0aaab086e4028eb130aeb6fef41afbbe4ab85a4b78ba4dd434ecc292eb9ac72d978fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
194B

MD5
9b48876d385be54c251d6edebdfc6a66

SHA1
9f110a05f70f279eab6a6fd4d9ebfd293d6fbdda

SHA256
77b29dbb1b8788e0ee421cc3d5cc1ce9487a0278edc3b2547b3d466354ca5794

SHA512
2c9ed1d06be22a267debcf11d0c6f2573608f0295ba5ded8247cf327603df182578007d05c6b8b95e487ca0b053f5b2d51f12246999c930ee7316fdd7d264915

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

Filesize
194B

MD5
bdd9424f81fb92491cd296affec36c62

SHA1
fad285dd7ee228563d7146123ac7dcd29aa1e8c3

SHA256
115b9a4da0c1b95de7f5bfeb4bd685cfcc07a7184059ac0af98b15980ccb8dde

SHA512
15bcc3240f3f26fb94b7609389a30c377d3921dea94a064e2220677da277c5cdb81375d1b242bbb74bdbb399ce593066c6ae92ca0946e4207b5b23fde58ebb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
194B

MD5
44123b5f27f4317a868427c9cb35418f

SHA1
a7027afe996cf4cc2cf4f420ee767693f2e1703b

SHA256
37d9704b5b461a8158279810c236cf6f0cc5d524946d47e32fadb6a8ab220a69

SHA512
5fe5a0782715b3825d8b8738cac2de52600fcdbdae69cc850b8a9e116eecd41bbfd16eb2501813a6002e57564d120faa0dbff83328d163c1f29c12bd0b9f38d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat

Filesize
194B

MD5
9d218e0ae9101cda090eefaa92b63387

SHA1
398e78b72b5fafd76af9a36b75ebb0713b158d2e

SHA256
708efa414e687affad3d721bbe909fda6cca3239ebbab98f8e7dd92400c9eb99

SHA512
5a39df37e185b83193855a28792eaa1e824150cec9b304146cebd284061226558e27ffe745ee6d0e71aa55879176d0fe8a8b5f1ccd60aa8f2c85d266bf91c766

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kgsusdgo.e0t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat

Filesize
194B

MD5
68b0f221eeb5c314c40ebc59b9d5ce3a

SHA1
1d691725fce61dd4ecd226fb4facc418ecb8759a

SHA256
aea83d91dac3d65c275db370e5416b8120da2182c91e58e6fec0076a5f25977a

SHA512
7da89fff65ce66be2d3755cdfd1d2815b99f3cf469c258322fcc25e53c0bff65f55624de9e01b000632b26045ca1bab251f567df9a7e7c78e62d168ddab24017

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
194B

MD5
c6068e56e9133a89a78012c5e865dc64

SHA1
41fdd78f7cf2338d7bca64601f8e5addf8074a07

SHA256
33f1c6b3935b2ec4e405895b1345bb70d491fc5a232512da15264d87ed8450ae

SHA512
677eda4f6a9b65230d33dc0f5f6533c7fc79f4948bb8b08057fe49669ea8bf89d3e49bcd0aac735ccdd6f4c850f739036c73fed3b7fba372f8b87f6e726b1d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

Filesize
194B

MD5
f637ef78afec748856afc3a4d597365e

SHA1
4d25880ebf8ff658580964ce3264515a08902976

SHA256
95b2e8d625c8a2a5604d470a2545a1385a7f931350db763b31713b6d051011a2

SHA512
579fba94543545e2fe18ab4490060d2208f1f3383019235d24b30927e3e1c1aa9e4af594190ae18b7193fde5256442373d51e826d68476024eb408f62137173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tUVBm5lpMC.bat

Filesize
194B

MD5
76bd0b5860912a5d97dcad7d9ecd07ea

SHA1
81f333502cd31e54459ef8b1791033cfacb78bea

SHA256
dc48b80bfc7da2137e64bccb7f45ad7481b77cd5d1533656d63a39d1aba98b47

SHA512
a1cd1acd7bf06812ff476fda241150e7f7e4163aefcdaeb6133fbb9735ca0c47adf7d57106baa444d313ddde2cbeebaacefe02c7b34ccc06dc09485a769d7b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

Filesize
194B

MD5
f98961d596dfc2eab762d7cb3cb2d539

SHA1
880e6319eee558396cc653c8da308e42389e703b

SHA256
f58c8df6e5e7abf29aee3ce9faacfc40a4b311813c26828a0e5fb149a7623873

SHA512
dfb30d2e2252b065a4494318cbf7cad281ec02be9e21205e910ca06668951b4f007430e322ef83fea131588f048db5a45b1ec49815e3b5886c2229237bb615ea

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/388-241-0x0000013230500000-0x000001323066A000-memory.dmp

Filesize
1.4MB

Download
memory/960-267-0x000001E7FE280000-0x000001E7FE3EA000-memory.dmp

Filesize
1.4MB

Download
memory/1400-15-0x000000001B860000-0x000000001B86C000-memory.dmp

Filesize
48KB

Download
memory/1400-13-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/1400-17-0x000000001B880000-0x000000001B88C000-memory.dmp

Filesize
48KB

Download
memory/1400-16-0x000000001B870000-0x000000001B87C000-memory.dmp

Filesize
48KB

Download
memory/1400-12-0x00007FFB89533000-0x00007FFB89535000-memory.dmp

Filesize
8KB

Download
memory/1400-14-0x000000001B850000-0x000000001B862000-memory.dmp

Filesize
72KB

Download
memory/1952-251-0x000001BE000A0000-0x000001BE0020A000-memory.dmp

Filesize
1.4MB

Download
memory/1976-260-0x0000019538140000-0x00000195382AA000-memory.dmp

Filesize
1.4MB

Download
memory/2216-276-0x0000011B7C8F0000-0x0000011B7CA5A000-memory.dmp

Filesize
1.4MB

Download
memory/2364-349-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/2600-328-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/3064-272-0x0000014BA92C0000-0x0000014BA942A000-memory.dmp

Filesize
1.4MB

Download
memory/3104-250-0x0000022E7F7A0000-0x0000022E7F90A000-memory.dmp

Filesize
1.4MB

Download
memory/3200-255-0x0000023DA2FA0000-0x0000023DA310A000-memory.dmp

Filesize
1.4MB

Download
memory/3248-252-0x000001EE45940000-0x000001EE45AAA000-memory.dmp

Filesize
1.4MB

Download
memory/3548-37-0x00000293C6E70000-0x00000293C6E92000-memory.dmp

Filesize
136KB

Download
memory/3824-242-0x000001B0ED290000-0x000001B0ED3FA000-memory.dmp

Filesize
1.4MB

Download
memory/3924-243-0x0000013E73C90000-0x0000013E73DFA000-memory.dmp

Filesize
1.4MB

Download
memory/4140-309-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/4460-275-0x0000013278370000-0x00000132784DA000-memory.dmp

Filesize
1.4MB

Download
memory/4644-265-0x000002B828C60000-0x000002B828DCA000-memory.dmp

Filesize
1.4MB

Download
memory/4744-296-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/5000-266-0x000001F5527B0000-0x000001F55291A000-memory.dmp

Filesize
1.4MB

Download
memory/5228-356-0x0000000002CE0000-0x0000000002CF2000-memory.dmp

Filesize
72KB

Download
memory/5408-280-0x0000000001760000-0x0000000001772000-memory.dmp

Filesize
72KB

Download
memory/5408-286-0x000000001C320000-0x000000001C422000-memory.dmp

Filesize
1.0MB

Download
memory/5544-335-0x0000000002570000-0x0000000002582000-memory.dmp

Filesize
72KB

Download
memory/5860-342-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download