dcrat | a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8.exe
Size

1.3MB
MD5

c679e65d0cd7b378a46440885b2ed93c
SHA1

a872c9b57a6d23b37437b7556fcaedd5b4a6d835
SHA256

a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8
SHA512

8219369a0241551071aa26db535934d7ea303e6d4c6f211d5a0539f4cdd739bdb192ce787066f340bb5597e38a9afb4078a72bb19d4be1070584cedd66f49688
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	1676	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c92-10.dat	dcrat
behavioral2/memory/4352-13-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4636	powershell.exe
3960	powershell.exe
2240	powershell.exe
4024	powershell.exe
1536	powershell.exe
1012	powershell.exe
3956	powershell.exe
3932	powershell.exe
2072	powershell.exe
4308	powershell.exe
1960	powershell.exe
1516	powershell.exe
1736	powershell.exe
2540	powershell.exe
3744	powershell.exe
3668	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 16 IoCs

pid	Process
4352	DllCommonsvc.exe
4920	upfc.exe
468	upfc.exe
1160	upfc.exe
4956	upfc.exe
3600	upfc.exe
3528	upfc.exe
1888	upfc.exe
376	upfc.exe
2412	upfc.exe
1716	upfc.exe
4436	upfc.exe
3076	upfc.exe
1492	upfc.exe
4560	upfc.exe
4448	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
17	raw.githubusercontent.com
24	raw.githubusercontent.com
35	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
52	raw.githubusercontent.com
16	raw.githubusercontent.com
39	raw.githubusercontent.com
41	raw.githubusercontent.com
51	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
47	raw.githubusercontent.com

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\it-IT\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\29c1c3cc0f7685	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\uk-UA\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Program Files\Google\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\uk-UA\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Resources\en-US\RuntimeBroker.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	JaffaCakes118_a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1000	schtasks.exe
5112	schtasks.exe
1520	schtasks.exe
4628	schtasks.exe
5068	schtasks.exe
4524	schtasks.exe
4296	schtasks.exe
4844	schtasks.exe
1624	schtasks.exe
4144	schtasks.exe
1852	schtasks.exe
2992	schtasks.exe
2680	schtasks.exe
1244	schtasks.exe
4908	schtasks.exe
3192	schtasks.exe
3220	schtasks.exe
2472	schtasks.exe
2192	schtasks.exe
5024	schtasks.exe
1432	schtasks.exe
4048	schtasks.exe
4972	schtasks.exe
2368	schtasks.exe
1304	schtasks.exe
3660	schtasks.exe
5036	schtasks.exe
3292	schtasks.exe
4012	schtasks.exe
3616	schtasks.exe
4676	schtasks.exe
1544	schtasks.exe
5060	schtasks.exe
720	schtasks.exe
1004	schtasks.exe
4068	schtasks.exe
4644	schtasks.exe
224	schtasks.exe
4740	schtasks.exe
3596	schtasks.exe
4420	schtasks.exe
3988	schtasks.exe
1452	schtasks.exe
3348	schtasks.exe
2948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
4352	DllCommonsvc.exe
3932	powershell.exe
3932	powershell.exe
3960	powershell.exe
3960	powershell.exe
1536	powershell.exe
1536	powershell.exe
4308	powershell.exe
4308	powershell.exe
3956	powershell.exe
3744	powershell.exe
3744	powershell.exe
3956	powershell.exe
4024	powershell.exe
4024	powershell.exe
4636	powershell.exe
4636	powershell.exe
2240	powershell.exe
2240	powershell.exe
1012	powershell.exe
1012	powershell.exe
3668	powershell.exe
3668	powershell.exe
1516	powershell.exe
1516	powershell.exe
2540	powershell.exe
2540	powershell.exe
1736	powershell.exe
1736	powershell.exe
2072	powershell.exe
2072	powershell.exe
1960	powershell.exe
1960	powershell.exe
4308	powershell.exe
4636	powershell.exe
3956	powershell.exe
3960	powershell.exe
3932	powershell.exe
2540	powershell.exe
1536	powershell.exe
1736	powershell.exe
1012	powershell.exe
4024	powershell.exe
2240	powershell.exe
3668	powershell.exe
1516	powershell.exe
2072	powershell.exe
3744	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	DllCommonsvc.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	4920	upfc.exe
Token: SeDebugPrivilege	468	upfc.exe
Token: SeDebugPrivilege	1160	upfc.exe
Token: SeDebugPrivilege	4956	upfc.exe
Token: SeDebugPrivilege	3600	upfc.exe
Token: SeDebugPrivilege	3528	upfc.exe
Token: SeDebugPrivilege	1888	upfc.exe
Token: SeDebugPrivilege	376	upfc.exe
Token: SeDebugPrivilege	2412	upfc.exe
Token: SeDebugPrivilege	1716	upfc.exe
Token: SeDebugPrivilege	4436	upfc.exe
Token: SeDebugPrivilege	3076	upfc.exe
Token: SeDebugPrivilege	1492	upfc.exe
Token: SeDebugPrivilege	4560	upfc.exe
Token: SeDebugPrivilege	4448	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1180	1100	JaffaCakes118_a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8.exe	83
PID 1100 wrote to memory of 1180	1100	JaffaCakes118_a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8.exe	83
PID 1100 wrote to memory of 1180	1100	JaffaCakes118_a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8.exe	83
PID 1180 wrote to memory of 412	1180	WScript.exe	85
PID 1180 wrote to memory of 412	1180	WScript.exe	85
PID 1180 wrote to memory of 412	1180	WScript.exe	85
PID 412 wrote to memory of 4352	412	cmd.exe	87
PID 412 wrote to memory of 4352	412	cmd.exe	87
PID 4352 wrote to memory of 1960	4352	DllCommonsvc.exe	135
PID 4352 wrote to memory of 1960	4352	DllCommonsvc.exe	135
PID 4352 wrote to memory of 4636	4352	DllCommonsvc.exe	136
PID 4352 wrote to memory of 4636	4352	DllCommonsvc.exe	136
PID 4352 wrote to memory of 3960	4352	DllCommonsvc.exe	137
PID 4352 wrote to memory of 3960	4352	DllCommonsvc.exe	137
PID 4352 wrote to memory of 1516	4352	DllCommonsvc.exe	138
PID 4352 wrote to memory of 1516	4352	DllCommonsvc.exe	138
PID 4352 wrote to memory of 1736	4352	DllCommonsvc.exe	139
PID 4352 wrote to memory of 1736	4352	DllCommonsvc.exe	139
PID 4352 wrote to memory of 2240	4352	DllCommonsvc.exe	140
PID 4352 wrote to memory of 2240	4352	DllCommonsvc.exe	140
PID 4352 wrote to memory of 4024	4352	DllCommonsvc.exe	141
PID 4352 wrote to memory of 4024	4352	DllCommonsvc.exe	141
PID 4352 wrote to memory of 2540	4352	DllCommonsvc.exe	142
PID 4352 wrote to memory of 2540	4352	DllCommonsvc.exe	142
PID 4352 wrote to memory of 1536	4352	DllCommonsvc.exe	143
PID 4352 wrote to memory of 1536	4352	DllCommonsvc.exe	143
PID 4352 wrote to memory of 3932	4352	DllCommonsvc.exe	144
PID 4352 wrote to memory of 3932	4352	DllCommonsvc.exe	144
PID 4352 wrote to memory of 2072	4352	DllCommonsvc.exe	145
PID 4352 wrote to memory of 2072	4352	DllCommonsvc.exe	145
PID 4352 wrote to memory of 3744	4352	DllCommonsvc.exe	146
PID 4352 wrote to memory of 3744	4352	DllCommonsvc.exe	146
PID 4352 wrote to memory of 4308	4352	DllCommonsvc.exe	147
PID 4352 wrote to memory of 4308	4352	DllCommonsvc.exe	147
PID 4352 wrote to memory of 1012	4352	DllCommonsvc.exe	148
PID 4352 wrote to memory of 1012	4352	DllCommonsvc.exe	148
PID 4352 wrote to memory of 3956	4352	DllCommonsvc.exe	149
PID 4352 wrote to memory of 3956	4352	DllCommonsvc.exe	149
PID 4352 wrote to memory of 3668	4352	DllCommonsvc.exe	150
PID 4352 wrote to memory of 3668	4352	DllCommonsvc.exe	150
PID 4352 wrote to memory of 2940	4352	DllCommonsvc.exe	166
PID 4352 wrote to memory of 2940	4352	DllCommonsvc.exe	166
PID 2940 wrote to memory of 1336	2940	cmd.exe	169
PID 2940 wrote to memory of 1336	2940	cmd.exe	169
PID 2940 wrote to memory of 4920	2940	cmd.exe	171
PID 2940 wrote to memory of 4920	2940	cmd.exe	171
PID 4920 wrote to memory of 2280	4920	upfc.exe	177
PID 4920 wrote to memory of 2280	4920	upfc.exe	177
PID 2280 wrote to memory of 2312	2280	cmd.exe	179
PID 2280 wrote to memory of 2312	2280	cmd.exe	179
PID 2280 wrote to memory of 468	2280	cmd.exe	183
PID 2280 wrote to memory of 468	2280	cmd.exe	183
PID 468 wrote to memory of 3168	468	upfc.exe	189
PID 468 wrote to memory of 3168	468	upfc.exe	189
PID 3168 wrote to memory of 4324	3168	cmd.exe	191
PID 3168 wrote to memory of 4324	3168	cmd.exe	191
PID 3168 wrote to memory of 1160	3168	cmd.exe	195
PID 3168 wrote to memory of 1160	3168	cmd.exe	195
PID 1160 wrote to memory of 4700	1160	upfc.exe	197
PID 1160 wrote to memory of 4700	1160	upfc.exe	197
PID 4700 wrote to memory of 3204	4700	cmd.exe	199
PID 4700 wrote to memory of 3204	4700	cmd.exe	199
PID 4700 wrote to memory of 4956	4700	cmd.exe	202
PID 4700 wrote to memory of 4956	4700	cmd.exe	202

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a386df9b44a25983ffde31adb61b371008287affd2eb1539d957ccb4af7aaeb8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\it-IT\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\uk-UA\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\WDF\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ilWYProi9v.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1336
      - C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2312
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4324
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3204
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
        13⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2816
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        15⤵
        
        PID:948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3932
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        17⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4108
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
        19⤵
        
        PID:3192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3176
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
        21⤵
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:872
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        23⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3856
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
        25⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1000
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        27⤵
        
        PID:4936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4188
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        29⤵
        
        PID:1412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4056
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat"
        31⤵
        
        PID:4160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:3116
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        33⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:2012
        
        C:\Recovery\WindowsRE\upfc.exe
        
        "C:\Recovery\WindowsRE\upfc.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\it-IT\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Default\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\uk-UA\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\uk-UA\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\WDF\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\WDF\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\WDF\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
53d3ffffcddbe5e123d2c2ef25cdf45c

SHA1
1d73c2abb5da7f80cecfa20c15462909738a6bb8

SHA256
a4424bc0d11232a268fce5d0f4d0564e6d72a274625126d6feb944c9d82271ac

SHA512
289e2f3dda60891bb410763ef6bc80b52603cd49f9e80923e9a14c16af089f49a51a9ddf80d7cc1fa908b042d274272d3c9c5c9b27810cc48a27a3bed7b51630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

Filesize
195B

MD5
c0330bcdf395d8da322e6a48da9f1b7d

SHA1
208b5a4324658ccd60aa3e8341712482bfb99e6a

SHA256
8ccaa21cae82abba81948ebc6884c3b02c0de83a9ef21a753c5740c367210548

SHA512
7e755e1742f8e63067ef87953f05fdb2b1924820d25e646e5976875c40d02c921caa2734787fee1fb48a1028c2cc37c18fc43e20e334eb98a0b6c38655bc972e

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
195B

MD5
454aca93b21027cd05b3ccc0c908a240

SHA1
c998fab4a7c852e2c921012b020990ba84ddfe7e

SHA256
3c6e5979218ed6ae591530473d074b71117257e77235cdf486065845c7cc4e4d

SHA512
391370b34b01573d9fb24a6786e50e35f30309c0fd7270a3f6697499a8b7406782488bce825c8211d86429eebe6e5456b4ee771e4ef78c65b5aa81e9e4e94b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

Filesize
195B

MD5
9a62258525dc118fcd29a2238b3db573

SHA1
5dc70b33bb0af71577a6d1567c41abe869acad18

SHA256
00dc80cb30c53a63bfe70aae57d2a13decb0d9ab9b26a637aa1a66bed37edbb7

SHA512
95d0dd0ec23c13ce41bceb6027b3f3d529434b56ac48bff6120d958864fed3e129aeb7088f094a68c6e1fe684ec16a091e8553300db805ede988ea0e59b0ba42

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
195B

MD5
794d3b7417128b3165f547be54063b28

SHA1
d275cd3fea7ccf38c7b8ef0007c21c3c920489dc

SHA256
19cf8169620917aea0ab57b67f5d2f149e1437ff2ba1d78b08b3bc0c7450919e

SHA512
bd23e78d916d36afd82d63aefdabd6dc7dce05c034bf1d9180064600b589b8b9e0827bf6343edcbb6d57020e50cecba6de48001ab800bfd5ea309b8724755d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

Filesize
195B

MD5
df8c6efbb10cc5b25317bcb2d5f38a59

SHA1
74947b57f947b172258edcff9e1c00b345566d03

SHA256
586b88c4b738f9d0b20b4ef190f44cc445be4570e851be9588fad2e49ed4fb80

SHA512
501b53856f476751358b37036132ba95b2e0fa79d43873c5bcfa1eb4aa73e6f3133ddcd1f49ca345238b71fa8782dc0ab10b1e49c5bc355763403ca9733d72e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat

Filesize
195B

MD5
65719eeae21f2252434f0af81e50580a

SHA1
9306f8f22042b590f121b877d4b9cf6c8f59afc1

SHA256
7fb0690bb442e9480f5cfe7f06650771d2f723f5e10df4839ee64848090d734b

SHA512
50f27f3e90aa084352cec33af2b01dbbb146b2224ec4b1ad5a0d6065a20da576a811165805d9f981b6a857450eb62b32a85622fc3d1eef9b87b4124c3eac591e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
195B

MD5
bd52f5f37daa774f8b6e6b7b91976d16

SHA1
2512aec29f7654d606221e5da5090fdef12050c9

SHA256
6059aa18553be7211ce4819e9ba33620984f381d32627e7ad051e990db1a9769

SHA512
b9a909ed0b5fc57099cbd78ad978de6799f1af2a6e2937cbdcd74d35f181a5259df0811449e9c435ceda8f6695dba58bc7969795ecc8e022ae4ffc113b18ef25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

Filesize
195B

MD5
77b60b7015620c09e0ae12037b25d82f

SHA1
c7c35ab6f2528dd72af68a4b8443dbc3fc5b6e17

SHA256
e07bac5a9d229f12ae1888e09ae6092dd62a9a9a93b72f147155a2e98b994793

SHA512
f98c3519f221099b364bc3ebc4919d51adcd82be5612ac9699f9d0fcd15cbad577856320a4a2df2dfc1d085bb82cbabe8a938623409b2ec5cbb6728ca1148683

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
195B

MD5
20742d6677b9b29d985a95081d89e487

SHA1
b7ab5cc8bd796a95beee441fcf2954f9949dfa7b

SHA256
0111d72b6afa83639f3e1bae2f208f037b1421c0bdcce97d5c0079cd99dd50ca

SHA512
7ca02577454f16090d537879b0143aaffa6857707c6230cebd6ff9a88690967e780f4818bdf7bb3e2712a4e566c8ed7bacd1fcc3c388e4b04f17c29e41cd0993

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ale4g3b.epw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
195B

MD5
c1640faf72fafc678d83ba0df2cbb71c

SHA1
db23827ed1ae165458a09f895cda2b152f9d66a2

SHA256
e5d3040321bde5e006189497b8d09a5fde1aca0d4ec9c3d28a583c8f4cdc679a

SHA512
a6acd1e815cda4a6926ef4527dd36f804c1256b1e9d4ffa0112908dc9195dfb2a3d2adb08e7ef41c10dbfb6db9136281515152a715a7b157c437b404780c80f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
195B

MD5
7d1543ce44af18fc3cabec0e57e6f282

SHA1
3de0e57c9240b0d31da3f360c6f5dd73460686b9

SHA256
5a36a8ae443e733c68f7282bc3b5d4b75a7ccdee61a724884a70924ffcb7daa3

SHA512
cb56c4942dc8b236e05bfe50d7a2f5a0c07a7589ecb1452a6970dda92b98190d4380a411dc5a6a0e9bfd12ad2a373666a1c0e4afcdd8096fbe98707ac5ecca3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
195B

MD5
81662e2989220e3dd8e8fce86c7906f1

SHA1
39654d01cb9ac8ac3586f17b79ebb6cfc4c0b82f

SHA256
b8943c6f302bce415c760a44ef9604b83256230cd44f3b35d79482f09f1e042d

SHA512
abdd0606b9a1d2c1ccc285dd596714b00c213e4ba5e79451917eaa20e4d1f12469f0a5d0c531cfeef57d8193630a998d535b67a3867ce998f08d3151f86ce5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilWYProi9v.bat

Filesize
195B

MD5
9b75c32e0e95c20945fb3dc853cfca62

SHA1
2075ef5badf2f4be0437c723485c26f0f5ecc4cf

SHA256
f4f5fbaf070b11272796355e4edace46af50bf91b91c1634d9bbb0393b50632c

SHA512
e7142f175704cd33634bdb43fa7388ecd15adca5160d29fae592edafe9e4adbfa10c37d97424b682685ee88794d1bc6e8e95b5de93bcba83769e6fe21302e684

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

Filesize
195B

MD5
8317a6a4ea7eb3292ea46dea7bb2a77c

SHA1
e41c7bc7a68f2bd15b0c8cee8c2eaeed0ec01c61

SHA256
eaa9519fd3e0d962cd6327d1cd02d921653a70e875e123414bb57ec8de920fe8

SHA512
2bcd54e34dd5e0ca6785ae92c04b386464ea8bb58b75ba8b57f898dd083965165bf5f1d343d4ac131d3b893a58fbba4ef5978367c46554a99366c3a1813d2ad9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/468-248-0x000000001C900000-0x000000001C9A1000-memory.dmp

Filesize
644KB

Download
memory/1160-255-0x000000001B0D0000-0x000000001B171000-memory.dmp

Filesize
644KB

Download
memory/1716-295-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

Filesize
72KB

Download
memory/3076-308-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/3600-264-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/3960-58-0x000002D552BB0000-0x000002D552BD2000-memory.dmp

Filesize
136KB

Download
memory/4352-17-0x0000000002670000-0x000000000267C000-memory.dmp

Filesize
48KB

Download
memory/4352-16-0x0000000002660000-0x000000000266C000-memory.dmp

Filesize
48KB

Download
memory/4352-15-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download
memory/4352-14-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/4352-13-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/4352-12-0x00007FFA0FBE3000-0x00007FFA0FBE5000-memory.dmp

Filesize
8KB

Download
memory/4560-321-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/4920-235-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download