dcrat | 1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe
Size

1.3MB
MD5

0fcdaaa6d77f9c5d065216a547b21813
SHA1

138b457f3332a6a271f3dc5d3cfac9fd3d913393
SHA256

1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297
SHA512

53da42f370bf5dd644f35c20dd55f84d357c9a1adf045adabb76be82d38c2bd8f922b66984328e106cb60201379da2f063987564c48915d3b676e143f2576bb5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	4744	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	4744	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cc3-9.dat	dcrat
behavioral2/memory/4420-13-0x00000000005C0000-0x00000000006D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2260	powershell.exe
4560	powershell.exe
1984	powershell.exe
4688	powershell.exe
4452	powershell.exe
3836	powershell.exe
3340	powershell.exe
2540	powershell.exe
4204	powershell.exe
4784	powershell.exe
4304	powershell.exe
4760	powershell.exe
4680	powershell.exe
4572	powershell.exe
320	powershell.exe
3272	powershell.exe
1876	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 15 IoCs

pid	Process
4420	DllCommonsvc.exe
2964	lsass.exe
4844	lsass.exe
1036	lsass.exe
1048	lsass.exe
3428	lsass.exe
4104	lsass.exe
3448	lsass.exe
1424	lsass.exe
1888	lsass.exe
928	lsass.exe
2168	lsass.exe
5072	lsass.exe
1588	lsass.exe
3172	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
55	raw.githubusercontent.com
57	raw.githubusercontent.com
15	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
42	raw.githubusercontent.com
53	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
38	raw.githubusercontent.com
16	raw.githubusercontent.com
39	raw.githubusercontent.com
56	raw.githubusercontent.com
44	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Multimedia Platform\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\attachments\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Common Files\DESIGNER\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\DESIGNER\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Crashpad\attachments\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\38384e6a620884	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\unsecapp.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Windows\IdentityCRL\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\IdentityCRL\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\Setup\State\winlogon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2112	schtasks.exe
3100	schtasks.exe
1924	schtasks.exe
640	schtasks.exe
4064	schtasks.exe
5092	schtasks.exe
3320	schtasks.exe
2336	schtasks.exe
4068	schtasks.exe
4228	schtasks.exe
4248	schtasks.exe
3452	schtasks.exe
2124	schtasks.exe
2596	schtasks.exe
2360	schtasks.exe
940	schtasks.exe
4468	schtasks.exe
2520	schtasks.exe
1796	schtasks.exe
2228	schtasks.exe
2672	schtasks.exe
4808	schtasks.exe
3140	schtasks.exe
4092	schtasks.exe
2880	schtasks.exe
3572	schtasks.exe
1976	schtasks.exe
3436	schtasks.exe
4268	schtasks.exe
2400	schtasks.exe
1544	schtasks.exe
816	schtasks.exe
2320	schtasks.exe
336	schtasks.exe
100	schtasks.exe
4220	schtasks.exe
232	schtasks.exe
3016	schtasks.exe
4128	schtasks.exe
4812	schtasks.exe
1744	schtasks.exe
1536	schtasks.exe
3664	schtasks.exe
4912	schtasks.exe
3268	schtasks.exe
8	schtasks.exe
384	schtasks.exe
4072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
4420	DllCommonsvc.exe
3836	powershell.exe
3836	powershell.exe
2260	powershell.exe
2260	powershell.exe
4560	powershell.exe
4560	powershell.exe
4452	powershell.exe
4452	powershell.exe
2540	powershell.exe
2540	powershell.exe
320	powershell.exe
320	powershell.exe
4688	powershell.exe
4688	powershell.exe
1984	powershell.exe
1984	powershell.exe
3340	powershell.exe
3340	powershell.exe
4680	powershell.exe
4680	powershell.exe
4784	powershell.exe
4784	powershell.exe
4572	powershell.exe
4572	powershell.exe
4304	powershell.exe
4304	powershell.exe
4204	powershell.exe
4204	powershell.exe
3272	powershell.exe
3272	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	DllCommonsvc.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2964	lsass.exe
Token: SeDebugPrivilege	4844	lsass.exe
Token: SeDebugPrivilege	1036	lsass.exe
Token: SeDebugPrivilege	1048	lsass.exe
Token: SeDebugPrivilege	3428	lsass.exe
Token: SeDebugPrivilege	4104	lsass.exe
Token: SeDebugPrivilege	3448	lsass.exe
Token: SeDebugPrivilege	1424	lsass.exe
Token: SeDebugPrivilege	1888	lsass.exe
Token: SeDebugPrivilege	928	lsass.exe
Token: SeDebugPrivilege	2168	lsass.exe
Token: SeDebugPrivilege	5072	lsass.exe
Token: SeDebugPrivilege	1588	lsass.exe
Token: SeDebugPrivilege	3172	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 4592	4816	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe	82
PID 4816 wrote to memory of 4592	4816	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe	82
PID 4816 wrote to memory of 4592	4816	JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe	82
PID 4592 wrote to memory of 2976	4592	WScript.exe	83
PID 4592 wrote to memory of 2976	4592	WScript.exe	83
PID 4592 wrote to memory of 2976	4592	WScript.exe	83
PID 2976 wrote to memory of 4420	2976	cmd.exe	85
PID 2976 wrote to memory of 4420	2976	cmd.exe	85
PID 4420 wrote to memory of 2260	4420	DllCommonsvc.exe	135
PID 4420 wrote to memory of 2260	4420	DllCommonsvc.exe	135
PID 4420 wrote to memory of 1876	4420	DllCommonsvc.exe	136
PID 4420 wrote to memory of 1876	4420	DllCommonsvc.exe	136
PID 4420 wrote to memory of 4572	4420	DllCommonsvc.exe	137
PID 4420 wrote to memory of 4572	4420	DllCommonsvc.exe	137
PID 4420 wrote to memory of 3836	4420	DllCommonsvc.exe	138
PID 4420 wrote to memory of 3836	4420	DllCommonsvc.exe	138
PID 4420 wrote to memory of 4784	4420	DllCommonsvc.exe	139
PID 4420 wrote to memory of 4784	4420	DllCommonsvc.exe	139
PID 4420 wrote to memory of 4452	4420	DllCommonsvc.exe	140
PID 4420 wrote to memory of 4452	4420	DllCommonsvc.exe	140
PID 4420 wrote to memory of 4204	4420	DllCommonsvc.exe	141
PID 4420 wrote to memory of 4204	4420	DllCommonsvc.exe	141
PID 4420 wrote to memory of 2540	4420	DllCommonsvc.exe	142
PID 4420 wrote to memory of 2540	4420	DllCommonsvc.exe	142
PID 4420 wrote to memory of 4688	4420	DllCommonsvc.exe	144
PID 4420 wrote to memory of 4688	4420	DllCommonsvc.exe	144
PID 4420 wrote to memory of 1984	4420	DllCommonsvc.exe	145
PID 4420 wrote to memory of 1984	4420	DllCommonsvc.exe	145
PID 4420 wrote to memory of 4680	4420	DllCommonsvc.exe	146
PID 4420 wrote to memory of 4680	4420	DllCommonsvc.exe	146
PID 4420 wrote to memory of 3272	4420	DllCommonsvc.exe	147
PID 4420 wrote to memory of 3272	4420	DllCommonsvc.exe	147
PID 4420 wrote to memory of 3340	4420	DllCommonsvc.exe	149
PID 4420 wrote to memory of 3340	4420	DllCommonsvc.exe	149
PID 4420 wrote to memory of 4760	4420	DllCommonsvc.exe	150
PID 4420 wrote to memory of 4760	4420	DllCommonsvc.exe	150
PID 4420 wrote to memory of 4304	4420	DllCommonsvc.exe	151
PID 4420 wrote to memory of 4304	4420	DllCommonsvc.exe	151
PID 4420 wrote to memory of 4560	4420	DllCommonsvc.exe	152
PID 4420 wrote to memory of 4560	4420	DllCommonsvc.exe	152
PID 4420 wrote to memory of 320	4420	DllCommonsvc.exe	154
PID 4420 wrote to memory of 320	4420	DllCommonsvc.exe	154
PID 4420 wrote to memory of 4568	4420	DllCommonsvc.exe	168
PID 4420 wrote to memory of 4568	4420	DllCommonsvc.exe	168
PID 4568 wrote to memory of 3004	4568	cmd.exe	171
PID 4568 wrote to memory of 3004	4568	cmd.exe	171
PID 4568 wrote to memory of 2964	4568	cmd.exe	175
PID 4568 wrote to memory of 2964	4568	cmd.exe	175
PID 2964 wrote to memory of 4228	2964	lsass.exe	177
PID 2964 wrote to memory of 4228	2964	lsass.exe	177
PID 4228 wrote to memory of 2056	4228	cmd.exe	179
PID 4228 wrote to memory of 2056	4228	cmd.exe	179
PID 4228 wrote to memory of 4844	4228	cmd.exe	182
PID 4228 wrote to memory of 4844	4228	cmd.exe	182
PID 4844 wrote to memory of 3760	4844	lsass.exe	183
PID 4844 wrote to memory of 3760	4844	lsass.exe	183
PID 3760 wrote to memory of 4388	3760	cmd.exe	185
PID 3760 wrote to memory of 4388	3760	cmd.exe	185
PID 3760 wrote to memory of 1036	3760	cmd.exe	186
PID 3760 wrote to memory of 1036	3760	cmd.exe	186
PID 1036 wrote to memory of 2276	1036	lsass.exe	188
PID 1036 wrote to memory of 2276	1036	lsass.exe	188
PID 2276 wrote to memory of 2724	2276	cmd.exe	190
PID 2276 wrote to memory of 2724	2276	cmd.exe	190

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1eb432cb683e45c4d79d6c6412cf5f77007ab70b2472dedd529524c33a84d297.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\Saved Pictures\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\DESIGNER\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ecSPNBJa19.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3004
      - C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2056
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4388
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2724
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        13⤵
        
        PID:3364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4824
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat"
        15⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3040
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
        17⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3940
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
        19⤵
        
        PID:3140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3964
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        21⤵
        
        PID:4248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4388
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"
        23⤵
        
        PID:4760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4476
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
        25⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4012
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"
        27⤵
        
        PID:4824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1744
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
        29⤵
        
        PID:412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4520
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"
        31⤵
        
        PID:3432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:5108
        
        C:\Program Files\Windows Multimedia Platform\lsass.exe
        
        "C:\Program Files\Windows Multimedia Platform\lsass.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
        33⤵
        
        PID:2460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\Saved Pictures\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Pictures\Saved Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\PostRebootEventCache.V2\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\DESIGNER\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat

Filesize
219B

MD5
51c06d94edc15db7b51ba6a79b154739

SHA1
9d4fea27200f2b6e588a250c1fab35b558c56456

SHA256
6d4cf82c63be5bf882f03a6d85f02c184c7b53313b0a64a99e363d3fd05e807f

SHA512
fa46929d8bbe561b303d24d66aa64723bcf79b6e823b3a19f45dd073f20f3d91fe1319b11b1a1c49e63f5b610f1dd1ae092a529bc6276ae8ac9efc2d5119d0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

Filesize
219B

MD5
397ea62c888d3d0d555a7f0fdf8c1f7f

SHA1
50cabf94a9be14ef94654db737db2db50456797f

SHA256
991abca913f3326f405bccfeec241137734813fa69bce8510aec42ee1190b334

SHA512
09c9675f2f716821b6c4989a78391de82b54b2bff9dd572f0bf5047c7f08c596bccf7d17cb26a791667a33b772be01a8c86b687a77b9564f06db1d138c12cb75

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
219B

MD5
eb15470eaca0dfb28387428b020be305

SHA1
c5a75ca787f188d59dc10d908e052c32f4b10505

SHA256
094002d5407172aa9cf64ce60ab8961ef2b57f59aa958ac74b2656a7565c96df

SHA512
ff74e7848e8f4056fab58e8ab05d97c25c96494bf64c85a6aa0973c515cfe93a26b2499c3940f5108edfcf0427e2e25d6cdd6c6853577df4a18f124a2fc07c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat

Filesize
219B

MD5
5243c2280a46d5fde224a871828fda20

SHA1
1f74cf6363bc4e82c54e19bd989c2385122dbf00

SHA256
93f354f23e939bc1758cc098c7d238b748f59aa3f5c18e58cf6f7d37401207d5

SHA512
9e0be2577888a472520cf84705dfc980dcb8d8272986772f7a83762d681b6f6933a33b2182fc587bdf695fe274778cf0f26de7bfc0f2e1f718179ee0df576c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
219B

MD5
6f9eeb4051636276200eb8072fa0be24

SHA1
ae4a01b13a30ae59b8537b3934e96ab5c07e452a

SHA256
714c96baba039c8ddacb4e8fde8d0c15f3a60eac53a254d56fe7d6410efc0a05

SHA512
b8ca8dda2ac0c3b1b41dbc41076a7b1a6bcbae43a39c525f6298424f8fad669929f7bc209f8bccab58a67b695a51c6b09ceac402df9620aead658d9b303c1210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

Filesize
219B

MD5
d372b03140c5d2d2d4b79a9924b504c0

SHA1
0756097d07f735a1d589a0e78051b6c7bc92e8a7

SHA256
ae4529bf27de8f75378e619bfda7783d1974a206dc15bb930713a52c89c0a9e5

SHA512
b2a7ffc971a971d6a0a20282189167c0136a864752c46ea137f254a25754be26302d27928828aaed86ba6dbb4faa685cd7ace582d98d7289ae21b63ed97922df

Download Submit
C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat

Filesize
219B

MD5
485093466e957128bdabf480151f2fc9

SHA1
5dd5ceef147d02e9bcabadf59e25be9ce3b3f485

SHA256
3bb8f5732518837c5328b23f00921a18618fb14a21914e813d6c56edf04c54a1

SHA512
5340b046e230207971e86df5929f20fd78ee7e87ce7b233489d87de28f53e4b2e972dfdd81e471afe6308de0068b5caba2d13c6da54ed13c20d0ba956f176a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat

Filesize
219B

MD5
54bff4349424fb2c83498b832dfc85ea

SHA1
2afbca23d637e9c164f6a6eddab22f587a3a9ec0

SHA256
1b9ce7436b9a35c533a35bd7d98afad04276d67f153e3d595eeaf7a4defa04f2

SHA512
33357a67e1826c3cd4c255957c725f1e630a282241e78f5a57e5f9ae67e7e0690ca813ebca410d629e23f96e4834a56480193df181cade8af77b3f6c3a288449

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxm4wolc.4md.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecSPNBJa19.bat

Filesize
219B

MD5
6f3f8bdfef7b71e0d344dc0929305830

SHA1
c88dd3f9d4e4b0cb38f4fd6b2d4ae1af20ffdbf3

SHA256
4426bae3afd512243512fc5c9db97640fea669159f811248eabcdd676849db2b

SHA512
27289e3c3c39d63c5a495636fc750dab0a3fe378b4a7ff7b29b6f5b4b16e736d92f2b4d88c7a161f6de1bd4f088af5bfb8661d94d43092937691977e36cf2d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat

Filesize
219B

MD5
7ec71af49fd2f32df092329f3c69532f

SHA1
b755fe6592c5da3d5a5c4ab708f38466d269fcfb

SHA256
b4187dada094690b1f87b57f469db1cd8060497583302ef12a8ddfe6eb74a9ad

SHA512
0ec1c6d4055557290e857cb29fa5685246c8354de8f2f487a66a7b95114da3152c0c85a4b8c71e5c803e7ef1b2204beaca5e4d4c9e114a7dbfbba373872a9881

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
219B

MD5
8ada30a0886c29a8852de56d3c375f8b

SHA1
e8aeac45a777a5e2ea4917f5fba5df14c6f134eb

SHA256
1e67a611c31de9cbdfc83201a378dac55af6d41dff15585e67497ce1c0d9291b

SHA512
765ced0a6f6200c1d10aaf2363a1d5412d33e55b4de3413de76b84b5d1bccb066c32f8373a3ddc828b51913974347249470ae5ffac38fef39d1659be617314a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

Filesize
219B

MD5
3015957313954e6a2b1b30bd772c8de9

SHA1
8320ba828a042a68aa8a6946b439620ee3a9d2dd

SHA256
bd082cb6106ee7f7c1b05efd07d0dd32a242f36e010239ba81a0ed61eea1f35d

SHA512
ba75cb04423424fccd43caf5758c54b5b8896698f528ecc797e76db791eec66c43f95678b51fa0b8e382127688ed078e44a351ffb8d15732bc2543408fc94b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
219B

MD5
3aeee8a4c2f0c02f06188ad6e1f5d5c5

SHA1
b5bdbd0025ac0a0c66b01fd8d86e7be16d7adb78

SHA256
e7cdb963cbc2d650d65010af6f9137c1998c46eb133fe4c1f8acda04ef70deff

SHA512
a6d989b30c7e9dc0a833024ffe0419ce61abd6f5ef898fae5070b95eb8ce88eca6a177f520e70ce428528536f88c09adb548f4f2b8c3277736604788d6f3f91d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1036-271-0x000000001D550000-0x000000001D6F9000-memory.dmp

Filesize
1.7MB

Download
memory/1036-270-0x000000001D4A0000-0x000000001D541000-memory.dmp

Filesize
644KB

Download
memory/1048-278-0x000000001D0B0000-0x000000001D259000-memory.dmp

Filesize
1.7MB

Download
memory/2964-255-0x000000001DB30000-0x000000001DCD9000-memory.dmp

Filesize
1.7MB

Download
memory/2964-254-0x000000001DA80000-0x000000001DB21000-memory.dmp

Filesize
644KB

Download
memory/3428-285-0x000000001DC80000-0x000000001DE29000-memory.dmp

Filesize
1.7MB

Download
memory/3448-299-0x000000001D870000-0x000000001DA19000-memory.dmp

Filesize
1.7MB

Download
memory/3836-60-0x000001A56B3D0000-0x000001A56B3F2000-memory.dmp

Filesize
136KB

Download
memory/4104-292-0x000000001DC40000-0x000000001DDE9000-memory.dmp

Filesize
1.7MB

Download
memory/4420-16-0x0000000002800000-0x000000000280C000-memory.dmp

Filesize
48KB

Download
memory/4420-15-0x00000000027F0000-0x00000000027FC000-memory.dmp

Filesize
48KB

Download
memory/4420-17-0x0000000002810000-0x000000000281C000-memory.dmp

Filesize
48KB

Download
memory/4420-14-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/4420-13-0x00000000005C0000-0x00000000006D0000-memory.dmp

Filesize
1.1MB

Download
memory/4420-12-0x00007FFD30E43000-0x00007FFD30E45000-memory.dmp

Filesize
8KB

Download
memory/4844-263-0x000000001D150000-0x000000001D1F1000-memory.dmp

Filesize
644KB

Download
memory/4844-264-0x000000001D210000-0x000000001D3B9000-memory.dmp

Filesize
1.7MB

Download