dcrat | eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f.exe
Size

1.3MB
MD5

3327510e2a623040b290ea267c40b604
SHA1

e447d6f67f9ee9061bf7363f5bc9d37c75c7e35b
SHA256

eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f
SHA512

548f7c30b2dcb39481128f4f415ada3c6f420ce8ee0dbcc1fc11696ee147176e72696ab8a22ddc9092370232128d0153816dd8077a5939db07418761fc7cf846
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	1780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	1780	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b69-10.dat	dcrat
behavioral2/memory/2716-13-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1384	powershell.exe
3004	powershell.exe
1448	powershell.exe
3484	powershell.exe
1896	powershell.exe
2480	powershell.exe
1588	powershell.exe
1144	powershell.exe
4420	powershell.exe
3356	powershell.exe
3488	powershell.exe
5100	powershell.exe
1920	powershell.exe
544	powershell.exe
4540	powershell.exe
772	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 16 IoCs

pid	Process
2716	DllCommonsvc.exe
4012	RuntimeBroker.exe
856	RuntimeBroker.exe
4788	RuntimeBroker.exe
3556	RuntimeBroker.exe
4328	RuntimeBroker.exe
2340	RuntimeBroker.exe
3528	RuntimeBroker.exe
4616	RuntimeBroker.exe
2872	RuntimeBroker.exe
2556	RuntimeBroker.exe
3248	RuntimeBroker.exe
4152	RuntimeBroker.exe
1196	RuntimeBroker.exe
3772	RuntimeBroker.exe
2656	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
44	raw.githubusercontent.com
53	raw.githubusercontent.com
56	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
54	raw.githubusercontent.com
25	raw.githubusercontent.com
41	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
46	raw.githubusercontent.com
55	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\55b276f4edf653	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\29c1c3cc0f7685	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\StartMenuExperienceHost.exe	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\22eafd247d37c3	DllCommonsvc.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\uk-UA\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\uk-UA\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1536	schtasks.exe
3080	schtasks.exe
2136	schtasks.exe
4236	schtasks.exe
932	schtasks.exe
3580	schtasks.exe
4796	schtasks.exe
2008	schtasks.exe
2404	schtasks.exe
5056	schtasks.exe
4748	schtasks.exe
2164	schtasks.exe
2768	schtasks.exe
4584	schtasks.exe
3668	schtasks.exe
4912	schtasks.exe
1464	schtasks.exe
3980	schtasks.exe
4888	schtasks.exe
1364	schtasks.exe
2172	schtasks.exe
5032	schtasks.exe
1720	schtasks.exe
4456	schtasks.exe
1564	schtasks.exe
2384	schtasks.exe
1112	schtasks.exe
4428	schtasks.exe
3464	schtasks.exe
3676	schtasks.exe
3532	schtasks.exe
3568	schtasks.exe
848	schtasks.exe
2044	schtasks.exe
4788	schtasks.exe
3876	schtasks.exe
3712	schtasks.exe
2700	schtasks.exe
4708	schtasks.exe
3280	schtasks.exe
1556	schtasks.exe
4356	schtasks.exe
3524	schtasks.exe
5064	schtasks.exe
632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	DllCommonsvc.exe
2716	DllCommonsvc.exe
2716	DllCommonsvc.exe
2716	DllCommonsvc.exe
2716	DllCommonsvc.exe
2716	DllCommonsvc.exe
1896	powershell.exe
1896	powershell.exe
4420	powershell.exe
4420	powershell.exe
1588	powershell.exe
1588	powershell.exe
772	powershell.exe
772	powershell.exe
5100	powershell.exe
5100	powershell.exe
4540	powershell.exe
4540	powershell.exe
544	powershell.exe
544	powershell.exe
2480	powershell.exe
2480	powershell.exe
3484	powershell.exe
3484	powershell.exe
1448	powershell.exe
1448	powershell.exe
3356	powershell.exe
3356	powershell.exe
1384	powershell.exe
1384	powershell.exe
772	powershell.exe
3004	powershell.exe
3004	powershell.exe
3488	powershell.exe
3488	powershell.exe
1144	powershell.exe
1144	powershell.exe
1920	powershell.exe
1920	powershell.exe
4540	powershell.exe
3004	powershell.exe
1920	powershell.exe
4012	RuntimeBroker.exe
4012	RuntimeBroker.exe
1144	powershell.exe
4420	powershell.exe
1896	powershell.exe
1896	powershell.exe
1588	powershell.exe
5100	powershell.exe
544	powershell.exe
1448	powershell.exe
3356	powershell.exe
3484	powershell.exe
2480	powershell.exe
1384	powershell.exe
3488	powershell.exe
856	RuntimeBroker.exe
4788	RuntimeBroker.exe
3556	RuntimeBroker.exe
4328	RuntimeBroker.exe
2340	RuntimeBroker.exe
3528	RuntimeBroker.exe
4616	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	DllCommonsvc.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	4012	RuntimeBroker.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	856	RuntimeBroker.exe
Token: SeDebugPrivilege	4788	RuntimeBroker.exe
Token: SeDebugPrivilege	3556	RuntimeBroker.exe
Token: SeDebugPrivilege	4328	RuntimeBroker.exe
Token: SeDebugPrivilege	2340	RuntimeBroker.exe
Token: SeDebugPrivilege	3528	RuntimeBroker.exe
Token: SeDebugPrivilege	4616	RuntimeBroker.exe
Token: SeDebugPrivilege	2872	RuntimeBroker.exe
Token: SeDebugPrivilege	2556	RuntimeBroker.exe
Token: SeDebugPrivilege	3248	RuntimeBroker.exe
Token: SeDebugPrivilege	4152	RuntimeBroker.exe
Token: SeDebugPrivilege	1196	RuntimeBroker.exe
Token: SeDebugPrivilege	3772	RuntimeBroker.exe
Token: SeDebugPrivilege	2656	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 3636	4220	JaffaCakes118_eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f.exe	82
PID 4220 wrote to memory of 3636	4220	JaffaCakes118_eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f.exe	82
PID 4220 wrote to memory of 3636	4220	JaffaCakes118_eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f.exe	82
PID 3636 wrote to memory of 404	3636	WScript.exe	83
PID 3636 wrote to memory of 404	3636	WScript.exe	83
PID 3636 wrote to memory of 404	3636	WScript.exe	83
PID 404 wrote to memory of 2716	404	cmd.exe	85
PID 404 wrote to memory of 2716	404	cmd.exe	85
PID 2716 wrote to memory of 3488	2716	DllCommonsvc.exe	132
PID 2716 wrote to memory of 3488	2716	DllCommonsvc.exe	132
PID 2716 wrote to memory of 5100	2716	DllCommonsvc.exe	133
PID 2716 wrote to memory of 5100	2716	DllCommonsvc.exe	133
PID 2716 wrote to memory of 1920	2716	DllCommonsvc.exe	134
PID 2716 wrote to memory of 1920	2716	DllCommonsvc.exe	134
PID 2716 wrote to memory of 1384	2716	DllCommonsvc.exe	135
PID 2716 wrote to memory of 1384	2716	DllCommonsvc.exe	135
PID 2716 wrote to memory of 3004	2716	DllCommonsvc.exe	136
PID 2716 wrote to memory of 3004	2716	DllCommonsvc.exe	136
PID 2716 wrote to memory of 1896	2716	DllCommonsvc.exe	137
PID 2716 wrote to memory of 1896	2716	DllCommonsvc.exe	137
PID 2716 wrote to memory of 1448	2716	DllCommonsvc.exe	138
PID 2716 wrote to memory of 1448	2716	DllCommonsvc.exe	138
PID 2716 wrote to memory of 4420	2716	DllCommonsvc.exe	139
PID 2716 wrote to memory of 4420	2716	DllCommonsvc.exe	139
PID 2716 wrote to memory of 2480	2716	DllCommonsvc.exe	140
PID 2716 wrote to memory of 2480	2716	DllCommonsvc.exe	140
PID 2716 wrote to memory of 3484	2716	DllCommonsvc.exe	141
PID 2716 wrote to memory of 3484	2716	DllCommonsvc.exe	141
PID 2716 wrote to memory of 1588	2716	DllCommonsvc.exe	142
PID 2716 wrote to memory of 1588	2716	DllCommonsvc.exe	142
PID 2716 wrote to memory of 544	2716	DllCommonsvc.exe	143
PID 2716 wrote to memory of 544	2716	DllCommonsvc.exe	143
PID 2716 wrote to memory of 3356	2716	DllCommonsvc.exe	144
PID 2716 wrote to memory of 3356	2716	DllCommonsvc.exe	144
PID 2716 wrote to memory of 4540	2716	DllCommonsvc.exe	145
PID 2716 wrote to memory of 4540	2716	DllCommonsvc.exe	145
PID 2716 wrote to memory of 772	2716	DllCommonsvc.exe	146
PID 2716 wrote to memory of 772	2716	DllCommonsvc.exe	146
PID 2716 wrote to memory of 1144	2716	DllCommonsvc.exe	147
PID 2716 wrote to memory of 1144	2716	DllCommonsvc.exe	147
PID 2716 wrote to memory of 4012	2716	DllCommonsvc.exe	163
PID 2716 wrote to memory of 4012	2716	DllCommonsvc.exe	163
PID 4012 wrote to memory of 4736	4012	RuntimeBroker.exe	168
PID 4012 wrote to memory of 4736	4012	RuntimeBroker.exe	168
PID 4736 wrote to memory of 1220	4736	cmd.exe	170
PID 4736 wrote to memory of 1220	4736	cmd.exe	170
PID 4736 wrote to memory of 856	4736	cmd.exe	172
PID 4736 wrote to memory of 856	4736	cmd.exe	172
PID 856 wrote to memory of 960	856	RuntimeBroker.exe	175
PID 856 wrote to memory of 960	856	RuntimeBroker.exe	175
PID 960 wrote to memory of 2164	960	cmd.exe	177
PID 960 wrote to memory of 2164	960	cmd.exe	177
PID 960 wrote to memory of 4788	960	cmd.exe	178
PID 960 wrote to memory of 4788	960	cmd.exe	178
PID 4788 wrote to memory of 4764	4788	RuntimeBroker.exe	179
PID 4788 wrote to memory of 4764	4788	RuntimeBroker.exe	179
PID 4764 wrote to memory of 2556	4764	cmd.exe	181
PID 4764 wrote to memory of 2556	4764	cmd.exe	181
PID 4764 wrote to memory of 3556	4764	cmd.exe	183
PID 4764 wrote to memory of 3556	4764	cmd.exe	183
PID 3556 wrote to memory of 5084	3556	RuntimeBroker.exe	185
PID 3556 wrote to memory of 5084	3556	RuntimeBroker.exe	185
PID 5084 wrote to memory of 4512	5084	cmd.exe	187
PID 5084 wrote to memory of 4512	5084	cmd.exe	187

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eafbeb5ee4aebc5b5f98783a60df51ffa19c9c721ac8cae9bd6a2443e29e252f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1220
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2164
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2556
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4512
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
        14⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:384
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
        16⤵
        
        PID:4488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4260
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        18⤵
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3004
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
        20⤵
        
        PID:532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:972
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        22⤵
        
        PID:4788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2900
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
        24⤵
        
        PID:4052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4960
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
        26⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3588
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
        28⤵
        
        PID:3652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2340
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
        30⤵
        
        PID:3700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:3380
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        32⤵
        
        PID:3740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:3584
        
        C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
        
        "C:\Windows\SKB\LanguageModels\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteApps\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\uk-UA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\providercommon\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
71fa55c67a762ba70e40011153e19b3c

SHA1
a36d2bb4802a8ec7db1a68de5f0c3d6007987492

SHA256
b8be6896ca89d3ebe9ee8a94e3407483f4750badaf7fa33526817cfc926dc291

SHA512
32760af7c05e20fec8cbddf56c2df544a69335f930f1d313cd1fdceaa90ed2afe81e54ac1b6770097d6f5ca5f30955f95970171a453579aa19239a17aaefe47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat

Filesize
212B

MD5
8b0b662216b93422dd2eeee6416f7514

SHA1
8ca577f7a1b679be7fa23d36e5ab6565e736f360

SHA256
26e7faa765403ec57efc233f5aa703047f386c5a3b975287c5d9324dc4c688cb

SHA512
fa737ba8ad14000fc47ac1b8f5811b37bc7e5de9181f25c07dda458bdf0ce8a719f070646a89304f57f00d369de9622117451a86b5e6a255f716f90de3195f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
212B

MD5
6b254e1809175860bf54270662dafa56

SHA1
e3d26bcc30f9f86be52d1bb3a67e0fff4a1a6564

SHA256
be4ff3638f9804b817db0043fdedbd80f750611904bea426325714ef43b91429

SHA512
c08bdce1f76372b3e57f76c5c35ccf1562903a9655127347382be997a8dc125aa6c84867f018e344f5bf1de6d06903557ee2ae6d16adbd0a26279a9297a8ff8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

Filesize
212B

MD5
6752fd51bd0de7b23d2bda9f3d587571

SHA1
11314495595d32b07d1313babfb9610b8641adbb

SHA256
b9a58c2323b2e06ac4bb8593911460d6e7973a73acbb0d95e174ce69f07e603d

SHA512
e2048fc4af8a2c99fd51b17d7de7601b3cedbc0f51a036e2cd32fc99c5c7aeb84e9836e98808343265096ac0bf677fe71c2a40bfb7019544d767f57e3ea8dc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat

Filesize
212B

MD5
480e97e4f07dd345b5f9a40ed331d96c

SHA1
343c95373ef1de2921863cc92509ddd9b490ef29

SHA256
5288911494bd6f0ba68d3efdccf6fd5250df7ee936f135eb6ba527a38f1a32bf

SHA512
eabeabe6d6448866422c99bcee9e6c7219649d5b0cad6c600f69f4f84d8b8ad061441948d8d3a94d3478cd149e9919536fd794ad66952c0ed1aa78d52ec23488

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat

Filesize
212B

MD5
ddee3a36cd7690b46f83e273e63b412b

SHA1
cc317d05f4ccf09de385daebbfa7a754c2b18ae5

SHA256
896b13fe90ec51f5e543c412898abae5e7d29e8187b2443849ca8eb734417087

SHA512
473c73428dfce9794e974870e778dfc1aa2d17cbbabfa52fc757c300d5e9e85f4cbe7625e692f7ed3be4e876ff3e4141083db21d2944e94d2671953cfb3ac7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

Filesize
212B

MD5
e17db09fef4b5d1814f27577311ecbff

SHA1
c9028926d7b8510680f5a337e9f4f81d84f503ec

SHA256
babfec758a009a56b94d5162af49b957d584cdda744a1e6da2680c52ae7c4f53

SHA512
50c0d586e6cdfbb182f96f935a4dbf0838fc39861751f6f0596127bb4170492329fa3d2d96208bef97a67512f3b61819842a05e1e4633bcca52690df805d429b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4vzu1j5.wtq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
212B

MD5
305101f18a9f339d0f7861ffe1b13d38

SHA1
20412dd11e674d53a7d784db570c4c2acf1f89e5

SHA256
2240108c14d99d06f9d2b830904f8c8d82447752dfa315022492f5d13ffd6240

SHA512
bbbfe77c7336ace89ec40a1a44efa9e8813ad39255ae4f20f0179ed24cb068be6bf345dae754f4ab4443b9dddccb87592701f1f463b821b63dea8c2245e302d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
212B

MD5
bf899529cbe06ff021ac1936a649bdee

SHA1
4105239d9e6378dbfc766244dcdaf5e0c653a3fe

SHA256
11c6e412812162c414c2217e9aae434df982e6b6cb95be2842cdb9dd068619d9

SHA512
1c1b710337c71464729241a9c8e0726ca33b614d954f8d59962ecf1d9959aac5e81ac8813b85c3296b98b31f1d72e16b0b66925f06030e72d3a81f1706fdb3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

Filesize
212B

MD5
9a150f441bea92eeeea4d12f3e080dc6

SHA1
25bc389b31ccd33214d0aa1156a7f75a6d678a39

SHA256
aa765a1bfb8c8261097afeffbf6f015ff70795605fbe8fe11c92b8c13d30429d

SHA512
24ab7a4f513f7df62bc0c252e4e7215176e7063e1f25532ffba8f1520423a3d88600f4432625f29fcf6d453ebf7a23007d2f2759e4909fd0bc6bd56cef25e5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat

Filesize
212B

MD5
d4fb1861f10f6549a5b147cfdbbfffe5

SHA1
8a282f9942acf0d528c525bc25c8d1061176b8cd

SHA256
acf62031774b88a2acb26ac608e358cab08234531e629717a105246b637d25b9

SHA512
74499204c38ead244419fcc4ab79e681d9ff232181eaf2980b48afd0d1f8d51893aad8d72340e2c83ba81e1cd798272877de1f836945d44f0d42336c0739d56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat

Filesize
212B

MD5
b9943a08ade58d29b127900feff6c9fe

SHA1
6a1bc823d02afd14a56b5e0be5f4ee7505bc8316

SHA256
9a3d2cb2d25d0fb569462899ffa7d7a7aa71725b02314cd0293c87c998a65aa2

SHA512
61c9dcd13bd6328cfce46de6abf3f620c6dd1271dfc9b0d9888d4660762e3bfdd1707eaab9af978062b717343573b63557e0c66bf38c7178514844ff1e924eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

Filesize
212B

MD5
f5c2111fb0cab5e96ce714d76bd4a088

SHA1
23bdd511e74b635320b05cfb02d3f8912704e845

SHA256
b5d66b46d8b3251c2de3beb705ca27d7c2835f96e93a562e9a91d08131181b4a

SHA512
848942ad205d907214982c4dee81b54ba851c965b32dafa89f45533bf59f00b9263925ed43e7c43625eb6aa624e4f7e87196a1d7f02f71c861f6d6362fe642d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

Filesize
212B

MD5
9ecb95bd1ea254b803bb00534ff8e527

SHA1
e1784b2a610d02023adb92950e89e5d95cb56608

SHA256
d95d6b9c07ea442f836999396d02c2d59679f268803cbc08019729ec80553f8f

SHA512
4d335ffe8285a706077a3ff4b53327a3f125054171f2c82b27a9bdf217e0852c1c39d556fa797a314a1febc8beb1d14c1c096a2bfaa36f1faddbc8ebee711d26

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1896-64-0x000002365C820000-0x000002365C842000-memory.dmp

Filesize
136KB

Download
memory/2716-13-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/2716-12-0x00007FFBFAD53000-0x00007FFBFAD55000-memory.dmp

Filesize
8KB

Download
memory/2716-14-0x0000000001960000-0x0000000001972000-memory.dmp

Filesize
72KB

Download
memory/2716-15-0x0000000001970000-0x000000000197C000-memory.dmp

Filesize
48KB

Download
memory/2716-16-0x0000000001980000-0x000000000198C000-memory.dmp

Filesize
48KB

Download
memory/2716-17-0x0000000001990000-0x000000000199C000-memory.dmp

Filesize
48KB

Download
memory/3772-319-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/4616-282-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/4788-251-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download