Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 02:56
Behavioral task behavioral1
  Sample: ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
  Resource: win7-20240221-en

Behavioral task behavioral2
  Sample: ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
  Resource: win10v2004-20240508-en
General

Target: ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
Size: 2.2MB
MD5: 8a47ebacc81a5930588692128bc229f8
SHA1: 3323a7c3376d19d5db6decb7c0fe2747848f9725
SHA256: ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908
SHA512: d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14
SSDEEP: 49152:fHS93gX+fmEb8cbLJFVOy4lnxMPPAKYw1adF:/wNTT2MP4Kpa
Malware Config

Signatures

DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
Process spawned unexpected child process (5 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. In this trace the parent is WmiPrvSE.exe (PID 3332), the WMI provider host. A process started through WMI (for example Win32_Process.Create) is recorded with WmiPrvSE.exe as its parent, so schtasks.exe under WmiPrvSE.exe more often means the task was created through WMI than that the provider host itself was exploited; either way it is a high-signal detection, since WmiPrvSE.exe has no legitimate reason to launch schtasks.exe.
Processes:
  Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 3332) is not expected to spawn schtasks.exe; child PIDs 3304, 3612, 4260, 2188, 4208
YARA rule dcrat matched (3 IoCs):
  behavioral2/memory/344-1-0x0000000000770000-0x00000000009B6000-memory.dmp
  C:\PerfLogs\fontdrvhost.exe
  C:\ProgramData\SoftwareDistribution\upfc.exe
Detects executables packed with SmartAssembly (15 IoCs)
SmartAssembly is a commercial .NET obfuscator. The rule INDICATOR_EXE_Packed_SmartAssembly matches in the memory of the sample (PID 344) and of the SppExtComObj.exe instances, as expected when the dropped file is a copy of the same protected .NET binary.
Matches (YARA rule INDICATOR_EXE_Packed_SmartAssembly):
  behavioral2/memory/344-3-0x0000000002A10000-0x0000000002A1C000-memory.dmp
  behavioral2/memory/344-4-0x0000000002A20000-0x0000000002A30000-memory.dmp
  behavioral2/memory/344-5-0x0000000002A30000-0x0000000002A86000-memory.dmp
  behavioral2/memory/344-8-0x0000000002BC0000-0x0000000002BCA000-memory.dmp
  behavioral2/memory/344-9-0x0000000002BD0000-0x0000000002BDC000-memory.dmp
  behavioral2/memory/344-10-0x000000001B5D0000-0x000000001B5DA000-memory.dmp
  behavioral2/memory/344-11-0x000000001B5E0000-0x000000001B5EC000-memory.dmp
  behavioral2/memory/344-13-0x000000001B600000-0x000000001B60A000-memory.dmp
  behavioral2/memory/4724-217-0x000000001AFE0000-0x000000001B036000-memory.dmp
  behavioral2/memory/3028-230-0x0000000002DD0000-0x0000000002E26000-memory.dmp
  behavioral2/memory/452-253-0x000000001BDC0000-0x000000001BE16000-memory.dmp
  behavioral2/memory/1316-298-0x00000000017C0000-0x0000000001816000-memory.dmp
  behavioral2/memory/3340-310-0x0000000002C90000-0x0000000002CE6000-memory.dmp
  behavioral2/memory/548-344-0x0000000000E60000-0x0000000000EB6000-memory.dmp
  behavioral2/memory/3708-367-0x000000001B580000-0x000000001B5D6000-memory.dmp
Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run each of the six invocations adds a path exclusion (Add-MpPreference -ExclusionPath) for the sample itself or for one of its persistence copies; the full command lines are in the process tree below.
Processes: powershell.exe PIDs 3276, 4788, 5068, 2016, 1760, 3096
Checks computer location settings (2 TTPs, 17 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
    16 times by SppExtComObj.exe, once by ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
Executes dropped EXE (16 IoCs)
Processes: SppExtComObj.exe PIDs 4724, 3028, 1756, 452, 3860, 2848, 2744, 1316, 3340, 3608, 2572, 548, 4524, 3708, 2012, 228
Adds Run key to start application (2 TTPs, 5 IoCs)
All five values are written by ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Each target reuses the file name of a legitimate Windows binary (SppExtComObj.exe, upfc.exe, winlogon.exe, fontdrvhost.exe all ship in C:\Windows\System32) but lives in a directory where that binary does not belong. Note that the value name upfc is written twice with different paths; the second write replaces the first, so only four autostart entries remain at the end of the run.
Processes:
  Set value (str) Run\SppExtComObj = "\"C:\\Windows\\System32\\Analog.Shell.Broker\\SppExtComObj.exe\""
  Set value (str) Run\upfc = "\"C:\\Users\\All Users\\Adobe\\Setup\\upfc.exe\""
  Set value (str) Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""
  Set value (str) Run\upfc = "\"C:\\ProgramData\\SoftwareDistribution\\upfc.exe\""
  Set value (str) Run\fontdrvhost = "\"C:\\PerfLogs\\fontdrvhost.exe\""
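The Run-key writes above are the kind of artifact a triage script should replay rather than read one by one: the same value name can be set more than once, and a file name alone says nothing about where the file is. The following Python is an added example, not part of the sandbox report or of any tool, that parses the five writes as listed (constructed input copied from the section above), works out which path each value name finally points at, and flags targets that borrow a Windows binary's name outside its expected directory. The allow-list of expected directories and the junction table are assumptions kept small for illustration.

```python
import ntpath

# Run-key writes as they appear in the report's "Adds Run key to start application"
# section (constructed input; the registry value data is the quoted path).
RUN_KEY_WRITES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj",
     r'"C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc",
     r'"C:\Users\All Users\Adobe\Setup\upfc.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon",
     r'"C:\Recovery\WindowsRE\winlogon.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc",
     r'"C:\ProgramData\SoftwareDistribution\upfc.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost",
     r'"C:\PerfLogs\fontdrvhost.exe"'),
]

# Assumed allow-list: directories where these Windows binaries legitimately live.
# Deliberately small; in practice build it from a known-good image inventory.
EXPECTED_DIRS = {
    "sppextcomobj.exe": {r"c:\windows\system32"},
    "upfc.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
}

# Junctions that give one directory two spellings (assumption: default Windows layout).
JUNCTIONS = {r"c:\users\all users": r"c:\programdata"}


def normalize(path: str) -> str:
    """Lower-case, strip surrounding quotes and rewrite known junction prefixes."""
    p = path.strip().strip('"').lower()
    for alias, target in JUNCTIONS.items():
        if p.startswith(alias):
            p = target + p[len(alias):]
    return p


def parse_run_key_write(key: str, data: str):
    """Split a Run key path into (value name, normalized target path)."""
    value_name = key.rsplit("\\", 1)[-1]
    return value_name, normalize(data)


def is_masquerade(path: str) -> bool:
    """True when the file name is a tracked Windows binary but its directory is not an expected one."""
    directory, name = ntpath.split(normalize(path))
    expected = EXPECTED_DIRS.get(name)
    return expected is not None and directory not in expected


def analyze_run_keys(writes):
    """Replay the writes in order; a later write to the same value name wins."""
    effective = {}
    findings = []
    for key, data in writes:
        name, path = parse_run_key_write(key, data)
        if name in effective and effective[name] != path:
            findings.append(f"overwrite: Run\\{name} {effective[name]} -> {path}")
        effective[name] = path
        if is_masquerade(path):
            findings.append(f"masquerade: Run\\{name} -> {path}")
    return effective, findings


if __name__ == "__main__":
    eff, found = analyze_run_keys(RUN_KEY_WRITES)
    for line in found:
        print(line)
    print("effective autostart entries:", len(eff))
```

Run against the five writes it reports one overwrite (upfc) and five masquerades, and leaves four effective entries. Normalizing C:\Users\All Users to C:\ProgramData matters because both spellings reach the same directory on a default install, so a path-based allow-list that only knows one of them is easy to slip past.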
Drops file in System32 directory (5 IoCs)
Processes (all by ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe):
  File opened for modification: C:\Windows\System32\Analog.Shell.Broker\RCX58C1.tmp
  File opened for modification: C:\Windows\System32\Analog.Shell.Broker\RCX58C2.tmp
  File created: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  File opened for modification: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  File created: C:\Windows\System32\Analog.Shell.Broker\e1ef82546f0b02
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe PIDs 4260, 2188, 4208, 3304, 3612
Modifies registry class (17 IoCs)
Processes:
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ by ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
  Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings by SppExtComObj.exe (16 times)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated hits): PID 344 ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe; powershell.exe PIDs 2016, 3096, 4788, 3276, 5068, 1760; PID 4724 SppExtComObj.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes (all enable SeDebugPrivilege):
  ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe PID 344
  powershell.exe PIDs 4788, 3096, 2016, 3276, 5068, 1760
  SppExtComObj.exe PIDs 4724, 3028, 1756, 452, 3860, 2848, 2744, 1316, 3340, 3608, 2572, 548, 4524, 3708, 2012, 228
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair is recorded twice in the raw log; collapsed here to one line per parent. Note that PIDs 1760 and 1756 are reused later in the trace for WScript.exe instances, so correlate on PID plus creation time rather than PID alone.
Processes (parent PID -> child PIDs):
  344 ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe -> powershell.exe 3276, 4788, 5068, 2016, 1760, 3096; SppExtComObj.exe 4724
  4724 SppExtComObj.exe -> WScript.exe 3972, 4344
  3972 WScript.exe -> SppExtComObj.exe 3028
  3028 SppExtComObj.exe -> WScript.exe 4028, 3736
  4028 WScript.exe -> SppExtComObj.exe 1756
  1756 SppExtComObj.exe -> WScript.exe 3144, 1344
  3144 WScript.exe -> SppExtComObj.exe 452
  452 SppExtComObj.exe -> WScript.exe 4924, 3528
  4924 WScript.exe -> SppExtComObj.exe 3860
  3860 SppExtComObj.exe -> WScript.exe 4380, 1480
  4380 WScript.exe -> SppExtComObj.exe 2848
  2848 SppExtComObj.exe -> WScript.exe 3180, 4068
  3180 WScript.exe -> SppExtComObj.exe 2744
  2744 SppExtComObj.exe -> WScript.exe 960, 1500
  960 WScript.exe -> SppExtComObj.exe 1316
  1316 SppExtComObj.exe -> WScript.exe 632, 1760
  632 WScript.exe -> SppExtComObj.exe 3340
  3340 SppExtComObj.exe -> WScript.exe 2172
  (list capped at 64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Reading the tree: the sample (PID 344) first launches six PowerShell instances that add Defender path exclusions for itself and for each of its persistence copies, then starts the dropped SppExtComObj.exe. Each SppExtComObj.exe instance runs two .vbs files from the user's Temp directory through WScript.exe, one of which relaunches SppExtComObj.exe, so the chain repeats to depth 33 within the run. Entries are listed with their nesting depth and parent PID. PIDs 1756 and 1760 each appear twice, once for an earlier process and once for a later WScript.exe; that is PID reuse, not the same process.

depth 1 | PID 344 | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 2 | PID 3276 | parent 344 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 2 | PID 4788 | parent 344 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 2 | PID 5068 | parent 344 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\upfc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 2 | PID 2016 | parent 344 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 2 | PID 1760 | parent 344 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\SoftwareDistribution\upfc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 2 | PID 3096 | parent 344 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\fontdrvhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 2 | PID 4724 | parent 344 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: "C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 3 | PID 3972 | parent 4724 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0351f545-5ef5-438e-976e-8638c387e22b.vbs"
  - Suspicious use of WriteProcessMemory

depth 4 | PID 3028 | parent 3972 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 5 | PID 4028 | parent 3028 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff9fc68a-5537-4993-87c3-c1414412a145.vbs"
  - Suspicious use of WriteProcessMemory

depth 6 | PID 1756 | parent 4028 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 7 | PID 3144 | parent 1756 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e99529d-7ead-4eb5-a02b-ccfbbb331a62.vbs"
  - Suspicious use of WriteProcessMemory

depth 8 | PID 452 | parent 3144 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 9 | PID 4924 | parent 452 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d4435c6-643b-44bb-a47d-94185b57422e.vbs"
  - Suspicious use of WriteProcessMemory

depth 10 | PID 3860 | parent 4924 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 11 | PID 4380 | parent 3860 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7bd1255-7b10-47bb-a3ef-1344ec7ada48.vbs"
  - Suspicious use of WriteProcessMemory

depth 12 | PID 2848 | parent 4380 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 13 | PID 3180 | parent 2848 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad6c1669-108d-46c5-89ad-57294091ce76.vbs"
  - Suspicious use of WriteProcessMemory

depth 14 | PID 2744 | parent 3180 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 15 | PID 960 | parent 2744 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633ca69f-240a-44d9-8f61-2eae9c2d8ef0.vbs"
  - Suspicious use of WriteProcessMemory

depth 16 | PID 1316 | parent 960 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 17 | PID 632 | parent 1316 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8b98cd4-78d3-4b62-be68-655e618f64f5.vbs"
  - Suspicious use of WriteProcessMemory

depth 18 | PID 3340 | parent 632 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

depth 19 | PID 2172 | parent 3340 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aefdea1-bd15-48ce-8c94-e03ed473b990.vbs"

depth 20 | PID 3608 | parent 2172 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

depth 21 | PID 3672 | parent 3608 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62224a12-2b17-4ad6-ac8a-773cb2691eac.vbs"

depth 22 | PID 2572 | parent 3672 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

depth 23 | PID 3436 | parent 2572 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf5a918c-536d-4481-b80b-77748e7827bc.vbs"

depth 24 | PID 548 | parent 3436 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

depth 25 | PID 5008 | parent 548 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fb53dd9-66c4-4c72-9f8a-76b6d158963f.vbs"

depth 26 | PID 4524 | parent 5008 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

depth 27 | PID 2748 | parent 4524 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40bbc39e-80cd-43b8-b761-8cc84f6fbf0e.vbs"

depth 28 | PID 3708 | parent 2748 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

depth 29 | PID 4560 | parent 3708 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9ac3e6b-b6ef-47a4-aa9a-030aac171292.vbs"

depth 30 | PID 2012 | parent 4560 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

depth 31 | PID 3012 | parent 2012 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7229e023-8505-4b34-9f70-c2f644b6bede.vbs"

depth 32 | PID 228 | parent 3012 | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  command line: C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

depth 33 | PID 2128 | parent 228 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21847678-6bd4-4321-bcee-c386ebeee3e1.vbs"

depth 33 | PID 4220 | parent 228 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6f1db2b-13b0-4ed0-83ad-33a51f87270c.vbs"

depth 31 | PID 1620 | parent 2012 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68bb6dc3-ea4f-4c11-852d-8174a1605668.vbs"

depth 29 | PID 5076 | parent 3708 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57983995-7fc2-40b1-aa84-58185cc552be.vbs"

depth 27 | PID 1756 | parent 4524 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffef8f49-f941-469f-97bc-8402dde0e9ea.vbs"

depth 25 | PID 1976 | parent 548 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0333ab8-9ed6-409a-aa0b-5f9920815e51.vbs"

depth 23 | PID 3100 | parent 2572 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08b7206b-e08c-453c-85e8-186f9e155015.vbs"

depth 21 | PID 2432 | parent 3608 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b09f0430-3221-4884-8055-8dc261939e3f.vbs"

depth 19 | PID 3652 | parent 3340 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48c0f184-8fd8-4273-8843-cf17d092e7f0.vbs"

depth 17 | PID 1760 | parent 1316 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67c9098c-4b31-4c31-b57b-dcf4eb02e9b4.vbs"

depth 15 | PID 1500 | parent 2744 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7101fda6-6084-4a69-98fd-1c2088b9ed86.vbs"

depth 13 | PID 4068 | parent 2848 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3013c67-6628-41b2-ad42-14481e46c972.vbs"

depth 11 | PID 1480 | parent 3860 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\240f518e-d3e0-467e-beed-021756eaf370.vbs"

depth 9 | PID 3528 | parent 452 | C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60b90654-6ed7-49ff-bc29-ea38fef6213f.vbs"

(The captured tree ends here. The WriteProcessMemory section above also records the second WScript.exe children at depths 7, 5 and 3: PIDs 1344, 3736 and 4344.)
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a5c93ee-959c-42f3-a57e-53e721abbb06.vbs"7⤵PID:1344
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15512a27-1632-48ae-a87f-7e570874c52c.vbs"5⤵PID:3736
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73d0f563-2cab-4691-b7b6-8a5373885f38.vbs"3⤵PID:4344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PerfLogs\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208
Downloads