dcrat | c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe
Size

1.3MB
MD5

c404461ae893f2b2204ffa1172f71fb3
SHA1

356dd751dfe6c80ddd5da67b3edce71add99ccff
SHA256

c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63
SHA512

272380f5630526cf41be8eb24a565575a7612b2f78a54e64913325e29cda71131b6940d9653c864929199ffe23c85c5d75326d90b933368dcfee96ba5594b6f6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4024	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	4024	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cae-10.dat	dcrat
behavioral2/memory/3400-13-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe
2148	powershell.exe
4444	powershell.exe
2716	powershell.exe
3288	powershell.exe
4992	powershell.exe
4464	powershell.exe
4484	powershell.exe
2712	powershell.exe
184	powershell.exe
1932	powershell.exe
4996	powershell.exe
3644	powershell.exe
3868	powershell.exe
2128	powershell.exe
1896	powershell.exe
2436	powershell.exe
4008	powershell.exe
4364	powershell.exe
2412	powershell.exe
2112	powershell.exe
4460	powershell.exe
3704	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 14 IoCs

pid	Process
3400	DllCommonsvc.exe
1384	DllCommonsvc.exe
1136	sppsvc.exe
3048	sppsvc.exe
1660	sppsvc.exe
3144	sppsvc.exe
2140	sppsvc.exe
368	sppsvc.exe
2860	sppsvc.exe
2296	sppsvc.exe
3652	sppsvc.exe
2428	sppsvc.exe
1476	sppsvc.exe
1832	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
41	raw.githubusercontent.com
49	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
61	raw.githubusercontent.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com
39	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\38384e6a620884	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\Registry.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Windows\es-ES\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\es-ES\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\LanguageOverlayCache\sihost.exe	DllCommonsvc.exe
File created	C:\Windows\IME\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\IME\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
680	schtasks.exe
4228	schtasks.exe
2276	schtasks.exe
3668	schtasks.exe
2500	schtasks.exe
4160	schtasks.exe
3848	schtasks.exe
2900	schtasks.exe
908	schtasks.exe
4124	schtasks.exe
4700	schtasks.exe
3124	schtasks.exe
2656	schtasks.exe
3860	schtasks.exe
416	schtasks.exe
3980	schtasks.exe
4840	schtasks.exe
1780	schtasks.exe
1400	schtasks.exe
4384	schtasks.exe
1708	schtasks.exe
1140	schtasks.exe
2876	schtasks.exe
2396	schtasks.exe
876	schtasks.exe
4276	schtasks.exe
3740	schtasks.exe
1552	schtasks.exe
4900	schtasks.exe
4608	schtasks.exe
2376	schtasks.exe
2716	schtasks.exe
4232	schtasks.exe
1136	schtasks.exe
968	schtasks.exe
4752	schtasks.exe
3220	schtasks.exe
4156	schtasks.exe
3060	schtasks.exe
4180	schtasks.exe
4676	schtasks.exe
3048	schtasks.exe
1592	schtasks.exe
3684	schtasks.exe
2568	schtasks.exe
4288	schtasks.exe
2596	schtasks.exe
3812	schtasks.exe
3368	schtasks.exe
632	schtasks.exe
4504	schtasks.exe
4196	schtasks.exe
1440	schtasks.exe
4496	schtasks.exe
3364	schtasks.exe
3408	schtasks.exe
4052	schtasks.exe
4456	schtasks.exe
4136	schtasks.exe
4772	schtasks.exe
2340	schtasks.exe
1756	schtasks.exe
3888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
3400	DllCommonsvc.exe
2112	powershell.exe
2112	powershell.exe
2148	powershell.exe
2148	powershell.exe
3288	powershell.exe
3288	powershell.exe
2128	powershell.exe
2128	powershell.exe
2148	powershell.exe
4992	powershell.exe
4992	powershell.exe
4464	powershell.exe
4464	powershell.exe
4484	powershell.exe
4484	powershell.exe
2412	powershell.exe
2412	powershell.exe
3868	powershell.exe
3868	powershell.exe
2128	powershell.exe
3644	powershell.exe
3644	powershell.exe
184	powershell.exe
184	powershell.exe
2712	powershell.exe
2712	powershell.exe
4444	powershell.exe
4444	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
2112	powershell.exe
4992	powershell.exe
3288	powershell.exe
184	powershell.exe
4464	powershell.exe
3868	powershell.exe
2412	powershell.exe
4484	powershell.exe
4444	powershell.exe
3644	powershell.exe
2712	powershell.exe
1384	DllCommonsvc.exe
1384	DllCommonsvc.exe
1384	DllCommonsvc.exe
3704	powershell.exe
3704	powershell.exe
2436	powershell.exe
2436	powershell.exe
1604	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	DllCommonsvc.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1384	DllCommonsvc.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	1136	sppsvc.exe
Token: SeDebugPrivilege	3048	sppsvc.exe
Token: SeDebugPrivilege	1660	sppsvc.exe
Token: SeDebugPrivilege	3144	sppsvc.exe
Token: SeDebugPrivilege	2140	sppsvc.exe
Token: SeDebugPrivilege	368	sppsvc.exe
Token: SeDebugPrivilege	2860	sppsvc.exe
Token: SeDebugPrivilege	2296	sppsvc.exe
Token: SeDebugPrivilege	3652	sppsvc.exe
Token: SeDebugPrivilege	2428	sppsvc.exe
Token: SeDebugPrivilege	1476	sppsvc.exe
Token: SeDebugPrivilege	1832	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 216	1756	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe	82
PID 1756 wrote to memory of 216	1756	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe	82
PID 1756 wrote to memory of 216	1756	c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe	82
PID 216 wrote to memory of 4972	216	WScript.exe	83
PID 216 wrote to memory of 4972	216	WScript.exe	83
PID 216 wrote to memory of 4972	216	WScript.exe	83
PID 4972 wrote to memory of 3400	4972	cmd.exe	85
PID 4972 wrote to memory of 3400	4972	cmd.exe	85
PID 3400 wrote to memory of 2148	3400	DllCommonsvc.exe	126
PID 3400 wrote to memory of 2148	3400	DllCommonsvc.exe	126
PID 3400 wrote to memory of 2112	3400	DllCommonsvc.exe	127
PID 3400 wrote to memory of 2112	3400	DllCommonsvc.exe	127
PID 3400 wrote to memory of 2128	3400	DllCommonsvc.exe	128
PID 3400 wrote to memory of 2128	3400	DllCommonsvc.exe	128
PID 3400 wrote to memory of 4464	3400	DllCommonsvc.exe	129
PID 3400 wrote to memory of 4464	3400	DllCommonsvc.exe	129
PID 3400 wrote to memory of 4992	3400	DllCommonsvc.exe	130
PID 3400 wrote to memory of 4992	3400	DllCommonsvc.exe	130
PID 3400 wrote to memory of 184	3400	DllCommonsvc.exe	131
PID 3400 wrote to memory of 184	3400	DllCommonsvc.exe	131
PID 3400 wrote to memory of 4444	3400	DllCommonsvc.exe	132
PID 3400 wrote to memory of 4444	3400	DllCommonsvc.exe	132
PID 3400 wrote to memory of 3288	3400	DllCommonsvc.exe	135
PID 3400 wrote to memory of 3288	3400	DllCommonsvc.exe	135
PID 3400 wrote to memory of 2716	3400	DllCommonsvc.exe	136
PID 3400 wrote to memory of 2716	3400	DllCommonsvc.exe	136
PID 3400 wrote to memory of 3868	3400	DllCommonsvc.exe	137
PID 3400 wrote to memory of 3868	3400	DllCommonsvc.exe	137
PID 3400 wrote to memory of 2712	3400	DllCommonsvc.exe	138
PID 3400 wrote to memory of 2712	3400	DllCommonsvc.exe	138
PID 3400 wrote to memory of 2412	3400	DllCommonsvc.exe	139
PID 3400 wrote to memory of 2412	3400	DllCommonsvc.exe	139
PID 3400 wrote to memory of 4484	3400	DllCommonsvc.exe	141
PID 3400 wrote to memory of 4484	3400	DllCommonsvc.exe	141
PID 3400 wrote to memory of 3644	3400	DllCommonsvc.exe	142
PID 3400 wrote to memory of 3644	3400	DllCommonsvc.exe	142
PID 3400 wrote to memory of 4392	3400	DllCommonsvc.exe	154
PID 3400 wrote to memory of 4392	3400	DllCommonsvc.exe	154
PID 4392 wrote to memory of 524	4392	cmd.exe	156
PID 4392 wrote to memory of 524	4392	cmd.exe	156
PID 4392 wrote to memory of 1384	4392	cmd.exe	157
PID 4392 wrote to memory of 1384	4392	cmd.exe	157
PID 1384 wrote to memory of 1896	1384	DllCommonsvc.exe	182
PID 1384 wrote to memory of 1896	1384	DllCommonsvc.exe	182
PID 1384 wrote to memory of 2436	1384	DllCommonsvc.exe	183
PID 1384 wrote to memory of 2436	1384	DllCommonsvc.exe	183
PID 1384 wrote to memory of 4008	1384	DllCommonsvc.exe	184
PID 1384 wrote to memory of 4008	1384	DllCommonsvc.exe	184
PID 1384 wrote to memory of 1932	1384	DllCommonsvc.exe	185
PID 1384 wrote to memory of 1932	1384	DllCommonsvc.exe	185
PID 1384 wrote to memory of 4460	1384	DllCommonsvc.exe	186
PID 1384 wrote to memory of 4460	1384	DllCommonsvc.exe	186
PID 1384 wrote to memory of 4996	1384	DllCommonsvc.exe	187
PID 1384 wrote to memory of 4996	1384	DllCommonsvc.exe	187
PID 1384 wrote to memory of 1604	1384	DllCommonsvc.exe	188
PID 1384 wrote to memory of 1604	1384	DllCommonsvc.exe	188
PID 1384 wrote to memory of 4364	1384	DllCommonsvc.exe	189
PID 1384 wrote to memory of 4364	1384	DllCommonsvc.exe	189
PID 1384 wrote to memory of 3704	1384	DllCommonsvc.exe	190
PID 1384 wrote to memory of 3704	1384	DllCommonsvc.exe	190
PID 1384 wrote to memory of 2180	1384	DllCommonsvc.exe	200
PID 1384 wrote to memory of 2180	1384	DllCommonsvc.exe	200
PID 2180 wrote to memory of 368	2180	cmd.exe	202
PID 2180 wrote to memory of 368	2180	cmd.exe	202

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe
"C:\Users\Admin\AppData\Local\Temp\c355f38ee63673e3fa88f735bb3665cce31d960484b62d4fb592a692091d7e63.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\25s6BiNAc8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:524
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\StartMenuExperienceHost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ofUwTLOZv.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:368
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"
        9⤵
        
        PID:3012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2300
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
        11⤵
        
        PID:3200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3704
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        13⤵
        
        PID:3824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1396
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"
        15⤵
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1476
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
        17⤵
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2500
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
        19⤵
        
        PID:3860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3316
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
        21⤵
        
        PID:412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2908
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat"
        23⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1756
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
        25⤵
        
        PID:4280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1660
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
        27⤵
        
        PID:3144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4448
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
        29⤵
        
        PID:4540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1920
        
        C:\Windows\es-ES\sppsvc.exe
        
        "C:\Windows\es-ES\sppsvc.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
        31⤵
        
        PID:632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\IME\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ModemLogs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
624e41a75a6dfd62039973dbbfdbe622

SHA1
f791e4cc85d6ae7039acef57a9025b173d7e963b

SHA256
ced1b5ac330145fa608627ad4de1dfb3533375f19b6da3d02ad202d0b7732bc1

SHA512
a13a128a5ea8aad3bcd5f3dbffa5fbfe7763370d8e43b546a1df1da3b0ec0d520cf5fcc8c25c22fd1e73ea1d00da1bee99305e028e71e193339e4fa8ce8f0b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
724B

MD5
09bb0457ad55056d442f859b1f1b007f

SHA1
4150558c65ae414a05ae9ee4c553fd4a535ccced

SHA256
578357413e19e7696022cce51ce42ab6384d62510edb94b48b26eedecfcf7af8

SHA512
bc18792340cc4965f454ed712932876d9d1b162312922a14671d30a1399d385a69a916372ca3ac0682d644f084611a276e166a78a3208db452c4f1e699069232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
575c67abdb0b2c72de0d9dd38b94d791

SHA1
27783f259ffd096b21c02c70cb999bf860183124

SHA256
fdf985fb9c56b4462675c41f68555f8762dd7043b15750968208b88be87252bc

SHA512
61b23a15b52cf51b525993e8cfc0b9fd41d1bb28501c96a35f776bfa738390783ad266c2d0383a53770f3662dd118a45114d92afee63b4673e88008a6559b774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8846686b7f2d146c0baa27459eedbd8d

SHA1
c953a3d1c7870a9d7ded709301f3ae7f1ea94e61

SHA256
33e3dc5ccf5c09b1c26c524b284335712ef653a2b2169732d8d890f615026c65

SHA512
3e72136bff1772ae7934c67ead939b4783ffb9a3657a366881504c7a11e76abe6469b6a4701b031fd564e6d257f7c62f52fb69f93a67459fadf909fefbbe6154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c625954a51c4bbd8141206b00f6fc0a

SHA1
4128cb2f9d2984844e303e2e330e448334e5c273

SHA256
952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

SHA512
3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f6a77860cd9c5289dd6e45bbc36a982

SHA1
750d55b0d394bc5716fc3e3204975b029d3dc43b

SHA256
a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4

SHA512
e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e2efbfd23e33d8d07d019bdd9ca20649

SHA1
68d3b285c423d311bdf8dc53354f5f4000caf386

SHA256
f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

SHA512
b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
20ccd8eee8fb63b0f660c38299f815d4

SHA1
5882e3b12448a5cd6ab57008c1be852ac84cade1

SHA256
cad714968818e2c4fec544ad7aa0faf5da04809f8efd1a8699d2861d0c0809e3

SHA512
28b87bd117a752ce699bd00c651c095dcfdb2a6cf71687177862c9062c3f73243ac32ac1b709804f940eef8c1f3e233593c73c4831449742c931d8c845c9fd8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2d6baabb78161c2401e97f08de1b3b4e

SHA1
7bd22cebd5f310d8ac2ef8027caf6a0ec3bf709e

SHA256
1cea816e9897ec6852edb3671e5a93b05ea817bc969c4d47ee70f5573f95df42

SHA512
9f35b70cdb0159002143296f11dd22bec6e28836d36bb2ec0527692935cfc3f43df54871a9397bbdf2aaf6912943968310320433ca51a39e360d7227262c754c

Download Submit
C:\Users\Admin\AppData\Local\Temp\25s6BiNAc8.bat

Filesize
199B

MD5
94218b04e47024aadd9a805283383c32

SHA1
e283b45480c01854ea5da8d079c4137cf71b8239

SHA256
15aaaee5665f030506201aff59e9e7615f23bb459594339fcc8b93a52bdf007e

SHA512
3869dfc485795506f93c52bd755795ac0a08b76a336f3eaa38599bd005a5819d52465ee7d4e4f53defa1a25fc1a5d7a084ecc773e32ce8ec4d2a5d708559d956

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ofUwTLOZv.bat

Filesize
192B

MD5
9d41b4bd6f30498ac6c999e08ad27a99

SHA1
8e69f204a827f6cf2a67947c2fb78763ee05488d

SHA256
2f886b44d524fb3436cab86c2c5c2fd853649dc2cf4c218ee321de00c224cd8c

SHA512
3941267c092aa221347e88cb0ea777527573a20bbccd5d1030edbca78356126d9c81afde9e30eaaeeb990a6718cf7fc1154c05b99394e94f928d65e26f6fef47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat

Filesize
192B

MD5
c46c462faf88bc08e9d636341b1d61ec

SHA1
0b01bebd691b1a18d8714eaee8e8c8aa0a68a449

SHA256
8bd619c1e9827b75d8783779e2a77f4ccaea62711a996aa27f08bf81e5e6ee68

SHA512
fa044c53e8b1bfdee77ec9091d50e3f7fcf94600c718e694aab5fdb2d4e3a7f416c450c0722879b75d0426d5bbc4f0d89be405c3b24ed90dca835c84b0acdd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

Filesize
192B

MD5
4ca1b09527db86008b7c4a035adfa74f

SHA1
edd590e9cf568562f611654b66f8ad3b8238c08a

SHA256
bb494578d4f8180800f27fa05980e7257a9bc0d229eed7acecd14a0059ebab96

SHA512
32e55fdb14b83d10d9821144c66c602ceb0becdaa13e34f20a2619837dd169a640a668faf7a0aec5fbea0d533eb1b5cd798c9b73a6439fecf046adc718c6793e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat

Filesize
192B

MD5
f7fdeb6f71bf9b49208f840dbbb8ddb7

SHA1
947cd940060be3178cef94cffd59968e1b5aa390

SHA256
10d6e7f17a7b00dc3672a744b7244c830fa3bc740b5700e21c6bd63bd5c8df78

SHA512
3984a188a5322b15f703372d9762bce119ff52c2945fa76e55b14d8c5efe1d33dc414af4b625c9ed052ec9f6d076a6c866e4be8ec71cc43202aec5ab547a63d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat

Filesize
192B

MD5
02c12ca4c028cc270ac557450932e6b9

SHA1
c509334b416a1a2d7a54c2215e4d18646032f8da

SHA256
23e0f78ea105fbcef832f3c10f604be7844b506b3ce77f39d3b82b812b372e2a

SHA512
cb5e97eac8ec5e05f8b0c0c20187a00d9e829d2845111b124f661075d87aee86755cd8d652d0c368a792dec0088ad8945b55a70aef2051c9fe19e878d808f851

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
192B

MD5
2a21d0d183182b77c37259d8969fe9f1

SHA1
1b57bfdae35b15d6f00181881941ad4f1e316fe4

SHA256
34a2210867bb3a94cd3e28f3c698d4cc4837871d0310996c219aefdd8bd0e749

SHA512
2c48863f30ae15e5d3f9b5f18afac294b62ecd9576a52094b6e8aa48f5fed0bab9bd71842dbba1564a6ef5f71a5c567f954caa81d966692b6ca5d5d28977f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat

Filesize
192B

MD5
be6ee6ef65cb3002e1f6346f8dd53b3e

SHA1
f833132e3d7027801437c3dbb83ff1ce366928e4

SHA256
ba5c958ce1243ccf0ad207200eb6a5360bc7439196b12465deb415fb25063258

SHA512
35cf3b9a77e55b858b4683472a2bbd4c549fd15f9a0db48488ae3d65420fe82ef405bb3f942ef5c4c0a56b4b79aa66acb53d82d6b4aa98ad6b09839b4c84067f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat

Filesize
192B

MD5
f1641650dd996aa2362356e9a1f3908d

SHA1
d634960021f24347338aee277f4ee376fda6da9a

SHA256
8f23a8931a8be0d014a9b47988b81379ce2846035f2e3470c1f563834452ac4f

SHA512
6d2d97815f6c7b3f5d29042b321f060e2165f55f6b91d37e7492bd03c0a91fd87671e991ff027ff8d562733b21605a895a5d2b3f1006a9766e73fb0c24e017ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4mqxb1l.0m5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

Filesize
192B

MD5
85b7b7fd9ba208cd088f524eda084391

SHA1
69dbb2cf9d387eb1aac442c5819e86c30f793752

SHA256
b83dff0d176c9c706187c5de053bf09f1cbb39c7ec4dbe30284e3df7ab363751

SHA512
d77c3535514f7d7b988c1338fcc8de85e40ee0f0d1e525c40ad4739bbb62ce6280d4c26c7ac143fef44b1399dfdc46d31403ef30662b7735455ae68f17955dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat

Filesize
192B

MD5
e17164bc4998a3a4295cdd5005fb7ead

SHA1
d79b76e4ef9f24e50ca8e803c03825b9bdb814a9

SHA256
096c4aaebe63ca2d9f285a9f0c53e055f95451720db965afdf77cf1cc7405ca5

SHA512
57354272ef124f95df90d10a5cc4f7e019e8537715cea787909978bdabbe65e080b045fd9b700ad97814e0c375e32b4f0394bbba15fd4d77441a1226113ae1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxMZkGAiOs.bat

Filesize
192B

MD5
017da65dac407a8101b39d29e95c833b

SHA1
3a48cca7225b346b270b8dd5ee0518dbc79179ac

SHA256
e8391efca452af46390aea7e6e5b2d4e33652c7e5c5cd22c3a1fded4fe6263c8

SHA512
bb54559dea821eceeb8675112314a74f1cc5aef77fcb2c0b522c4654aab73b251c6060c0ac5d0dc6322ee4b1609e05a0185e5fb81342a204191b7eb67a2d1ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
192B

MD5
51be5cabbd59a7a5933d083fd54358c8

SHA1
6d3c023cc69da70a72329a387268f0646fbe15a7

SHA256
ce9094ad7fec93b185b00380feafbce8d6c6b89a3a4a9298a81f2377e20b6a5e

SHA512
71b97f16fc7762bf22579af7078a553a81d923c8d1486333adacc9b232f60757b8bd8ac36a8a54d915305fa64c8b3ec7b3804482da421b52946061340631d104

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

Filesize
192B

MD5
3c315c9bfbe7b7a0d0b40a3312d3653a

SHA1
71dab51ed32ea8b0c74d0ec1ba9a1761cde2e735

SHA256
99919a41d9f8275e103b8550d3ffb405be306c2fcde45ee8f4261c6291756f12

SHA512
efc4ee5a18be1fe5b0d3718d672aae74300df409d00b822568bc29ca4a96824aad204039fd572bfbd76608c22ee1418e9f5fa216854d438ca1db19ebdb5f0b81

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/368-366-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/1136-335-0x000000001C530000-0x000000001C5D1000-memory.dmp

Filesize
644KB

Download
memory/1136-334-0x000000001B770000-0x000000001B7C6000-memory.dmp

Filesize
344KB

Download
memory/1136-328-0x0000000002BC0000-0x0000000002BD2000-memory.dmp

Filesize
72KB

Download
memory/1384-204-0x0000000002A70000-0x0000000002A82000-memory.dmp

Filesize
72KB

Download
memory/1660-346-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/2148-55-0x00000151C6130000-0x00000151C6152000-memory.dmp

Filesize
136KB

Download
memory/2428-392-0x0000000000FD0000-0x0000000000FE2000-memory.dmp

Filesize
72KB

Download
memory/2860-373-0x0000000001050000-0x0000000001062000-memory.dmp

Filesize
72KB

Download
memory/3048-339-0x0000000001910000-0x0000000001922000-memory.dmp

Filesize
72KB

Download
memory/3144-353-0x00000000030D0000-0x00000000030E2000-memory.dmp

Filesize
72KB

Download
memory/3400-13-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/3400-14-0x0000000003110000-0x0000000003122000-memory.dmp

Filesize
72KB

Download
memory/3400-12-0x00007FFC03FE3000-0x00007FFC03FE5000-memory.dmp

Filesize
8KB

Download
memory/3400-15-0x00000000031D0000-0x00000000031DC000-memory.dmp

Filesize
48KB

Download
memory/3400-16-0x00000000031C0000-0x00000000031CC000-memory.dmp

Filesize
48KB

Download
memory/3400-17-0x00000000031E0000-0x00000000031EC000-memory.dmp

Filesize
48KB

Download