dcrat | 6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe
Size

1.3MB
MD5

6ad6543d5dd8c54bf7d84a140974b9e8
SHA1

89e8c42529cf32ba6abbc60b8e14b9f4ed6d80df
SHA256

6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19
SHA512

4e339582a3d85a9575988d23b97f8742cceae86d8f5df8affd1cdd39215493cfc207d986be453244cb26488d7473bb764d8095965910099bd34756248b34ac71
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3572	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	3572	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023be3-10.dat	dcrat
behavioral2/memory/3392-13-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4324	powershell.exe
2684	powershell.exe
4852	powershell.exe
4424	powershell.exe
4024	powershell.exe
1276	powershell.exe
532	powershell.exe
2360	powershell.exe
2184	powershell.exe
4716	powershell.exe
3804	powershell.exe
1200	powershell.exe
1448	powershell.exe
3876	powershell.exe
824	powershell.exe
2732	powershell.exe
4560	powershell.exe
3900	powershell.exe
1148	powershell.exe
2632	powershell.exe
928	powershell.exe
4176	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 14 IoCs

pid	Process
3392	DllCommonsvc.exe
1128	DllCommonsvc.exe
5800	explorer.exe
4832	explorer.exe
2172	explorer.exe
5432	explorer.exe
5220	explorer.exe
3388	explorer.exe
5368	explorer.exe
5700	explorer.exe
5984	explorer.exe
2784	explorer.exe
4056	explorer.exe
752	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
52	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com
50	raw.githubusercontent.com
53	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\meta\cc11b995f2a76d	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\c82b8037eab33d	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\c82b8037eab33d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1656	schtasks.exe
780	schtasks.exe
2892	schtasks.exe
1060	schtasks.exe
2788	schtasks.exe
3236	schtasks.exe
904	schtasks.exe
2160	schtasks.exe
3372	schtasks.exe
3372	schtasks.exe
4320	schtasks.exe
1908	schtasks.exe
4332	schtasks.exe
4064	schtasks.exe
2120	schtasks.exe
1676	schtasks.exe
1960	schtasks.exe
1440	schtasks.exe
3592	schtasks.exe
3488	schtasks.exe
3232	schtasks.exe
2300	schtasks.exe
3908	schtasks.exe
3940	schtasks.exe
1256	schtasks.exe
2064	schtasks.exe
3444	schtasks.exe
1156	schtasks.exe
4340	schtasks.exe
5044	schtasks.exe
3060	schtasks.exe
3492	schtasks.exe
2160	schtasks.exe
4900	schtasks.exe
2576	schtasks.exe
1316	schtasks.exe
1280	schtasks.exe
3392	schtasks.exe
5000	schtasks.exe
3120	schtasks.exe
3956	schtasks.exe
3980	schtasks.exe
4360	schtasks.exe
5064	schtasks.exe
4552	schtasks.exe
1780	schtasks.exe
4896	schtasks.exe
4340	schtasks.exe
2672	schtasks.exe
3248	schtasks.exe
3388	schtasks.exe
2272	schtasks.exe
2748	schtasks.exe
3608	schtasks.exe
4928	schtasks.exe
2672	schtasks.exe
2320	schtasks.exe
4844	schtasks.exe
4624	schtasks.exe
1152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3392	DllCommonsvc.exe
4852	powershell.exe
3876	powershell.exe
1448	powershell.exe
4852	powershell.exe
1448	powershell.exe
2184	powershell.exe
3876	powershell.exe
2184	powershell.exe
1128	DllCommonsvc.exe
1128	DllCommonsvc.exe
1128	DllCommonsvc.exe
1128	DllCommonsvc.exe
1128	DllCommonsvc.exe
1128	DllCommonsvc.exe
1128	DllCommonsvc.exe
1128	DllCommonsvc.exe
1128	DllCommonsvc.exe
4716	powershell.exe
4716	powershell.exe
2360	powershell.exe
2360	powershell.exe
4324	powershell.exe
4324	powershell.exe
4024	powershell.exe
4024	powershell.exe
4176	powershell.exe
4176	powershell.exe
2684	powershell.exe
2684	powershell.exe
3804	powershell.exe
3804	powershell.exe
4424	powershell.exe
4424	powershell.exe
2632	powershell.exe
2632	powershell.exe
4560	powershell.exe
4560	powershell.exe
2732	powershell.exe
2732	powershell.exe
532	powershell.exe
532	powershell.exe
824	powershell.exe
824	powershell.exe
1148	powershell.exe
1148	powershell.exe
3900	powershell.exe
3900	powershell.exe
1276	powershell.exe
1276	powershell.exe
928	powershell.exe
928	powershell.exe
1200	powershell.exe
1200	powershell.exe
928	powershell.exe
1148	powershell.exe
4324	powershell.exe
4324	powershell.exe
4424	powershell.exe
2732	powershell.exe
532	powershell.exe
2360	powershell.exe
2360	powershell.exe
4716	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3392	DllCommonsvc.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	1128	DllCommonsvc.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	5800	explorer.exe
Token: SeDebugPrivilege	4832	explorer.exe
Token: SeDebugPrivilege	2172	explorer.exe
Token: SeDebugPrivilege	5432	explorer.exe
Token: SeDebugPrivilege	5220	explorer.exe
Token: SeDebugPrivilege	3388	explorer.exe
Token: SeDebugPrivilege	5368	explorer.exe
Token: SeDebugPrivilege	5700	explorer.exe
Token: SeDebugPrivilege	5984	explorer.exe
Token: SeDebugPrivilege	2784	explorer.exe
Token: SeDebugPrivilege	4056	explorer.exe
Token: SeDebugPrivilege	752	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3744	4988	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe	83
PID 4988 wrote to memory of 3744	4988	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe	83
PID 4988 wrote to memory of 3744	4988	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe	83
PID 3744 wrote to memory of 628	3744	WScript.exe	85
PID 3744 wrote to memory of 628	3744	WScript.exe	85
PID 3744 wrote to memory of 628	3744	WScript.exe	85
PID 628 wrote to memory of 3392	628	cmd.exe	87
PID 628 wrote to memory of 3392	628	cmd.exe	87
PID 3392 wrote to memory of 2184	3392	DllCommonsvc.exe	99
PID 3392 wrote to memory of 2184	3392	DllCommonsvc.exe	99
PID 3392 wrote to memory of 4852	3392	DllCommonsvc.exe	100
PID 3392 wrote to memory of 4852	3392	DllCommonsvc.exe	100
PID 3392 wrote to memory of 1448	3392	DllCommonsvc.exe	101
PID 3392 wrote to memory of 1448	3392	DllCommonsvc.exe	101
PID 3392 wrote to memory of 3876	3392	DllCommonsvc.exe	102
PID 3392 wrote to memory of 3876	3392	DllCommonsvc.exe	102
PID 3392 wrote to memory of 1932	3392	DllCommonsvc.exe	106
PID 3392 wrote to memory of 1932	3392	DllCommonsvc.exe	106
PID 1932 wrote to memory of 1636	1932	cmd.exe	109
PID 1932 wrote to memory of 1636	1932	cmd.exe	109
PID 1932 wrote to memory of 1128	1932	cmd.exe	115
PID 1932 wrote to memory of 1128	1932	cmd.exe	115
PID 1128 wrote to memory of 4716	1128	DllCommonsvc.exe	167
PID 1128 wrote to memory of 4716	1128	DllCommonsvc.exe	167
PID 1128 wrote to memory of 2360	1128	DllCommonsvc.exe	168
PID 1128 wrote to memory of 2360	1128	DllCommonsvc.exe	168
PID 1128 wrote to memory of 2732	1128	DllCommonsvc.exe	169
PID 1128 wrote to memory of 2732	1128	DllCommonsvc.exe	169
PID 1128 wrote to memory of 2684	1128	DllCommonsvc.exe	170
PID 1128 wrote to memory of 2684	1128	DllCommonsvc.exe	170
PID 1128 wrote to memory of 4324	1128	DllCommonsvc.exe	171
PID 1128 wrote to memory of 4324	1128	DllCommonsvc.exe	171
PID 1128 wrote to memory of 1148	1128	DllCommonsvc.exe	173
PID 1128 wrote to memory of 1148	1128	DllCommonsvc.exe	173
PID 1128 wrote to memory of 532	1128	DllCommonsvc.exe	174
PID 1128 wrote to memory of 532	1128	DllCommonsvc.exe	174
PID 1128 wrote to memory of 3900	1128	DllCommonsvc.exe	175
PID 1128 wrote to memory of 3900	1128	DllCommonsvc.exe	175
PID 1128 wrote to memory of 1276	1128	DllCommonsvc.exe	176
PID 1128 wrote to memory of 1276	1128	DllCommonsvc.exe	176
PID 1128 wrote to memory of 4560	1128	DllCommonsvc.exe	178
PID 1128 wrote to memory of 4560	1128	DllCommonsvc.exe	178
PID 1128 wrote to memory of 1200	1128	DllCommonsvc.exe	179
PID 1128 wrote to memory of 1200	1128	DllCommonsvc.exe	179
PID 1128 wrote to memory of 3804	1128	DllCommonsvc.exe	180
PID 1128 wrote to memory of 3804	1128	DllCommonsvc.exe	180
PID 1128 wrote to memory of 4176	1128	DllCommonsvc.exe	181
PID 1128 wrote to memory of 4176	1128	DllCommonsvc.exe	181
PID 1128 wrote to memory of 928	1128	DllCommonsvc.exe	183
PID 1128 wrote to memory of 928	1128	DllCommonsvc.exe	183
PID 1128 wrote to memory of 824	1128	DllCommonsvc.exe	184
PID 1128 wrote to memory of 824	1128	DllCommonsvc.exe	184
PID 1128 wrote to memory of 4024	1128	DllCommonsvc.exe	185
PID 1128 wrote to memory of 4024	1128	DllCommonsvc.exe	185
PID 1128 wrote to memory of 2632	1128	DllCommonsvc.exe	186
PID 1128 wrote to memory of 2632	1128	DllCommonsvc.exe	186
PID 1128 wrote to memory of 4424	1128	DllCommonsvc.exe	187
PID 1128 wrote to memory of 4424	1128	DllCommonsvc.exe	187
PID 1128 wrote to memory of 3936	1128	DllCommonsvc.exe	203
PID 1128 wrote to memory of 3936	1128	DllCommonsvc.exe	203
PID 3936 wrote to memory of 5004	3936	cmd.exe	207
PID 3936 wrote to memory of 5004	3936	cmd.exe	207
PID 3936 wrote to memory of 5800	3936	cmd.exe	213
PID 3936 wrote to memory of 5800	3936	cmd.exe	213

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\meta\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\llBcBBNrH4.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1636
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\SppExtComObj.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\unsecapp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WrXtWNezsF.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5004
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        9⤵
        
        PID:6024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:6080
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
        11⤵
        
        PID:5204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4356
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"
        13⤵
        
        PID:5000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:5172
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        15⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1976
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        17⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:880
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        19⤵
        
        PID:3232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4488
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
        21⤵
        
        PID:5304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:5540
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
        23⤵
        
        PID:3936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1612
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
        25⤵
        
        PID:6104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:6080
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
        27⤵
        
        PID:3444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:928
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
        29⤵
        
        PID:1172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1856
        
        C:\Users\Public\Downloads\explorer.exe
        
        "C:\Users\Public\Downloads\explorer.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
        31⤵
        
        PID:940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Application Data\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\providercommon\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\providercommon\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
40410e5901db54c0ed323ae9cfbfc7fa

SHA1
c043d37544d9cde8c8a8e59a0ade84ee04dba25d

SHA256
46bc15ca448445fc31d1384e56ebe554e5833eb2ea9b019456c134188e67b013

SHA512
31c09f5b4b9ca9cd2da4d028db92431ca255f2183122280f85913476e342a0f3425551a106f9462917a75f5b97e7c70c8bd7a6dbcc20c18008292981530eb041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3bdf0f0bc4de32a6f32ecb8a32ba5df1

SHA1
900c6a905984e5e16f3efe01ce2b2cc725fc64f1

SHA256
c893092af552e973c44e0596d1509605a393896a0c1eae64f11456dc956ba40e

SHA512
680d8f42fd4cb1fffa52e1f7cc483e8afc79c8f3e25ebfe5324c7c277d88499cc58324313599e307e47ba3ee4004de7554192203413cb061a29170cd9bc889c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
405185bc0ea52b588b936aee6b9bbe3f

SHA1
485209c45e9f4ecfbb07096e5cacc1a359d577c6

SHA256
35cf92b2f431bc23642c047e98da70737e01d924d7c69df6a6ecca82cb7ad40a

SHA512
ac235e45fcf5e0b220c25e249366adf7b306fd3337d2eb1367a7168a6d45c0b434a3dc06f80c133e0119e65fc267bc274a9900ad86485b72c9126174ebd7d74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2c30103cc6b103339cfe44137ca0edf0

SHA1
ecdc8c1685831e906cbb8ca6065ab4bb06fe3db4

SHA256
85ea59925c660ced52ba5095323e580d61aa8f8de82f31cdde85a5ed7e75cfae

SHA512
a870be1cb86f955187170d99c7e6200f6871bc7858885d3b2f431bfa6f9af1d3d86a00add6f6f5a0396ed25fc19c4181b985cf08921ad98bf4903568fe59a482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8609c12c59293ee67562f5096525f6f

SHA1
7b89311e1e00dec0658daa7749b6560af217435c

SHA256
9e7a84df1f437f21ceba6e519fbbd333f0bd7721e8e4b0bb963652fb9a1163fa

SHA512
ce6838f441c0954739ec5e03af0726d20b892c4415df3c3ee2010bc6c8f6191ac6717d0e3499ce04a03441b1ad43fc7a2df0de34a1ebd67fbd62cfdf48007b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
057e7742b25e65a341d1341da25b54a8

SHA1
65c874ac4f429a4172bdf89a73922e39873ecab6

SHA256
f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

SHA512
94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
567596411bf2cfb492d035b7076b2674

SHA1
1e0d40acd1a8bd4bd7402d5eeeff6641793c551d

SHA256
6952b906439dd7cc618b3571d2dac8d5135683daf56b026e0a3588e2fdafd8b1

SHA512
83ec03a5bf152fa4d8910322203061fba680cae989a9f769c1e04ee9d03d8fadfb3f7c10fc3ed2fc1a4acf597ddea11beba7906f01b3ba6602395d5188f468db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
669da47b4b9fbd5be73aa95dae38ae5b

SHA1
5118811981f4c9dcf0c4c4225824563f917bccda

SHA256
649b913bb8af13c4c91937cb2675287e92b71f9f8afa0a15575b99b7316ce0e0

SHA512
7b554e7cbccd9896c7feb4e8f78d9e2652f04e4696d8a745e0a462b91a43044487e6d4a50dea6853624d32b76445bdf44e10e338ceb32eeeeaa6d8e5f9423b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

Filesize
203B

MD5
ab1ff18465bc51ab86bf1612e051df73

SHA1
11903dd22c6d4ff2036101a014f0caaf298ca0ea

SHA256
69c8bb359fccee0f9b200d58cb408a035d16c2895184d10fb334611e72ef4174

SHA512
6454f944cbd428167809225e0f2e0e265aa3c20f148dc8deca268cfc4efb2ee236aeda0324256fc18e700ea908819b71012e94ed2dbef7d9776a0ad73aced555

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

Filesize
203B

MD5
24c56520d861f1ddfe172c9b890416e3

SHA1
a9c0b66d4b093faf30befdc9451388c6f74e12f5

SHA256
54641d0efb47d24c86daed01973e9976d7968e1f55968ce9b8ac85476050f0f8

SHA512
88e681c38ff5d3822611763138e0a1778906ac9571745e5ef2225c53f0f2ed553b340d62afbbaa16e604f71463c5c1f14780b23b2bce51a7bbc74f0584d42c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

Filesize
203B

MD5
b52b713313f65c95a1701a34f2c1e838

SHA1
beabbbc864243b2eea16e6b62e58be74e9f52b38

SHA256
a0c04c1059b497a140fcf40c899f922614f04b9c645965618f244796a5e485af

SHA512
4a83b57cfa84a090cae6016ea86b5eb65861156927def4ce061affd3ca54cebf108e8e02221baa93f1120b86779ebcdb1127589a20ff1beabc6437f65273ec80

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat

Filesize
203B

MD5
e0188d97c6f65589776387927efffa5b

SHA1
3a3f025bb48c58da2d046da38f6099e60346de66

SHA256
c39e7aa9d8a2edc1b217733aeed080cfb86a51f6101afe4fa4aa53ec1a138427

SHA512
65fc9c86a9637e588067e6fa46ba7af42ddd9c48e5a20756bf40f6eb54b49a5845d77fecfd38028607710df2c67840a6459079d0580b60aa51f38473abe90420

Download Submit
C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

Filesize
203B

MD5
3e24007e3ad7bc50ffe2a374301a3c5d

SHA1
604fdb429735e69dff0e0a5bbd05146d2a01cca1

SHA256
5155197ec77b216b1fe462db523ccf51de93f5c73d1c4a45f51f6ffe3b942839

SHA512
c7a63ac04d2144a5b19edb57e22b9850e3d7f965c6715f4955f69978681c78099c1fc055e083f89687656bca9d6d4d35d0e851f1566f0eae80d6fd35947a0ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
203B

MD5
76d9a93bfd80271d5ff3c02c84a88e6c

SHA1
142fd7a64231925c2ff53f0ef6f40f392f3527e3

SHA256
161e6ce05c69d3ce88b77dbdbc7f6607e2a9b18038978fbee086f4b4b52fc01c

SHA512
42a45e8ebf505cb58a8090d5f80ca59b3e324f049a962e4307b3d4fc7cff129ba6bcb9740237ea11bb0d08d60599305ef735243707b1040ba88f150cce6f2d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat

Filesize
203B

MD5
86c898de3a26276348e2a4fb8f7af0c1

SHA1
b7b06648c31f3db0c3c6bb53014369cec58b9acf

SHA256
c567a5d3f81b21bd7095c29271f4cb7651e9d9ea56afc326e827fd7621491bf6

SHA512
6c88be95b55543602f896ce7d90599bf71c04247f9bf7c0768f12b73bac1329d1a77c78daacf370351b9fd4554a586e6bb24b9b6448e19202f1116608c4d77bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat

Filesize
203B

MD5
424d25a070fde7890b4b5ac39dc3a780

SHA1
d854c3ee814cd074bbe48185110056724195badc

SHA256
051a76705d281c0754d9317112c532ba08803724b30e48af86fd970d720cca3c

SHA512
b67fae8f5b0ddada2f4422b4b97f7bc5afe5e2a15ac92ccd00a7a288fe3fd81b5f180742bd37321998de17677b27d083dba94f79f4e43097832569d776e3633f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WrXtWNezsF.bat

Filesize
203B

MD5
9acbd0360a8be5a5e22a24b39f8ed839

SHA1
8af9fbf8eba7d8f6346a41f8cf6310fceeb57397

SHA256
d917d19507116f5f8f66aabfa31de130758fa9c43d9a6e129da177e4913f93ec

SHA512
a1e27b8fa2392cd56e240ff5a8b7d864d52e52e5f972763d2c83093dd427549ade16b2851ebede38e451b49942cd10533afe79762633708fc972ab5c8fdb8b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrk4b0ti.jon.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
203B

MD5
cd1ba2a78542b14bbda442008d5702fe

SHA1
d6f28b9d73f00ac62a878f7a04cd80e4ed893ef4

SHA256
c3c24d870b9131f741940388967a4520c34d7ddb5bd7ea84dc1e24098e0cf7df

SHA512
e2cb4589147336d6a29be21e8ffcc897af7ff1346ced9f427e26bdb76ebaab177311f94c1e00e18ceb1b37cf44be9b08387133f32982ef0f95b8ba53cbfc5f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

Filesize
203B

MD5
17b2c69fd0a929d1dc2428fa9088f1c1

SHA1
7bfa51f1255e88b59beb03422233969b76bdc524

SHA256
4e643c2b9b07764221aa0725c75200c747e53ea9f884675ff14980dc8d502057

SHA512
52e4b61a877884cd4aee897625bff60dc95be11a374fc45b3803cbdb6a98a2142539c8b9ce3fbb55873fb3fad449684a34eeb2af8be18f2e8ef0707b203fa2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\llBcBBNrH4.bat

Filesize
199B

MD5
f86b0f319b233c8e4b2113680a9b0cb9

SHA1
c8513806a846c7b9efd14a91eee8a05f749fd327

SHA256
19808129f5baf58f456e8a179b22cfcd503534594d285003b58f625772120c76

SHA512
ee746565a7f1c22c0504e0fff76c90e2038428d13664e7fba472087e338312095b9e653c966ee591bd7bf4a172a88ab7c60905b953f4d46937a0a6486d11849a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
203B

MD5
a72b5caa5ac1b41b89091f3b2d1bdba5

SHA1
911c1f9a5e6a3b4d20be35040326f0aeb940536a

SHA256
3efed84994778f9dd29ba545fdbb0e22168746e34e5fb147cf9055fc2a4f14b0

SHA512
be3b9a03f484dec7ee7f4ada5b82f196482f4ce6722a232a326cace1670a3ed98bfd27e74c8cb34db3beb493efb79fd9adcf41edba55815ff0e1b64ca2643321

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
203B

MD5
a0d247861178095a665d85d77a7c2f7c

SHA1
4d21834c9285bbf0b2a754c0d945bbc2af8ee67d

SHA256
50d48f3a124df941def15b1111f7db23cd6254772bf98a48e42213154afefb08

SHA512
f801b4805b0ff8dbebfcf36936d57e1b4919bc122ac6a156004b88b3065143ea489faf18971790afcc83ce2a0832cc39387ecdad8cfd32cfc5dbc90fa67ed082

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/752-389-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/1128-78-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/2172-331-0x00000000016F0000-0x0000000001702000-memory.dmp

Filesize
72KB

Download
memory/2784-375-0x00000000016C0000-0x00000000016D2000-memory.dmp

Filesize
72KB

Download
memory/3392-16-0x00000000024F0000-0x00000000024FC000-memory.dmp

Filesize
48KB

Download
memory/3392-15-0x00000000024E0000-0x00000000024EC000-memory.dmp

Filesize
48KB

Download
memory/3392-14-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/3392-12-0x00007FFE22CA3000-0x00007FFE22CA5000-memory.dmp

Filesize
8KB

Download
memory/3392-13-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/3392-17-0x0000000002500000-0x000000000250C000-memory.dmp

Filesize
48KB

Download
memory/4056-382-0x0000000002530000-0x0000000002542000-memory.dmp

Filesize
72KB

Download
memory/4852-28-0x000001E24B4A0000-0x000001E24B4C2000-memory.dmp

Filesize
136KB

Download
memory/5220-344-0x00000000019A0000-0x00000000019B2000-memory.dmp

Filesize
72KB

Download