dcrat | 61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e.exe
Size

1.3MB
MD5

5ff1a1cfe76c71c8317f19811b841019
SHA1

64d9474cf89b6434afd4ee9c2c5e95d7b740386b
SHA256

61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e
SHA512

b1a143f24534a273123ca50ce6800a78d0973ea7d64fe8e56c9f7ea10595e43fd0465f874e57097a73ec59a2ddfaa4a4be2475c481bac22d1ac5b75c2da7526c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2328	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	2328	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b74-9.dat	dcrat
behavioral2/memory/2732-13-0x0000000000740000-0x0000000000850000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1364	powershell.exe
4740	powershell.exe
4336	powershell.exe
5068	powershell.exe
532	powershell.exe
1072	powershell.exe
2172	powershell.exe
1496	powershell.exe
4876	powershell.exe
2344	powershell.exe
2076	powershell.exe
3336	powershell.exe
3420	powershell.exe
4436	powershell.exe
3540	powershell.exe
4420	powershell.exe
2128	powershell.exe
2884	powershell.exe
5064	powershell.exe
2668	powershell.exe
5036	powershell.exe
3400	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 16 IoCs

pid	Process
2732	DllCommonsvc.exe
640	DllCommonsvc.exe
624	sihost.exe
5964	sihost.exe
5312	sihost.exe
3816	sihost.exe
3672	sihost.exe
3420	sihost.exe
1984	sihost.exe
2580	sihost.exe
5804	sihost.exe
892	sihost.exe
1448	sihost.exe
2164	sihost.exe
2704	sihost.exe
1696	sihost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
40	raw.githubusercontent.com
43	raw.githubusercontent.com
55	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com
52	raw.githubusercontent.com
54	raw.githubusercontent.com
53	raw.githubusercontent.com
21	raw.githubusercontent.com
22	raw.githubusercontent.com
36	raw.githubusercontent.com
44	raw.githubusercontent.com
47	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\restore\sihost.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\restore\66fc9ff0ee96c2	DllCommonsvc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\uk-UA\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\dotnet\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\de-DE\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\uk-UA\System.exe	DllCommonsvc.exe
File created	C:\Program Files\dotnet\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\de-DE\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\schemas\EAPMethods\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\services.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	JaffaCakes118_61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4852	schtasks.exe
5048	schtasks.exe
1840	schtasks.exe
4952	schtasks.exe
1984	schtasks.exe
4752	schtasks.exe
3956	schtasks.exe
4496	schtasks.exe
2272	schtasks.exe
4452	schtasks.exe
2908	schtasks.exe
4552	schtasks.exe
4904	schtasks.exe
3092	schtasks.exe
2780	schtasks.exe
2492	schtasks.exe
2140	schtasks.exe
4232	schtasks.exe
4860	schtasks.exe
4924	schtasks.exe
1408	schtasks.exe
4916	schtasks.exe
1664	schtasks.exe
2416	schtasks.exe
1048	schtasks.exe
3308	schtasks.exe
2680	schtasks.exe
3556	schtasks.exe
4752	schtasks.exe
3552	schtasks.exe
1940	schtasks.exe
2440	schtasks.exe
3816	schtasks.exe
2752	schtasks.exe
4172	schtasks.exe
428	schtasks.exe
3592	schtasks.exe
4484	schtasks.exe
2968	schtasks.exe
1340	schtasks.exe
3904	schtasks.exe
1760	schtasks.exe
2160	schtasks.exe
4800	schtasks.exe
4032	schtasks.exe
2472	schtasks.exe
1904	schtasks.exe
1876	schtasks.exe
3660	schtasks.exe
2548	schtasks.exe
2404	schtasks.exe
3788	schtasks.exe
3548	schtasks.exe
720	schtasks.exe
3916	schtasks.exe
2000	schtasks.exe
2980	schtasks.exe
3232	schtasks.exe
908	schtasks.exe
3892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
2732	DllCommonsvc.exe
5064	powershell.exe
4336	powershell.exe
5036	powershell.exe
2668	powershell.exe
4876	powershell.exe
1364	powershell.exe
1364	powershell.exe
4740	powershell.exe
4740	powershell.exe
5036	powershell.exe
5036	powershell.exe
5064	powershell.exe
5064	powershell.exe
4336	powershell.exe
4336	powershell.exe
2668	powershell.exe
2668	powershell.exe
1364	powershell.exe
4876	powershell.exe
4876	powershell.exe
4740	powershell.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
640	DllCommonsvc.exe
2076	powershell.exe
2076	powershell.exe
3400	powershell.exe
3400	powershell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	DllCommonsvc.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	640	DllCommonsvc.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	624	sihost.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	5964	sihost.exe
Token: SeDebugPrivilege	5312	sihost.exe
Token: SeDebugPrivilege	3816	sihost.exe
Token: SeDebugPrivilege	3672	sihost.exe
Token: SeDebugPrivilege	3420	sihost.exe
Token: SeDebugPrivilege	1984	sihost.exe
Token: SeDebugPrivilege	2580	sihost.exe
Token: SeDebugPrivilege	5804	sihost.exe
Token: SeDebugPrivilege	892	sihost.exe
Token: SeDebugPrivilege	1448	sihost.exe
Token: SeDebugPrivilege	2164	sihost.exe
Token: SeDebugPrivilege	2704	sihost.exe
Token: SeDebugPrivilege	1696	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4104	4788	JaffaCakes118_61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e.exe	83
PID 4788 wrote to memory of 4104	4788	JaffaCakes118_61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e.exe	83
PID 4788 wrote to memory of 4104	4788	JaffaCakes118_61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e.exe	83
PID 4104 wrote to memory of 1928	4104	WScript.exe	85
PID 4104 wrote to memory of 1928	4104	WScript.exe	85
PID 4104 wrote to memory of 1928	4104	WScript.exe	85
PID 1928 wrote to memory of 2732	1928	cmd.exe	87
PID 1928 wrote to memory of 2732	1928	cmd.exe	87
PID 2732 wrote to memory of 4740	2732	DllCommonsvc.exe	108
PID 2732 wrote to memory of 4740	2732	DllCommonsvc.exe	108
PID 2732 wrote to memory of 5064	2732	DllCommonsvc.exe	109
PID 2732 wrote to memory of 5064	2732	DllCommonsvc.exe	109
PID 2732 wrote to memory of 1364	2732	DllCommonsvc.exe	110
PID 2732 wrote to memory of 1364	2732	DllCommonsvc.exe	110
PID 2732 wrote to memory of 5036	2732	DllCommonsvc.exe	111
PID 2732 wrote to memory of 5036	2732	DllCommonsvc.exe	111
PID 2732 wrote to memory of 2668	2732	DllCommonsvc.exe	112
PID 2732 wrote to memory of 2668	2732	DllCommonsvc.exe	112
PID 2732 wrote to memory of 4876	2732	DllCommonsvc.exe	115
PID 2732 wrote to memory of 4876	2732	DllCommonsvc.exe	115
PID 2732 wrote to memory of 4336	2732	DllCommonsvc.exe	117
PID 2732 wrote to memory of 4336	2732	DllCommonsvc.exe	117
PID 2732 wrote to memory of 4476	2732	DllCommonsvc.exe	122
PID 2732 wrote to memory of 4476	2732	DllCommonsvc.exe	122
PID 4476 wrote to memory of 1136	4476	cmd.exe	124
PID 4476 wrote to memory of 1136	4476	cmd.exe	124
PID 4476 wrote to memory of 640	4476	cmd.exe	131
PID 4476 wrote to memory of 640	4476	cmd.exe	131
PID 640 wrote to memory of 2344	640	DllCommonsvc.exe	174
PID 640 wrote to memory of 2344	640	DllCommonsvc.exe	174
PID 640 wrote to memory of 4436	640	DllCommonsvc.exe	175
PID 640 wrote to memory of 4436	640	DllCommonsvc.exe	175
PID 640 wrote to memory of 5068	640	DllCommonsvc.exe	176
PID 640 wrote to memory of 5068	640	DllCommonsvc.exe	176
PID 640 wrote to memory of 2076	640	DllCommonsvc.exe	177
PID 640 wrote to memory of 2076	640	DllCommonsvc.exe	177
PID 640 wrote to memory of 532	640	DllCommonsvc.exe	178
PID 640 wrote to memory of 532	640	DllCommonsvc.exe	178
PID 640 wrote to memory of 3400	640	DllCommonsvc.exe	179
PID 640 wrote to memory of 3400	640	DllCommonsvc.exe	179
PID 640 wrote to memory of 3540	640	DllCommonsvc.exe	180
PID 640 wrote to memory of 3540	640	DllCommonsvc.exe	180
PID 640 wrote to memory of 1072	640	DllCommonsvc.exe	181
PID 640 wrote to memory of 1072	640	DllCommonsvc.exe	181
PID 640 wrote to memory of 4420	640	DllCommonsvc.exe	182
PID 640 wrote to memory of 4420	640	DllCommonsvc.exe	182
PID 640 wrote to memory of 2128	640	DllCommonsvc.exe	183
PID 640 wrote to memory of 2128	640	DllCommonsvc.exe	183
PID 640 wrote to memory of 3336	640	DllCommonsvc.exe	184
PID 640 wrote to memory of 3336	640	DllCommonsvc.exe	184
PID 640 wrote to memory of 3420	640	DllCommonsvc.exe	185
PID 640 wrote to memory of 3420	640	DllCommonsvc.exe	185
PID 640 wrote to memory of 2172	640	DllCommonsvc.exe	186
PID 640 wrote to memory of 2172	640	DllCommonsvc.exe	186
PID 640 wrote to memory of 1496	640	DllCommonsvc.exe	187
PID 640 wrote to memory of 1496	640	DllCommonsvc.exe	187
PID 640 wrote to memory of 2884	640	DllCommonsvc.exe	188
PID 640 wrote to memory of 2884	640	DllCommonsvc.exe	188
PID 640 wrote to memory of 624	640	DllCommonsvc.exe	204
PID 640 wrote to memory of 624	640	DllCommonsvc.exe	204
PID 624 wrote to memory of 5808	624	sihost.exe	212
PID 624 wrote to memory of 5808	624	sihost.exe	212
PID 5808 wrote to memory of 5864	5808	cmd.exe	214
PID 5808 wrote to memory of 5864	5808	cmd.exe	214

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_61aa8c8e0325c5d23970ed605931948fa060c7adbdf7f6babe4ff8ada7502c2e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\WDF\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rUCf9QwiuX.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1136
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\uk-UA\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WaaSMedicAgent.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\restore\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sysmon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        10⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat"
        12⤵
        
        PID:5324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        14⤵
        
        PID:4956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        16⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"
        18⤵
        
        PID:1364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        20⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        22⤵
        
        PID:5644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"
        24⤵
        
        PID:4504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat"
        26⤵
        
        PID:4724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        28⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        30⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
        32⤵
        
        PID:4768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\restore\sihost.exe
        
        "C:\Windows\SysWOW64\restore\sihost.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\WDF\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\WDF\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\WDF\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\providercommon\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\providercommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\providercommon\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\dotnet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\restore\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\restore\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\restore\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\providercommon\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\providercommon\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6b5af67fffe2948a1310aa4beab6f164

SHA1
e8260177c4c6be5283102ffe91b395538e392b55

SHA256
14363a01a5ab07497b69a7fd416e7c6b6de22860e3944ee41996f66faa08220c

SHA512
d141b645142d7ac196130ffc323a240b69e970fd2d6836915cab7c353dc5a259c27f2e864e1806f7b9f9973a99ede4087afe28acd0cb06279c61427f6dae6717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7189719e6df2c3dfc76197ec3f31f7a

SHA1
effd91412deadc87cc10ef76cdecc1e0b54b6d41

SHA256
1c72fa37d078b92c7e900b2e3d17c43c34d936a696a8ddf6c519f4a80308b892

SHA512
2df1f1d45844da7ffb17cdfb411f223e9c614c00f5cf7eb5ba92bf7ba174875af2a515371208286c95c0479c934ae2c6a83dfc0b54380be89db1eddd19faf978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3bdf0f0bc4de32a6f32ecb8a32ba5df1

SHA1
900c6a905984e5e16f3efe01ce2b2cc725fc64f1

SHA256
c893092af552e973c44e0596d1509605a393896a0c1eae64f11456dc956ba40e

SHA512
680d8f42fd4cb1fffa52e1f7cc483e8afc79c8f3e25ebfe5324c7c277d88499cc58324313599e307e47ba3ee4004de7554192203413cb061a29170cd9bc889c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
705e397ba2c670b0b9fcebdd31e0feea

SHA1
8566fe7e0903b7495e659ba0588b72e3ce538c3b

SHA256
ae5d0de2ba6fe534bf67dcdbbfd71cf3f8c26f3d6ec852d73362d274a242732f

SHA512
a2914a193cbea13119567199082c52eebe67719c80bc056b3820c6a4b2e8cf8c7ecd3e38975f6ffc616b171ab722a6664f44f65496fdaf114615c1bbdf98306c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc113211a3e72478c93989952aee3251

SHA1
5eeb2f2e4642ef5f147dd118742ea3c3dcf0cd16

SHA256
c6059355503eca5b35ac8446442eb5031ab610b7353cd2e8a3cf07dc99469fae

SHA512
c0748cc3a4b701f5cefeeaf9ac1bdbae28cfcf1dad8e89a2db2c756b908011ee8e945b6d02bef816763fc5acc38a72657316f5cd56c62342c8e779a50f4f4460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6bf2927575032d77fab2956579e56348

SHA1
55bfbdacbf4a787b232793f19eca4df667722621

SHA256
a8f97ad6d46dc8b95328e3d85c48451537b2c71855a5913f7b2f3305dab0b6f0

SHA512
7649c7f3c6d753ce6d374798f1f9e0bc6aa84fd445407bd0a0a4cfaa6f48c5d54deb0c836b39b5104c9e82922c0daa84fe824c43f84ae89860c7d1c68610decc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

Filesize
203B

MD5
87244f9720660508e57268db6a1e6b9a

SHA1
58972c59736fb600a92aa24581dbac650fb299ae

SHA256
806d84f2102845d72671d5607a440dfcc60f5e46be765864f27f14956c30f6e5

SHA512
36f0e47e22ede69a6600347def67bf16df6ee26accc4bec1f41500118e5ef6355f1d9d6d72c2b67e21cea64c77a86e5e9dbe4fd5f4500b61a9d7e5a135d5001e

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat

Filesize
203B

MD5
bf57d92f2801ba676baf984617e20b95

SHA1
0b105f5eeeabb93668fd95ecde9711c498799f1e

SHA256
e968900124d5a585e61a804768b287ef1a0af00eb3232f2b0d40c8d29c280fef

SHA512
4b266e4014809a1623c5567931c719ce7aadf769f8e53ed3dc77eab07a1780579da5ade319a2e3da08c94b8cce0181e13af146ffd30d552bd98bfea6a60a3b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

Filesize
203B

MD5
f92140419767ebf8698ca33f6605ef74

SHA1
459d7138c6066867af18498149d07a1ece5fff0b

SHA256
02756051ad3379a3eaf039c04b7e0c623bad9f80f9ad445ac18198e109aceab5

SHA512
e631c943862ded5220e6e6e63caac225c9fdb28f6774eb2e33cb8d503ba189441f6318eb232c62c542bf205e02ccdc62648adc38b7de718d50b63e6cd70a705e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat

Filesize
203B

MD5
9cbca498bf70f3fef936095faac14ea5

SHA1
1262a7712a931d869ddf389c6df2b5c83aa0d49a

SHA256
c7ba9d11b25d9957d01071c2bdb92322e6dae4ff54c6329177456f1cf0337593

SHA512
72b6cc2ecd3ece5f72135e042f1980e925af2d1d2e254340cf47e9467ca8840d6828c8f7b259775742b7a75e9733bcf91bbf798ce4f19ef5f9c71d2dac7f5829

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
203B

MD5
13d7ea3453661bc1c2eded548633f794

SHA1
e673aa3862a4c5a17b3594f37cc60eab0e9d0a0f

SHA256
c21bdc63164a59a43c306654111d53036b3c21a8f10ade487b1c02bc3e29aead

SHA512
585732047e96793ee6c10b8202df47df45c7ce6ce6fb80b3d353368955bc373eefc82c1d3a858601f0ae480541c32a6207a9ea081d53bbf797026bf7a5091481

Download Submit
C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat

Filesize
203B

MD5
cc195e341e4afec3bf60f9e9ede4717c

SHA1
e7f9ac041f3ca58ff4ddcc2d1cc642a69e8d4483

SHA256
5b4e7dc16a4813eba64fe866230029313576ec941a8a272ac8240dde2b79406c

SHA512
b2caf852bd95e5aa11880cbd84c77709270701a08a4a4c79e00e0562c98e7261f9c880f5b63bbb9165ee428f17d450c79f5ca34f97a4a49889a143bc1fed30c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvpxasml.ai0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat

Filesize
203B

MD5
684631827ad6c6b1455933c31e9bf631

SHA1
b91efe03768215e0e648b1a29d3c3c4abf751b96

SHA256
686be290d0f9f11270602c28d3e2b3f2de55b9da17747cc34a6e27b5ff8a5a65

SHA512
2dc3225aa8f42705b50f320bad020acdd1801b82ee84cc061696854f488646a32f91565f2f73d33e2df2da1701ff4746b6efbad62123485dec7efb9dd98e51fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
203B

MD5
f3043de2dfed33c41ec9c2a1ad7ab35c

SHA1
7af125f2603fd6e7008f895f460138e1008b13ba

SHA256
4569910f53c9ac939fcb0a196dc9cb54742801db5af68ac80d38bb2c99e89597

SHA512
fe463ac056c6fabcf1e426b614ada04cd5609cb5bf214937438f073455a984e4d30d6b9cc1d6541d3db5ea53b089404babd9ea03d7ac86a7b694f792e605dfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
203B

MD5
ef597d361e466e10e5fc9203f2145920

SHA1
7101ea5caccb46c915070ad69299eccd8da387cf

SHA256
c428d4532a7b3d60682e33b21f28ef35a78924f5b4bf824367841a22510d9107

SHA512
149ebb0a6172755a72057bbe7f1dc4b80b2685349a49443f77d9de97f2bca0ada14e7ae132e8d8f8f69f1dacc06da1588653aae149cb263cf216880b12f2369c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
203B

MD5
bd0893fac32e1d71961022f85a0d2ec0

SHA1
c13ede4af14a03ca495310dec9e0a9799b8cc8b0

SHA256
e3c2f65dbc3f8f3d27d6f62bc4e3c5a38bc016d75c038ada112a0be067175a43

SHA512
5ebc7a6c2cfe3fc88f94b555b5284acf5ae2f05f15c74f454dbcfec937035fd71c12637805cd7309f74ab472abd0148ff643600817c0575fe84387207bd25ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
203B

MD5
7dc9156c49ce34cab7796825e73eddb4

SHA1
490ca1deb0d03789d2d741b8090d9032d3f89954

SHA256
c4f63ffa71d93719f6a2591a83e504e80ea416f8f55880962e3368c8ac7eacf0

SHA512
01475c2e0cc0f5927044b1cbc1e8680de6d599e0fd5226351ffa0f6ef4f390c23a95f86e47cd7d2be0becab3bde20e67d6b26b3bd7bd00a28eff5bd438b290db

Download Submit
C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat

Filesize
203B

MD5
ff43a1d078e2eefd408fc46a0ba59d1c

SHA1
eb330853215e502fef9adcb0a8d431a9a038d803

SHA256
49c47fd668450328d33a540befccd19e1c8d7c30c369d5d631eca0fde7c9545a

SHA512
74d17a39115f7a4ca494c972cc8c2b9f103f6cb264a1de34c3c5cf1c0b91f72cf472b737f1bb7d263e48c011d55326277ed2fe72a853a892baee2878e4469a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUCf9QwiuX.bat

Filesize
199B

MD5
2b8c64cf7952e4b91f3010ce675845b5

SHA1
ba8d58d65ef4bc2c53183cccae238c64bd527967

SHA256
a723e37b33241ce04e92c04492331a3c995220d3daf33b5057c02096dbdc5748

SHA512
5e16c996ffca6ccd152b9e028368fe8e9221b144d2083d564bbeef59f00535de161c664d9cff08b4a4129aff92c01950fe7cb977b9e047e3294b2af61390fe27

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/624-211-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/640-117-0x000000001AC70000-0x000000001AC82000-memory.dmp

Filesize
72KB

Download
memory/892-383-0x0000000002C60000-0x0000000002C72000-memory.dmp

Filesize
72KB

Download
memory/1448-390-0x0000000001390000-0x00000000013A2000-memory.dmp

Filesize
72KB

Download
memory/1984-363-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/2164-397-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download
memory/2580-370-0x0000000001140000-0x0000000001152000-memory.dmp

Filesize
72KB

Download
memory/2704-404-0x0000000002B30000-0x0000000002B42000-memory.dmp

Filesize
72KB

Download
memory/2732-12-0x00007FFE2FD43000-0x00007FFE2FD45000-memory.dmp

Filesize
8KB

Download
memory/2732-13-0x0000000000740000-0x0000000000850000-memory.dmp

Filesize
1.1MB

Download
memory/2732-14-0x0000000002AE0000-0x0000000002AF2000-memory.dmp

Filesize
72KB

Download
memory/2732-15-0x000000001B320000-0x000000001B32C000-memory.dmp

Filesize
48KB

Download
memory/2732-16-0x000000001B310000-0x000000001B31C000-memory.dmp

Filesize
48KB

Download
memory/2732-17-0x000000001BB90000-0x000000001BB9C000-memory.dmp

Filesize
48KB

Download
memory/3672-350-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/3816-343-0x0000000001190000-0x00000000011A2000-memory.dmp

Filesize
72KB

Download
memory/5064-38-0x000001AAB30E0000-0x000001AAB3102000-memory.dmp

Filesize
136KB

Download
memory/5312-336-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download