dcrat | 0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe
Size

1.3MB
MD5

13d857df1e0216ee214c877230784f86
SHA1

ecf641be074dd244917f7c2ef4752ceaf6dbffa9
SHA256

0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e
SHA512

5febaf522ae186d9337d7fa535500757f8631513d03707e797d8f87d94d83c1c7063e92aaa1b155e2242a4fdb711d56565ee1eda7846321842512bbd06ec653c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	3552	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3552	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b97-10.dat	dcrat
behavioral2/memory/864-13-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
832	powershell.exe
3884	powershell.exe
2344	powershell.exe
4752	powershell.exe
1260	powershell.exe
3112	powershell.exe
4836	powershell.exe
2276	powershell.exe
4684	powershell.exe
1100	powershell.exe
3660	powershell.exe
2000	powershell.exe
1636	powershell.exe
1176	powershell.exe
2400	powershell.exe
2580	powershell.exe
1528	powershell.exe
1712	powershell.exe
1808	powershell.exe
1380	powershell.exe
4044	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 15 IoCs

pid	Process
864	DllCommonsvc.exe
732	DllCommonsvc.exe
1184	SppExtComObj.exe
4696	SppExtComObj.exe
4644	SppExtComObj.exe
376	SppExtComObj.exe
4004	SppExtComObj.exe
1636	SppExtComObj.exe
1812	SppExtComObj.exe
2908	SppExtComObj.exe
1624	SppExtComObj.exe
4736	SppExtComObj.exe
3240	SppExtComObj.exe
4012	SppExtComObj.exe
4948	SppExtComObj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
46	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com
55	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
62	raw.githubusercontent.com
18	raw.githubusercontent.com
26	raw.githubusercontent.com
42	raw.githubusercontent.com
47	raw.githubusercontent.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Branding\shellbrd\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\shellbrd\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\IdentityCRL\production\sysmon.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\e978f868350d50	DllCommonsvc.exe
File opened for modification	C:\Windows\Branding\shellbrd\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\IdentityCRL\production\121e5b5079f7c0	DllCommonsvc.exe
File created	C:\Windows\debug\upfc.exe	DllCommonsvc.exe
File created	C:\Windows\debug\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\powershell.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4460	schtasks.exe
3992	schtasks.exe
3696	schtasks.exe
5044	schtasks.exe
3524	schtasks.exe
4492	schtasks.exe
1424	schtasks.exe
2288	schtasks.exe
3532	schtasks.exe
5080	schtasks.exe
4188	schtasks.exe
3524	schtasks.exe
5028	schtasks.exe
2800	schtasks.exe
5044	schtasks.exe
4144	schtasks.exe
4088	schtasks.exe
2984	schtasks.exe
4104	schtasks.exe
3492	schtasks.exe
2760	schtasks.exe
768	schtasks.exe
376	schtasks.exe
3620	schtasks.exe
3380	schtasks.exe
2512	schtasks.exe
4992	schtasks.exe
3476	schtasks.exe
2380	schtasks.exe
4540	schtasks.exe
4004	schtasks.exe
4468	schtasks.exe
2032	schtasks.exe
2216	schtasks.exe
2556	schtasks.exe
1764	schtasks.exe
3236	schtasks.exe
1112	schtasks.exe
868	schtasks.exe
1524	schtasks.exe
2808	schtasks.exe
1904	schtasks.exe
4448	schtasks.exe
344	schtasks.exe
3852	schtasks.exe
1852	schtasks.exe
404	schtasks.exe
2500	schtasks.exe
3260	schtasks.exe
3972	schtasks.exe
2864	schtasks.exe
1816	schtasks.exe
4456	schtasks.exe
1592	schtasks.exe
4296	schtasks.exe
2624	schtasks.exe
4384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
864	DllCommonsvc.exe
832	powershell.exe
4836	powershell.exe
1176	powershell.exe
2276	powershell.exe
2000	powershell.exe
832	powershell.exe
1636	powershell.exe
1636	powershell.exe
4836	powershell.exe
4836	powershell.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
2000	powershell.exe
1176	powershell.exe
2276	powershell.exe
1636	powershell.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
732	DllCommonsvc.exe
4752	powershell.exe
4752	powershell.exe
4752	powershell.exe
2400	powershell.exe
2400	powershell.exe
2400	powershell.exe
1260	powershell.exe
1260	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	DllCommonsvc.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	732	DllCommonsvc.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	1184	SppExtComObj.exe
Token: SeDebugPrivilege	4696	SppExtComObj.exe
Token: SeDebugPrivilege	4644	SppExtComObj.exe
Token: SeDebugPrivilege	376	SppExtComObj.exe
Token: SeDebugPrivilege	4004	SppExtComObj.exe
Token: SeDebugPrivilege	1636	SppExtComObj.exe
Token: SeDebugPrivilege	1812	SppExtComObj.exe
Token: SeDebugPrivilege	2908	SppExtComObj.exe
Token: SeDebugPrivilege	1624	SppExtComObj.exe
Token: SeDebugPrivilege	4736	SppExtComObj.exe
Token: SeDebugPrivilege	3240	SppExtComObj.exe
Token: SeDebugPrivilege	4012	SppExtComObj.exe
Token: SeDebugPrivilege	4948	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 888	4440	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe	84
PID 4440 wrote to memory of 888	4440	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe	84
PID 4440 wrote to memory of 888	4440	JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe	84
PID 888 wrote to memory of 4396	888	WScript.exe	86
PID 888 wrote to memory of 4396	888	WScript.exe	86
PID 888 wrote to memory of 4396	888	WScript.exe	86
PID 4396 wrote to memory of 864	4396	cmd.exe	88
PID 4396 wrote to memory of 864	4396	cmd.exe	88
PID 864 wrote to memory of 832	864	DllCommonsvc.exe	106
PID 864 wrote to memory of 832	864	DllCommonsvc.exe	106
PID 864 wrote to memory of 4836	864	DllCommonsvc.exe	107
PID 864 wrote to memory of 4836	864	DllCommonsvc.exe	107
PID 864 wrote to memory of 2276	864	DllCommonsvc.exe	108
PID 864 wrote to memory of 2276	864	DllCommonsvc.exe	108
PID 864 wrote to memory of 2000	864	DllCommonsvc.exe	109
PID 864 wrote to memory of 2000	864	DllCommonsvc.exe	109
PID 864 wrote to memory of 1636	864	DllCommonsvc.exe	110
PID 864 wrote to memory of 1636	864	DllCommonsvc.exe	110
PID 864 wrote to memory of 1176	864	DllCommonsvc.exe	111
PID 864 wrote to memory of 1176	864	DllCommonsvc.exe	111
PID 864 wrote to memory of 732	864	DllCommonsvc.exe	118
PID 864 wrote to memory of 732	864	DllCommonsvc.exe	118
PID 732 wrote to memory of 2400	732	DllCommonsvc.exe	161
PID 732 wrote to memory of 2400	732	DllCommonsvc.exe	161
PID 732 wrote to memory of 1712	732	DllCommonsvc.exe	162
PID 732 wrote to memory of 1712	732	DllCommonsvc.exe	162
PID 732 wrote to memory of 3884	732	DllCommonsvc.exe	163
PID 732 wrote to memory of 3884	732	DllCommonsvc.exe	163
PID 732 wrote to memory of 1808	732	DllCommonsvc.exe	164
PID 732 wrote to memory of 1808	732	DllCommonsvc.exe	164
PID 732 wrote to memory of 2580	732	DllCommonsvc.exe	165
PID 732 wrote to memory of 2580	732	DllCommonsvc.exe	165
PID 732 wrote to memory of 2344	732	DllCommonsvc.exe	166
PID 732 wrote to memory of 2344	732	DllCommonsvc.exe	166
PID 732 wrote to memory of 4684	732	DllCommonsvc.exe	167
PID 732 wrote to memory of 4684	732	DllCommonsvc.exe	167
PID 732 wrote to memory of 4752	732	DllCommonsvc.exe	168
PID 732 wrote to memory of 4752	732	DllCommonsvc.exe	168
PID 732 wrote to memory of 1260	732	DllCommonsvc.exe	169
PID 732 wrote to memory of 1260	732	DllCommonsvc.exe	169
PID 732 wrote to memory of 1380	732	DllCommonsvc.exe	170
PID 732 wrote to memory of 1380	732	DllCommonsvc.exe	170
PID 732 wrote to memory of 4044	732	DllCommonsvc.exe	171
PID 732 wrote to memory of 4044	732	DllCommonsvc.exe	171
PID 732 wrote to memory of 3660	732	DllCommonsvc.exe	172
PID 732 wrote to memory of 3660	732	DllCommonsvc.exe	172
PID 732 wrote to memory of 3112	732	DllCommonsvc.exe	173
PID 732 wrote to memory of 3112	732	DllCommonsvc.exe	173
PID 732 wrote to memory of 1100	732	DllCommonsvc.exe	174
PID 732 wrote to memory of 1100	732	DllCommonsvc.exe	174
PID 732 wrote to memory of 1528	732	DllCommonsvc.exe	175
PID 732 wrote to memory of 1528	732	DllCommonsvc.exe	175
PID 732 wrote to memory of 4476	732	DllCommonsvc.exe	191
PID 732 wrote to memory of 4476	732	DllCommonsvc.exe	191
PID 4476 wrote to memory of 5072	4476	cmd.exe	193
PID 4476 wrote to memory of 5072	4476	cmd.exe	193
PID 4476 wrote to memory of 1184	4476	cmd.exe	200
PID 4476 wrote to memory of 1184	4476	cmd.exe	200
PID 1184 wrote to memory of 2448	1184	SppExtComObj.exe	208
PID 1184 wrote to memory of 2448	1184	SppExtComObj.exe	208
PID 2448 wrote to memory of 3408	2448	cmd.exe	210
PID 2448 wrote to memory of 3408	2448	cmd.exe	210
PID 2448 wrote to memory of 4696	2448	cmd.exe	212
PID 2448 wrote to memory of 4696	2448	cmd.exe	212

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a8666aafcf0a8e55e72f7e7c30450d529a61a2b26047fd159fed4eab404307e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:732
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\shellbrd\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\production\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\upfc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\SppExtComObj.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DQspZnlBxZ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5072
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3408
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        10⤵
        
        PID:4504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2760
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        12⤵
        
        PID:3900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3660
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        14⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:832
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        16⤵
        
        PID:3376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3672
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
        18⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4464
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        20⤵
        
        PID:1160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3148
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat"
        22⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3924
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        24⤵
        
        PID:1100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4788
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
        26⤵
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4500
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        28⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4512
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        30⤵
        
        PID:3644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4420
        
        C:\Users\Default\Pictures\SppExtComObj.exe
        
        "C:\Users\Default\Pictures\SppExtComObj.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\shellbrd\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\shellbrd\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\production\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\production\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\debug\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Pictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
154eb22fde09f911faa0ebe95dd400a3

SHA1
0ab8fb9484e7120a33d565424763f1281356f3f9

SHA256
3058a78f6adce4dcfe108b9791d5aa9431b27bdde8627f2399947aff46af477d

SHA512
f59bb2d30db73e80e5e802b3fe1175cb4e184c5671e1ce682fddf1e39ee8244a168bb4ed1d9daa6f99ef7ed9e166b392b9052c8959e2ba67cdf8c9b7868ae927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
233714f1d87f913365a129844535551d

SHA1
48c5cb4a30662308f9f4e3d196ce5b1928982863

SHA256
952bebd223c047a17364324cddb721ab7970e479b860ff493dd0800aab48b501

SHA512
c3ef855d7221530b5f962df24116c7e753d3fce970097ffb6a3bcddc57f801812baadbeb1ae54d754e4596ebeaa1bee996319e2540d13d5d252d306ece73f3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F0LTC0kP2.bat

Filesize
207B

MD5
c83edd1213fa09a8af8a9476fc580ce6

SHA1
bf7acacd56dc9d64f6a19666f4b1f4a8ba3d2efd

SHA256
4e39072e4e6c58a2ff50c0fdcc4d2efd55570c712e3bcabef02599039238ebd3

SHA512
0ef7a49d171fbc72be2e9e53e23f197adf7bda0554d31232907c6d9e59b9318a612b0cb6964fdcb9861a8317509c35f3e9af9b8487e569bfdaaf3df8e8708633

Download Submit
C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat

Filesize
207B

MD5
a6ef364ea40e7ea51d40e55aaaf61163

SHA1
11c32736a26ba84f12ccab7a41bbfd1165d6db64

SHA256
49e7787e1dcd71d49434a611a35efa8ab17c587705190a13e9ea894f50494ac9

SHA512
853d9081f5a9afdf769cfefc50b1fb22db425d87afff553f19bef48515b1033168bf7257062310b63f8e15edb9087d0de3fdb1eac18f9c6e56f76dcb7c92afd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

Filesize
207B

MD5
dc576e939d5d1587538087f19bdbfaf6

SHA1
7be00dc7263edcb0d72261f35f438d3338850682

SHA256
b7a3fbc689f390443b727ea230f65802695d0e3ccd67a0b350debe423571433c

SHA512
3575cb57b05577fbeb352c833b745f6b0ffa557d22880c565cc042303fff38b44f2d553a28686bcc2bbaf5b106226f4b45d071c5e9ad26770eeeb44778b866ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
207B

MD5
55771f93d18ad070ee809ff3a5c7a119

SHA1
25704e72ff82e416d2010c6f76853a143d012f3f

SHA256
47ccbcba5c213fe0dbb3476be065544779ee197ae3857bf824d48afa5b74e42a

SHA512
43bb43832e55474bccb8e09d14f5c1c3e4cd19a41e731216d5c12b98cdd08e0cef2a36817ec8806edef9f06929459ffa4cf20a7fc366612d3eeac58370b1f3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQspZnlBxZ.bat

Filesize
207B

MD5
3fa127e4c462def1420ee58e9879feda

SHA1
111deb67b807849691350782854db5e8223af1f6

SHA256
ab0b2fd1219535d65a2d4e6f89391a3e2ed8ba6972ff941ac2fcbeb21da75be2

SHA512
770908e3f739cd80004ca55611d73d54dbb1a286def19b4457e0818bc3a095a78a8cf11cd7bf5a70c4b59d0cec794f53f930fff8ffd7ca343053478322ea869e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
207B

MD5
33c764b57d99f57ceb34c9f212abe740

SHA1
dcfc5a141b24bcf6e79f73cbfcc33c163cf5b71e

SHA256
3510579669fb6da3f67d7ab2a4571d390389336a8ccb5df8d1d8d212661c6b5f

SHA512
925931cddfbe279a76aa8d9f379280751b1690212af342a9d2485d60b6ebc544cf96fe8420dc5e6098a376b2d81ad8f79c11b0777e671e979b8a883a4989b56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
207B

MD5
e8f3b9738704c36aad8db1b007face5a

SHA1
d16122857fb493559f0db5a0a183233bf1c94e28

SHA256
57ef542a3442890a62e3067d83ab9e0f319c08ffedb53590788b4cf25b0ce603

SHA512
07941f78517aa45b5e0c1f031415ecf60d07aa0664a33d01197a2156825d92f0a7272bb8d1bf0a8902c9f5797dbe0a8fd296cc544c894c7644f284d65f9d3670

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ka4euc1k.pd0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
207B

MD5
6df14d3c55d9f40f1bb462c57246d28b

SHA1
43356b12bfee231dfdb7e6a2ddad6bcb1a999f64

SHA256
178b52a6b661b4e17265db2e764adb7c431fe9f26ebc62710d272b777ff04b04

SHA512
fe8b7f00584e9bd59e5623acd4b416b1af5240757232605222829d99c4c5061c213b55c2380ff062c88edf91cd79ccd70f3e709122bba4116c7a7503df55bede

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
207B

MD5
885638835809124948e7b587ed282c57

SHA1
734a1579194c87cb5f87fb5114c36fb8085ae9e4

SHA256
5a1cb41cb586cffaac25b74024fa01b857f4035cf509f49ee72abf8ca798aebe

SHA512
6e5c9b2cfb57d73f7c6dc394914363c1f44ece6bd0d2ae890c4851e33d75494359369dee3922e90a7c83f8e8db10b117b7dd06dae7b9558d655e8155832dd6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
207B

MD5
ce6c327117f86fa00943c8f0e1403e68

SHA1
3aae50dd3d3bbd3ed8e712b63052be94521b3dcc

SHA256
736e86a6c3b37c217fe8ff5878e05a1fd6eebe6c1ca7ad5f8df8a679c2da3a23

SHA512
75b52f4b1ff9163fb4e232f8adfa5a5eea735702e9684989196e35546155f5dbbef1fb003161e7a69d231019bbbd28c002c196b96b4d33e64396ce2a9ca44115

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

Filesize
207B

MD5
ee69fd38a041b48f72791c7624590685

SHA1
e30e2c2d4f382e313dc164c5d9c0540f534ea208

SHA256
84789ddef77948844b9ed0c4a05f5e3fda6a6476e096fd15fbec46026bddb5de

SHA512
7b524b256263105de47c9197aab1bb94c48a1bd3a34684c72a7ac4fd6b7b395c461b6f72bdcb403603e0792e73ecb50aaaa52336c594c35b036ec5b12c6c48ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
207B

MD5
91dc91d29d597aca3e7a4051e2d519b1

SHA1
d19c9a5137a27d6f5077adfc9650cab69c3fd1fc

SHA256
4048c5b016ff31a836877d9822d978e07aae074b6fc31eaba306f124211bbcce

SHA512
38b1200614321ae3d9bda5754269fe10b8ed889dea7592fc76c1c2eb1e1b46e223d7387c28610de9bdccaae28b7186cb2e83903e890755b81ebe95cfa32efd42

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/376-323-0x00000000012E0000-0x00000000012F2000-memory.dmp

Filesize
72KB

Download
memory/732-77-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/832-31-0x000001DCA4810000-0x000001DCA4832000-memory.dmp

Filesize
136KB

Download
memory/864-12-0x00007FFEEB113000-0x00007FFEEB115000-memory.dmp

Filesize
8KB

Download
memory/864-16-0x0000000003010000-0x000000000301C000-memory.dmp

Filesize
48KB

Download
memory/864-15-0x0000000003020000-0x000000000302C000-memory.dmp

Filesize
48KB

Download
memory/864-14-0x0000000003000000-0x0000000003012000-memory.dmp

Filesize
72KB

Download
memory/864-13-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/864-17-0x0000000003030000-0x000000000303C000-memory.dmp

Filesize
48KB

Download
memory/1184-308-0x000000001C270000-0x000000001C372000-memory.dmp

Filesize
1.0MB

Download
memory/1184-301-0x00000000015C0000-0x00000000015D2000-memory.dmp

Filesize
72KB

Download
memory/3240-367-0x0000000002DF0000-0x0000000002E02000-memory.dmp

Filesize
72KB

Download
memory/4004-330-0x000000001BAF0000-0x000000001BB02000-memory.dmp

Filesize
72KB

Download
memory/4012-374-0x0000000002290000-0x00000000022A2000-memory.dmp

Filesize
72KB

Download