dcrat | 3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20

Analysis

max time kernel
146s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20.exe
Size

1.3MB
MD5

f7ed05d3d1b15719e0ff49adb6c86149
SHA1

87c522dcf1a788c841022e46967c4e6740ae2d32
SHA256

3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20
SHA512

520b99c141dae5446c47a4875d611d681399992649dce0169c41d6e160c34e44a91648d30eeb7014a5bc11350faae12b31177d5d034ff8358e8e2bf4b95af8a0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	2460	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2460	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b8c-10.dat	dcrat
behavioral2/memory/2208-13-0x0000000000560000-0x0000000000670000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3940	powershell.exe
1204	powershell.exe
728	powershell.exe
376	powershell.exe
2436	powershell.exe
3708	powershell.exe
4536	powershell.exe
856	powershell.exe
2156	powershell.exe
1216	powershell.exe
4824	powershell.exe
4904	powershell.exe
2100	powershell.exe
2736	powershell.exe
4300	powershell.exe
5072	powershell.exe
4704	powershell.exe
4444	powershell.exe
3604	powershell.exe
992	powershell.exe
3768	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 15 IoCs

pid	Process
2208	DllCommonsvc.exe
4656	DllCommonsvc.exe
5500	wininit.exe
6004	wininit.exe
8	wininit.exe
5320	wininit.exe
4376	wininit.exe
2008	wininit.exe
5216	wininit.exe
5180	wininit.exe
5664	wininit.exe
5868	wininit.exe
6132	wininit.exe
4196	wininit.exe
1236	wininit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
46	raw.githubusercontent.com
48	raw.githubusercontent.com
36	raw.githubusercontent.com
20	raw.githubusercontent.com
34	raw.githubusercontent.com
51	raw.githubusercontent.com
19	raw.githubusercontent.com
35	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
47	raw.githubusercontent.com
49	raw.githubusercontent.com
50	raw.githubusercontent.com

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\de-DE\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\Tasks\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Tasks\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1960	schtasks.exe
2804	schtasks.exe
3732	schtasks.exe
1528	schtasks.exe
4644	schtasks.exe
2512	schtasks.exe
1708	schtasks.exe
628	schtasks.exe
1964	schtasks.exe
512	schtasks.exe
644	schtasks.exe
456	schtasks.exe
2356	schtasks.exe
668	schtasks.exe
4308	schtasks.exe
4996	schtasks.exe
1144	schtasks.exe
3560	schtasks.exe
3988	schtasks.exe
668	schtasks.exe
5076	schtasks.exe
5076	schtasks.exe
5112	schtasks.exe
4980	schtasks.exe
3932	schtasks.exe
2268	schtasks.exe
2660	schtasks.exe
1076	schtasks.exe
1532	schtasks.exe
2656	schtasks.exe
2380	schtasks.exe
1340	schtasks.exe
4988	schtasks.exe
4948	schtasks.exe
3696	schtasks.exe
5020	schtasks.exe
3308	schtasks.exe
1600	schtasks.exe
4664	schtasks.exe
1572	schtasks.exe
4160	schtasks.exe
4504	schtasks.exe
4520	schtasks.exe
1244	schtasks.exe
3368	schtasks.exe
4644	schtasks.exe
724	schtasks.exe
3692	schtasks.exe
4956	schtasks.exe
3136	schtasks.exe
2836	schtasks.exe
3272	schtasks.exe
5016	schtasks.exe
4864	schtasks.exe
4404	schtasks.exe
1372	schtasks.exe
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	DllCommonsvc.exe
2208	DllCommonsvc.exe
2208	DllCommonsvc.exe
5072	powershell.exe
2100	powershell.exe
376	powershell.exe
4904	powershell.exe
4824	powershell.exe
1216	powershell.exe
1216	powershell.exe
4904	powershell.exe
2100	powershell.exe
2100	powershell.exe
1216	powershell.exe
5072	powershell.exe
376	powershell.exe
4824	powershell.exe
4824	powershell.exe
4656	DllCommonsvc.exe
4656	DllCommonsvc.exe
4656	DllCommonsvc.exe
4656	DllCommonsvc.exe
4656	DllCommonsvc.exe
4656	DllCommonsvc.exe
3708	powershell.exe
3708	powershell.exe
3940	powershell.exe
3940	powershell.exe
4704	powershell.exe
4704	powershell.exe
4536	powershell.exe
4536	powershell.exe
1204	powershell.exe
1204	powershell.exe
728	powershell.exe
728	powershell.exe
4444	powershell.exe
4444	powershell.exe
992	powershell.exe
992	powershell.exe
3604	powershell.exe
3604	powershell.exe
4300	powershell.exe
4300	powershell.exe
3768	powershell.exe
3768	powershell.exe
2736	powershell.exe
2736	powershell.exe
856	powershell.exe
856	powershell.exe
2156	powershell.exe
2156	powershell.exe
2436	powershell.exe
2436	powershell.exe
3708	powershell.exe
3708	powershell.exe
3940	powershell.exe
3940	powershell.exe
992	powershell.exe
4704	powershell.exe
4704	powershell.exe
4444	powershell.exe
2436	powershell.exe
3768	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	DllCommonsvc.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	4656	DllCommonsvc.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	5500	wininit.exe
Token: SeDebugPrivilege	6004	wininit.exe
Token: SeDebugPrivilege	8	wininit.exe
Token: SeDebugPrivilege	5320	wininit.exe
Token: SeDebugPrivilege	4376	wininit.exe
Token: SeDebugPrivilege	2008	wininit.exe
Token: SeDebugPrivilege	5216	wininit.exe
Token: SeDebugPrivilege	5180	wininit.exe
Token: SeDebugPrivilege	5664	wininit.exe
Token: SeDebugPrivilege	5868	wininit.exe
Token: SeDebugPrivilege	6132	wininit.exe
Token: SeDebugPrivilege	4196	wininit.exe
Token: SeDebugPrivilege	1236	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2196	4816	JaffaCakes118_3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20.exe	83
PID 4816 wrote to memory of 2196	4816	JaffaCakes118_3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20.exe	83
PID 4816 wrote to memory of 2196	4816	JaffaCakes118_3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20.exe	83
PID 2196 wrote to memory of 4460	2196	WScript.exe	85
PID 2196 wrote to memory of 4460	2196	WScript.exe	85
PID 2196 wrote to memory of 4460	2196	WScript.exe	85
PID 4460 wrote to memory of 2208	4460	cmd.exe	87
PID 4460 wrote to memory of 2208	4460	cmd.exe	87
PID 2208 wrote to memory of 1216	2208	DllCommonsvc.exe	107
PID 2208 wrote to memory of 1216	2208	DllCommonsvc.exe	107
PID 2208 wrote to memory of 5072	2208	DllCommonsvc.exe	108
PID 2208 wrote to memory of 5072	2208	DllCommonsvc.exe	108
PID 2208 wrote to memory of 4824	2208	DllCommonsvc.exe	109
PID 2208 wrote to memory of 4824	2208	DllCommonsvc.exe	109
PID 2208 wrote to memory of 4904	2208	DllCommonsvc.exe	110
PID 2208 wrote to memory of 4904	2208	DllCommonsvc.exe	110
PID 2208 wrote to memory of 376	2208	DllCommonsvc.exe	111
PID 2208 wrote to memory of 376	2208	DllCommonsvc.exe	111
PID 2208 wrote to memory of 2100	2208	DllCommonsvc.exe	112
PID 2208 wrote to memory of 2100	2208	DllCommonsvc.exe	112
PID 2208 wrote to memory of 2580	2208	DllCommonsvc.exe	118
PID 2208 wrote to memory of 2580	2208	DllCommonsvc.exe	118
PID 2580 wrote to memory of 4584	2580	cmd.exe	121
PID 2580 wrote to memory of 4584	2580	cmd.exe	121
PID 2580 wrote to memory of 4656	2580	cmd.exe	126
PID 2580 wrote to memory of 4656	2580	cmd.exe	126
PID 4656 wrote to memory of 2436	4656	DllCommonsvc.exe	169
PID 4656 wrote to memory of 2436	4656	DllCommonsvc.exe	169
PID 4656 wrote to memory of 3940	4656	DllCommonsvc.exe	170
PID 4656 wrote to memory of 3940	4656	DllCommonsvc.exe	170
PID 4656 wrote to memory of 1204	4656	DllCommonsvc.exe	171
PID 4656 wrote to memory of 1204	4656	DllCommonsvc.exe	171
PID 4656 wrote to memory of 4704	4656	DllCommonsvc.exe	172
PID 4656 wrote to memory of 4704	4656	DllCommonsvc.exe	172
PID 4656 wrote to memory of 4444	4656	DllCommonsvc.exe	173
PID 4656 wrote to memory of 4444	4656	DllCommonsvc.exe	173
PID 4656 wrote to memory of 728	4656	DllCommonsvc.exe	174
PID 4656 wrote to memory of 728	4656	DllCommonsvc.exe	174
PID 4656 wrote to memory of 2736	4656	DllCommonsvc.exe	175
PID 4656 wrote to memory of 2736	4656	DllCommonsvc.exe	175
PID 4656 wrote to memory of 3604	4656	DllCommonsvc.exe	176
PID 4656 wrote to memory of 3604	4656	DllCommonsvc.exe	176
PID 4656 wrote to memory of 992	4656	DllCommonsvc.exe	177
PID 4656 wrote to memory of 992	4656	DllCommonsvc.exe	177
PID 4656 wrote to memory of 3768	4656	DllCommonsvc.exe	178
PID 4656 wrote to memory of 3768	4656	DllCommonsvc.exe	178
PID 4656 wrote to memory of 3708	4656	DllCommonsvc.exe	179
PID 4656 wrote to memory of 3708	4656	DllCommonsvc.exe	179
PID 4656 wrote to memory of 4536	4656	DllCommonsvc.exe	180
PID 4656 wrote to memory of 4536	4656	DllCommonsvc.exe	180
PID 4656 wrote to memory of 4300	4656	DllCommonsvc.exe	181
PID 4656 wrote to memory of 4300	4656	DllCommonsvc.exe	181
PID 4656 wrote to memory of 856	4656	DllCommonsvc.exe	182
PID 4656 wrote to memory of 856	4656	DllCommonsvc.exe	182
PID 4656 wrote to memory of 2156	4656	DllCommonsvc.exe	183
PID 4656 wrote to memory of 2156	4656	DllCommonsvc.exe	183
PID 4656 wrote to memory of 3084	4656	DllCommonsvc.exe	199
PID 4656 wrote to memory of 3084	4656	DllCommonsvc.exe	199
PID 3084 wrote to memory of 4060	3084	cmd.exe	203
PID 3084 wrote to memory of 4060	3084	cmd.exe	203
PID 3084 wrote to memory of 5500	3084	cmd.exe	206
PID 3084 wrote to memory of 5500	3084	cmd.exe	206
PID 5500 wrote to memory of 5724	5500	wininit.exe	208
PID 5500 wrote to memory of 5724	5500	wininit.exe	208

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a816eb2da3fbbb2b20dc1c78eefc332d586b5a599c26689331b73eea2e0af20.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OwuibCFuHI.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4584
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\SppExtComObj.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\Registry.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SANCCQJdhV.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4060
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
        9⤵
        
        PID:5724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5780
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
        11⤵
        
        PID:3696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5264
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
        13⤵
        
        PID:4904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1312
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        15⤵
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:224
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        17⤵
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2448
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
        19⤵
        
        PID:4900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:5124
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        21⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1752
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
        23⤵
        
        PID:4488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:452
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
        25⤵
        
        PID:5824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4292
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
        27⤵
        
        PID:556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:6140
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
        29⤵
        
        PID:4864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4872
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        31⤵
        
        PID:3648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:5296
        
        C:\Program Files\Windows Media Player\wininit.exe
        
        "C:\Program Files\Windows Media Player\wininit.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
        33⤵
        
        PID:848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
057e7742b25e65a341d1341da25b54a8

SHA1
65c874ac4f429a4172bdf89a73922e39873ecab6

SHA256
f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

SHA512
94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ca8bd4060a56a81930fee3ae5a9868e

SHA1
e549e772458ee62b5d8517a9ea46b6eb232ce2a3

SHA256
fc4ef88dab905de4a009585e554980907b127615b743e584bd9aa7f4f251b34e

SHA512
54509f7b2dd24d681ed97b0851bba885b8aac2cbafbc4316ea9a73896bca88227361a588909dd8e9cc5857d5ab9a2e17cc0289b84201c0f253ec74ed7986e88a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f0019bc2bc66920665e03498715a8364

SHA1
cec1a82576d060649527425a58ecc18715ee844c

SHA256
95367e6f7a4b5ce8ad79dadcb3f3c52608bdc85981a1e3a11e48695a554189fd

SHA512
ea31b00cfde5f5f3f2f376f0fb4161f589ddbf10bd856002a178711d4b60cf894c7f3a163d0fad1de599112c9f28e5c1903ab735f969c7cb886b61f7efc3d476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc421020202701227f71a51112fd4fc1

SHA1
bf72aab52375c4e2ed7043a86682a145aa05bf84

SHA256
a7b1390c894ede8d54a994869a32e33fe1ff91974a7e9bfc7b79f2855c5dab5c

SHA512
739b4a4ac0c3e4577543340c20f199ab55ef5f0594ac4071f7ddf359549fe5344ab5a9ede5477103a8ecc3383e69490d1fb1614277045533c78317173df81fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0a39287d24bc34b18568db64efa29b1

SHA1
5bb53178a61ab716bca4dc85e264a0c00b216616

SHA256
3963d61be19049d200deb0407d25fe6949e841ffb4544cc819e08738059bff42

SHA512
930e3bb6ebba499f1a4863145a9816dc157d0e9c91a94d23fe05fee0a0429f73777ae22733d7d29a2b84e537f113aa538a9a2de2bd0ae75b8f2b6b162ee2d47c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
493B

MD5
b1796de023509678d0d6806ccda0bb8b

SHA1
65ad7eeff3f2d0ea359c8ca80fc5d307d0375e55

SHA256
4e2119b1fc31263028cb123f50034d93d0b19b6b2bdbd3e84a32776e45091450

SHA512
76d2b8a0889c5854920243d0a665165cafc0dbd9ca660e14d14acb97fc2e5612699b53fb695e6a5b0cfa3542ee2f3a82d09dd14a098d32b2d300000b535705ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat

Filesize
214B

MD5
e613815af4e29d9b10bfbf1bbbb12c1b

SHA1
a8ad3acb42d3bdcc341004316b429c5a1f70bd7e

SHA256
593f2ca81819b1a054c301bfc119f09793a49b6ca655e751c242577ad9a512d7

SHA512
508ffec802803b9d6c733e04e09020e064ab19bf4a16f26b1a1fd8b48718b012e670aade8ab99a5f61c993cd573d96f95aa3abf9c1ff27ff11ff1abf8d7b2df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
214B

MD5
1170e67a0c89e76b095d8222cab1e3e6

SHA1
524060a2839a6625470aefe17a82a51eff50437f

SHA256
c016d2eb50c3f90fcb93749cb361a6bd537047ebc330e88d9488f90eb55edd1d

SHA512
f6a2aeabb37e8ed52589f16294f2754f5665d9191d02a5ff75b1590b8c81c557cf402e655f550f4b374cc22d646dddea8aec47b1b68397b6cdc1cf7ad106e10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat

Filesize
214B

MD5
d80fb4e466fba67271d3d3644bb63665

SHA1
c911385a96af29e1c70593d9681176698029a043

SHA256
4342e166751713b04fdc61f1e44c2cebedb49069574444acb27ea6aab98b7bc2

SHA512
ae44265aa485d07b492c287cfe6da281371f7bb586b941f3ed7e54917491bb6b0f19e30f4629f7511091b1bfd9295bc8d64fdb9973e3ba640b936a7b5c3c3b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat

Filesize
214B

MD5
f666fe10516d07878fd4e1e935a54b02

SHA1
7d27771c19331f04bfa52eeec07c0f975335dd7a

SHA256
179c50f4ed9b99d86c2df3d8b35e770266bcb0e71b44379fb16d06a3f43655c2

SHA512
df85a5a8f5f249e824596d7529a5ec53a04d629b081c64f66d7518133894b1f139c4cfcd120cb283df533a4b25ba082e463273c18c8e68d34c2f1bf8c031f8a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwuibCFuHI.bat

Filesize
199B

MD5
e48a16f545d736a1b80e3634830a15aa

SHA1
e8cc54b04d6f49c340a0d624374f0c3e4f7a734b

SHA256
6fb5108c31e1813a1a6aa615a288f1b2f200a7f6f8cd75cddbb691e3ae147ce8

SHA512
674ea45642ecf9c90b7a224409cb185b76338a79f644ccf71f1b4e6c905f02177a7355cc8df3234f31bb28d76554998a389beb681bc1275dba0c8ba7e77e55cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat

Filesize
214B

MD5
c560957fcca3cd067250ba62d60359e2

SHA1
b2e79cd5f337bd6eb4582efd6875691a6c01e6eb

SHA256
a0032add1a125d02fe392f9b6dd343d8ddc7956d05172fbd1a86fc83eb6c1d74

SHA512
b5071c2e8a36e28da79d9d86b9ca1f4dec122b5dfe84deb7be85d0f7f2deb103b137e3124f91a88566fd93cd74a514eec22e210a17f34d61c27de6f78ae2775e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SANCCQJdhV.bat

Filesize
214B

MD5
7a77f1e0ff475e5193a39047ce293e56

SHA1
b6f381ec9d456a81973b825f30ec55428d26c285

SHA256
745e5b7e73a3b94dda901de404e4b5473d3d8a85d31b455cb6adcc28736dcce2

SHA512
79c7eed10e2c37d22c90b50c1738b162ddef26b61fb83c494f2f9ccf1c36ecf6ab6f07ea187a353cfd3611bc615be5fcf22e255f5fc818b70b5f31809161366f

Download Submit
C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat

Filesize
214B

MD5
2fd959cf75d6524e88dc41c8dfec1617

SHA1
937e28752094a8e7015c401787d756fc94ad579d

SHA256
0b69c4770e9832e6840bac8b3159c210165e1bfd4569e1fca3165f47f37228dc

SHA512
dd1b11e860b485929f5f4767e8ab614c4a0d9cc0b7125fcd54066e830519121a7196d6b6cd57af545a06e6bc865626a68455d39048d718053ebba06a1ad5ad22

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
214B

MD5
6e8278c36cea6a2275e031e539ec838b

SHA1
1de1ceb5fcdbbb7b84a1ece8ea58f3d122c2157c

SHA256
e1418f6423b27543c137441f3fb29f4457067b625f1444a383f45844f8e34da1

SHA512
6eb2c44980a9e24e862afe495b95385aaf8308d1e871e9bd1aea3e1806c739790ef0193cce344c53a95862306a22c2667c18173c881417e7101198f041519861

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dtucjvua.zno.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat

Filesize
214B

MD5
81f2eb7204f990d8cb79e49909b1f0c3

SHA1
c27cc5417be0844fbff61d874993d8b23e6b9f50

SHA256
59cae5a988becfb9647fd67750e5a2bc2158dfdacdd5e7b87caac8cd1888dcf8

SHA512
4504b4d8b401b2ca3d9e59463fd1982e7c85c3f0a13eb7b3693a58aec809f2446f3fc677c2af9c316cd67dd3a575c74b0518c8f3054066fd76d06aaae5eda43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat

Filesize
214B

MD5
6109ac49b5f841c7ddd3a30d395bce38

SHA1
075f6a41cdd6aa0c26531d2aa905042558d6f4ab

SHA256
9fac587f1e5c2ec98e917e51d7d14b57c6535724bb7a5e9fc10f0080e158c3b7

SHA512
e8bc787c1f7e34d970dd3cb707e515e37eff2ea2226903293a5e891acf9bae78b2d54769363427fb09aa6d2e7be4707ad04b20f99f13592bbd4ce175be36568b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
214B

MD5
fd67eda53a3d1c201f63a7ebf33f2084

SHA1
1035c9627c228288a9ffeb1e5e64574c6929c6d1

SHA256
6b49254f9f8f4d6d181ad9bbab241e8efcc5428a60f75809b346b8257b9258d4

SHA512
a800d8021deb817a97f18305224a99608cad9d8a1eb6982e2cc24985bb675323276bd693aabf8f62942744e31167e9612279d287d630be8df4d381782d173926

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
214B

MD5
31cc2b08e74f2dcbceb8c57f7e82a4bc

SHA1
db59294fd0109e784e95e59648a652c336171dca

SHA256
ce7f288fcd6b7651e74295a11de011d15f11b74eed8a540035f8b36265946571

SHA512
132fdda28870417771fbfa993a27793d6b953d2b49e391132add81ccded4de2817841594b6215e1078187851c704a7e34e47f74a177f7053039d6d9baf4dc634

Download Submit
C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat

Filesize
214B

MD5
d633adf3effe20824ae2d481694d02c9

SHA1
8eaf9bf37672602585262189547f4b58adacc093

SHA256
0539493c07c20633e8f30690122f2444ee498e09a5452fbd6517f47835689e17

SHA512
87b8ba4b5ee05885b0bbe5fe8a0125fa35c1ef7b15db05760ed18c8adcf88585d45885a35d987360a4f4d3a6703b70792eb32d0dec508c9a2b214631c927d6aa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2008-340-0x00000000010B0000-0x00000000010C2000-memory.dmp

Filesize
72KB

Download
memory/2208-15-0x0000000001010000-0x000000000101C000-memory.dmp

Filesize
48KB

Download
memory/2208-14-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/2208-13-0x0000000000560000-0x0000000000670000-memory.dmp

Filesize
1.1MB

Download
memory/2208-12-0x00007FFCC1A23000-0x00007FFCC1A25000-memory.dmp

Filesize
8KB

Download
memory/2208-16-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/2208-17-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/4656-104-0x0000000002270000-0x0000000002282000-memory.dmp

Filesize
72KB

Download
memory/5072-38-0x000002446F9D0000-0x000002446F9F2000-memory.dmp

Filesize
136KB

Download
memory/5180-354-0x0000000002CF0000-0x0000000002D02000-memory.dmp

Filesize
72KB

Download
memory/5216-347-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/5500-306-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/6004-315-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download