dcrat | 70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2023 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afb679b10d49b2052e1239c345dee646.exe
Size

3.0MB
MD5

afb679b10d49b2052e1239c345dee646
SHA1

5cc8ce5753431b0cc4901aa53d8489e37a91c672
SHA256

70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998
SHA512

14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967
SSDEEP

49152:hwQVR+A3rrXAafICZyKC5iEqpVJ2pfexGqjNJ8JrSwAca2R7TQALtMiTdUdvVSMt:hwQVP7x6iEgBxVr8lMfkT1DBUdvge9Gi

Score

10^/10

dcrat evasion infostealer persistence rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

taskhostw.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" taskhostw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	taskhostw.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	5076	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	5076	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

taskhostw.exeafb679b10d49b2052e1239c345dee646.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4988-132-0x0000000000D40000-0x0000000001046000-memory.dmp	dcrat
C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe	dcrat
C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe	dcrat
C:\Users\Admin\dllhost.exe	dcrat
C:\Recovery\WindowsRE\sihost.exe	dcrat
C:\Program Files\Google\Chrome\upfc.exe	dcrat
C:\Recovery\WindowsRE\SearchApp.exe	dcrat
C:\Users\Default\winlogon.exe	dcrat
C:\Users\Default User\fontdrvhost.exe	dcrat
C:\Program Files (x86)\Windows Media Player\en-US\winlogon.exe	dcrat
C:\Windows\Help\OEM\SearchApp.exe	dcrat
C:\Windows\Branding\shellbrd\dwm.exe	dcrat
C:\Windows\Provisioning\Cosa\RuntimeBroker.exe	dcrat
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe	dcrat
C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhostw.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

taskhostw.exe

pid process

3176 taskhostw.exe

pid	process
3176	taskhostw.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

afb679b10d49b2052e1239c345dee646.exetaskhostw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	afb679b10d49b2052e1239c345dee646.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

afb679b10d49b2052e1239c345dee646.exetaskhostw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe

Drops file in Program Files directory 10 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\en-US\winlogon.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Google\Chrome\upfc.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Google\Chrome\ea1d8f6d871115	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\cc11b995f2a76d	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\9e8d7a4ca61bd9	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhostw.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\ea9f0e6c9e2dcd	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\ea9f0e6c9e2dcd	afb679b10d49b2052e1239c345dee646.exe

Drops file in Windows directory 7 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exe

description	ioc	process
File created	C:\Windows\Help\OEM\38384e6a620884	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\Provisioning\Cosa\RuntimeBroker.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\Provisioning\Cosa\9e8d7a4ca61bd9	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\Branding\shellbrd\dwm.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\Branding\shellbrd\6cb0b6c459d5d3	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\WaaS\tasks\WmiPrvSE.exe	afb679b10d49b2052e1239c345dee646.exe
File created	C:\Windows\Help\OEM\SearchApp.exe	afb679b10d49b2052e1239c345dee646.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4372	schtasks.exe
4712	schtasks.exe
552	schtasks.exe
216	schtasks.exe
3108	schtasks.exe
2264	schtasks.exe
5080	schtasks.exe
4068	schtasks.exe
3588	schtasks.exe
3552	schtasks.exe
1612	schtasks.exe
3596	schtasks.exe
1156	schtasks.exe
820	schtasks.exe
4196	schtasks.exe
3040	schtasks.exe
1816	schtasks.exe
3496	schtasks.exe
1240	schtasks.exe
4840	schtasks.exe
276	schtasks.exe
236	schtasks.exe
3936	schtasks.exe
4336	schtasks.exe
4332	schtasks.exe
3044	schtasks.exe
4104	schtasks.exe
2980	schtasks.exe
3672	schtasks.exe
1504	schtasks.exe
4188	schtasks.exe
3048	schtasks.exe
4492	schtasks.exe
4732	schtasks.exe
3428	schtasks.exe
3236	schtasks.exe
1976	schtasks.exe
4112	schtasks.exe
1520	schtasks.exe

Modifies registry class 2 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exetaskhostw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	afb679b10d49b2052e1239c345dee646.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	taskhostw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4988	afb679b10d49b2052e1239c345dee646.exe
4272	powershell.exe
2232	powershell.exe
1200	powershell.exe
1200	powershell.exe
4592	powershell.exe
4592	powershell.exe
2892	powershell.exe
2892	powershell.exe
5060	powershell.exe
5060	powershell.exe
1552	powershell.exe
1552	powershell.exe
2720	powershell.exe
2720	powershell.exe
3016	powershell.exe
3016	powershell.exe
3636	powershell.exe
3636	powershell.exe
2232	powershell.exe
2232	powershell.exe
4272	powershell.exe
4272	powershell.exe
1200	powershell.exe
1200	powershell.exe
924	powershell.exe
924	powershell.exe
2892	powershell.exe
2892	powershell.exe
3700	powershell.exe
3700	powershell.exe
3804	powershell.exe
3804	powershell.exe
3756	powershell.exe
3756	powershell.exe
4592	powershell.exe
4592	powershell.exe
3700	powershell.exe
3756	powershell.exe
924	powershell.exe
5060	powershell.exe
5060	powershell.exe
1552	powershell.exe
1552	powershell.exe
3016	powershell.exe
3636	powershell.exe
2720	powershell.exe
3804	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhostw.exe

pid process

3176 taskhostw.exe

pid	process
3176	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4988	afb679b10d49b2052e1239c345dee646.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3176	taskhostw.exe
Token: SeBackupPrivilege	1980	vssvc.exe
Token: SeRestorePrivilege	1980	vssvc.exe
Token: SeAuditPrivilege	1980	vssvc.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

afb679b10d49b2052e1239c345dee646.execmd.exetaskhostw.exe

description	pid	process	target process
PID 4988 wrote to memory of 4272	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 4272	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 2232	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 2232	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 1200	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 1200	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 2892	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 2892	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 4592	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 4592	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 1552	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 1552	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 5060	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 5060	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3016	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3016	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 2720	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 2720	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3636	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3636	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3700	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3700	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3804	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3804	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3756	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 3756	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 924	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 924	4988	afb679b10d49b2052e1239c345dee646.exe	powershell.exe
PID 4988 wrote to memory of 2976	4988	afb679b10d49b2052e1239c345dee646.exe	cmd.exe
PID 4988 wrote to memory of 2976	4988	afb679b10d49b2052e1239c345dee646.exe	cmd.exe
PID 2976 wrote to memory of 2288	2976	cmd.exe	w32tm.exe
PID 2976 wrote to memory of 2288	2976	cmd.exe	w32tm.exe
PID 2976 wrote to memory of 3176	2976	cmd.exe	taskhostw.exe
PID 2976 wrote to memory of 3176	2976	cmd.exe	taskhostw.exe
PID 3176 wrote to memory of 3504	3176	taskhostw.exe	WScript.exe
PID 3176 wrote to memory of 3504	3176	taskhostw.exe	WScript.exe
PID 3176 wrote to memory of 1080	3176	taskhostw.exe	WScript.exe
PID 3176 wrote to memory of 1080	3176	taskhostw.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

afb679b10d49b2052e1239c345dee646.exetaskhostw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	afb679b10d49b2052e1239c345dee646.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	afb679b10d49b2052e1239c345dee646.exe

C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe
"C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\afb679b10d49b2052e1239c345dee646.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\winlogon.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\SearchApp.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\shellbrd\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhostw.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Cosa\RuntimeBroker.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\en-US\winlogon.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\upfc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1ukamPVDSD.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2288

C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe"
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3176

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0e70117-c372-4acf-9933-45dcef033d65.vbs"
4⤵
PID:1080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8115a2aa-e828-43b5-965f-49f388adec54.vbs"
4⤵
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat" "
4⤵
PID:1568

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\OEM\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Help\OEM\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\OEM\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Cosa\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Cosa\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\shellbrd\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\shellbrd\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "afb679b10d49b2052e1239c345dee646" /f
1⤵
- Process spawned unexpected child process
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "afb679b10d49b2052e1239c345dee646a" /f
1⤵
- Process spawned unexpected child process
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
- Process spawned unexpected child process
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
- Process spawned unexpected child process
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sihost" /f
1⤵
- Process spawned unexpected child process
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sihosts" /f
1⤵
- Process spawned unexpected child process
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "upfc" /f
1⤵
- Process spawned unexpected child process
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "upfcu" /f
1⤵
- Process spawned unexpected child process
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogon" /f
1⤵
- Process spawned unexpected child process
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogonw" /f
1⤵
- Process spawned unexpected child process
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchApp" /f
1⤵
- Process spawned unexpected child process
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchAppS" /f
1⤵
- Process spawned unexpected child process
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
- Process spawned unexpected child process
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
- Process spawned unexpected child process
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostw" /f
1⤵
- Process spawned unexpected child process
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostwt" /f
1⤵
- Process spawned unexpected child process
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogon" /f
1⤵
- Process spawned unexpected child process
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "winlogonw" /f
1⤵
- Process spawned unexpected child process
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchApp" /f
1⤵
- Process spawned unexpected child process
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchAppS" /f
1⤵
- Process spawned unexpected child process
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwm" /f
1⤵
- Process spawned unexpected child process
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwmd" /f
1⤵
- Process spawned unexpected child process
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostwt" /f
1⤵
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostw" /f
1⤵
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostw" /f
1⤵
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "taskhostwt" /f
1⤵
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\en-US\cc11b995f2a76d
Filesize
10B

MD5
f056bcc3d7ff3705e387303daa364e98

SHA1
ec16d51b649be21fc75acf468015921b812f7c1b

SHA256
27186151d89515fd19191caaadcabbf2691e6d4133385493f5fc7151d9ebe194

SHA512
0253f523dcfcc0f8892ff1523da282f9ca0567c22301bc7592e063f3f80e25e3a1ac5c98280c245645109e1b341836cdbf47b595ea06729fef21dd3004e6f137

Download Submit
C:\Program Files (x86)\Windows Media Player\en-US\winlogon.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\ea9f0e6c9e2dcd
Filesize
128B

MD5
b779db8238f1b3fec8a5c52a37d0e160

SHA1
ed09c54c337b9f48bac62fbefab8392c17a93a84

SHA256
becf2659a481454e583d5affa1dbcdfc4aa4d303d15913b4ad83832ea86feac4

SHA512
dbd30b7ed748e60557375f02eaaf649cc9406a060e6a43009ac164170d2cc8f6437b90bceea6fe86754d4203ddc1952b3852aaa9284cb26a5529fb7040f00ebb

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\en-US\taskhostw.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Program Files\Google\Chrome\ea1d8f6d871115
Filesize
527B

MD5
21eaa92a13642729117f1f932317a710

SHA1
94ff21ca37ec60d736a6005baebd5df00ad44b49

SHA256
23c4bae0cf80ad2e00f454efc9ddf9c64a317e727b78279eecfbb2d41610314b

SHA512
fef51fc1d1cd228af16c9c78d777d6180d234d37bfb2de3c8f416b7d66f95d29eed77339d29ed195f865a8ec8765b17eadf7a1e6f9de76c1cff040fa02a4e5d3

Download Submit
C:\Program Files\Google\Chrome\upfc.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\9e8d7a4ca61bd9
Filesize
505B

MD5
205e0719c42371f9acea281277c767d6

SHA1
e651828134aa730c0bce32ae395efdcf54485a76

SHA256
ba8dd8c17f0cb7e29cc12a433c1159878b131ee34a24db8f24d7905182f13182

SHA512
98d1123cd4e8696e90bc83a9699338213f3a9debe78ab3300801017ff79dee17053f1406769e5bedd447aaca42bf09febeec6d42706a942c2c3a25cb44506ab8

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\taskhostw.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Recovery\WindowsRE\38384e6a620884
Filesize
311B

MD5
275efcb58c5ae56eb94697ee0d70ebc3

SHA1
a9f31a08abd9366d16f9e3f562b52b0b841bdcf2

SHA256
52f57e84f624b1e1008229f6cb269af865bbba66a36a8668fa799c5d79dca8df

SHA512
42a2ab5db985f9de9b6dfec95d34944f9b83aca3c2c605b0cc3c2bf3a9cec9ee7151d2984f9eac78f41518651bdd1bcf731b0448e44390d2fabe8cae34bbd700

Download Submit
C:\Recovery\WindowsRE\66fc9ff0ee96c2
Filesize
599B

MD5
01c224ca1a5f2faf074a5d0d9b0b1d86

SHA1
ce091e34f3e440cb3f494d89c04b2d07afa154c2

SHA256
61961e3bd599bd766f7ab99568a007166156dfe4fe8ab4709098f0f73d83266d

SHA512
6964733b97aecc683374574b175ad8b3f8ae60d638305a913a15431bcae8a8aec486c466ea72054c9dfd318acab76bcd1b795b95ab3731b053f7078b653624a0

Download Submit
C:\Recovery\WindowsRE\SearchApp.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Recovery\WindowsRE\sihost.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Users\Admin\5940a34987c991
Filesize
625B

MD5
10bea9f4af17c9cce917a30f99a421cb

SHA1
85ba9870e08267b669f447c7c1e98c2ffacb8c0a

SHA256
312b7c83e50c290832726d8e8e4f410034d5f18ff9e99425b528f93adc0ec206

SHA512
0d7394e116118f08f0b7fc29049a0e9f01bc7c3247b22dad1b7f9d2e1a16f6b0979f64fe4c30acac9d95de77fc9327149b10eaf3ca9715f833a3ce72283e20f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ef9d71cedd5323bfc244785c7f68bc19

SHA1
488e8873c7af108321bd70c98a84ee630f500521

SHA256
c13e664adc7c2028b9ceade4c170fdb28d00ef62b5b7bf1eb1f5d609ac53b7cc

SHA512
41c36598058c86e0c05f6281d66b4f7fffb56bdc4077903d6fea3740e16d62c17493b99e7eae6f27e516df6f64f8f9e2bb426fffdd68e9433ab2e73375f43af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ukamPVDSD.bat
Filesize
236B

MD5
949c532793b3cd10184ee8f840e3f98b

SHA1
20eb371ff9dd7c6d4c15d4a33e45161803c00754

SHA256
656c9238ddee653c9973f72c149e8001893ddc26457b3fbab0387aab2245bfc4

SHA512
75db724d8db159b63c432533edaba611ed3f6029f6a8fecfa3b227e344213909e118b4ebf3e51bdcf580ceb51a7f8740adc31944a0b6d534a4fe4a66c8095142

Download Submit
C:\Users\Admin\AppData\Local\Temp\8115a2aa-e828-43b5-965f-49f388adec54.vbs
Filesize
747B

MD5
5e2b3b6d8b9615fa80469cc0b23ec478

SHA1
e1e6bfe7b0c5efa366506f06be60b27bcdeb0a21

SHA256
d86634a5d0898f19be37d2be7ffa989043c921aa0f4da7de6b4b869992a9beee

SHA512
94398cd57654b3309e17e46a6d745623200215e96247c133f3ebd69e3d31ecc7953f85ba4c3abe7e2ef336d878fc0ccebe938a0c2ee2aaeff951af3884e60aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat
Filesize
329B

MD5
204613c7b2462c846fcd51725bd93f96

SHA1
7c322c9ff7a6c1a5a11ae23821388e276962c298

SHA256
4d8fc344c9d241817b7c1a17663ea4550b18de74e6d12572a3aa93292060986c

SHA512
9c12625719096ddf2d00d43025a0b018847140874787a56424dd4fdf0a7fc44c6cf302f65c9da9de40562130a7dbbecda24a5e8dd2e4bfba84d8a010823d34c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0e70117-c372-4acf-9933-45dcef033d65.vbs
Filesize
523B

MD5
abcdf6a04d3a5d5cda78741206c8900c

SHA1
ee166f6f0a41247948aa45c70d51e2d790b07b96

SHA256
7fd799b1a8d6ba64f6f5b7c9286ddf2e01c3b658d268b053b70465148b0a1448

SHA512
3e62fed21e908eb53638cd1ff66794f261363c3152a3bf80fd1d12e641da185a3a611a54c5500ecdee4ac3e32c8db6e55793679405085f0e8b208b16342e6831

Download Submit
C:\Users\Admin\dllhost.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Users\Default User\5b884080fd4f94
Filesize
717B

MD5
b7bcdd160788a16f654aea2642a11746

SHA1
2af4ed93167f88131528a94f8042bb1444384261

SHA256
a045426504c3e5ed950a796dc8295b79ec1be1c2ee1a05bdc3d5f2598a44f7be

SHA512
cf031fe1a0e1e0f9b7ac69efd0274db749c55b26f8ac575b49a956139faf2ac4acbbb6fa163b7ed12e4c098253efde84921e81469d676da8f666adf63d9b587c

Download Submit
C:\Users\Default User\fontdrvhost.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Users\Default\cc11b995f2a76d
Filesize
982B

MD5
221c7a37053bd1e6d7317199da5c663d

SHA1
4e8ac3707f9a6cc7effad9e1dd7c22edb7c27b3f

SHA256
5f37600f78429e90e53144dbfefe59b713909ccd352a2e314a5cbd6ff13f666a

SHA512
196da862b0b3acaac3ea2a081a67ffa9aa7edd530ec95f5434981cbb10b668ffb59d5ca728b8292fa868158a97842d67bef4e55fa9ceb29c9d23273e47c4d905

Download Submit
C:\Users\Default\winlogon.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Windows\Branding\shellbrd\6cb0b6c459d5d3
Filesize
606B

MD5
822fbab847eb3d848e81e3b7b8695dbb

SHA1
d586d6633d1939ee11460fbe40cd64838135fa36

SHA256
2930e609f1622ca43597b466f43ede8a4d49819da2235c9c48471ffbf892ede4

SHA512
87be53872b86e8cff035ed6ec6d88d51f476372778dfd869320052dd43909d32dfb7aa7bd5e5efee9bedda1e41222c2adde9d2995a346b28a444f243072cd81c

Download Submit
C:\Windows\Branding\shellbrd\dwm.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Windows\Help\OEM\38384e6a620884
Filesize
979B

MD5
733ed56bd2d56aa8cf588d6c9a2b93d7

SHA1
b84b79c8a1e8e8137e7935126f9084ca9fca81b0

SHA256
42ce8efacf9c271c5e1c99b1ecd64058a738fc2294249f332ae9064212cbd27c

SHA512
b2a44f08a057bc4b752ab9e49a08d5f0d484ccd1dd59664b7ac05fd755105fd16482d0aac4fafb8357f1d398bfce741cc2c769a1461949a9cf32da4de2bda4e1

Download Submit
C:\Windows\Help\OEM\SearchApp.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
C:\Windows\Provisioning\Cosa\9e8d7a4ca61bd9
Filesize
594B

MD5
d0fd3062af2f8f89ffdfd7a7e64dc49e

SHA1
ab2b135499d4dd81416a4988af79d92b9563f583

SHA256
e019c10229ac7cef1c27848c3852bffcd43f1266979c92e614e3c9f2e99454aa

SHA512
b6174f414d612ac8509e1e9e49df4dc87677deeb7370c42b725e303272a9f4ff67da28722b83dd7d3748b12cb0c4d2ac6d054c8ca02dfc8b3a75cb532d1c3615

Download Submit
C:\Windows\Provisioning\Cosa\RuntimeBroker.exe
Filesize
3.0MB

MD5
afb679b10d49b2052e1239c345dee646

SHA1
5cc8ce5753431b0cc4901aa53d8489e37a91c672

SHA256
70e310463aea47e2121969f8a96000a72c44ce574e2786a0e4d5e472ce35f998

SHA512
14983d548e071cd85973739f6056a9ab9ca3392f8f1aa3054ec05cfccaafd00135bfa1cdfc83fad26e5adee35c8f5d2d470e296eaba3cee8d7f7e896d47fb967

Download Submit
memory/924-180-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/924-163-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/924-150-0x0000000000000000-mapping.dmp

Download
memory/1080-202-0x0000000000000000-mapping.dmp

Download
memory/1200-174-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/1200-138-0x0000000000000000-mapping.dmp

Download
memory/1200-154-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/1552-187-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/1552-156-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/1552-141-0x0000000000000000-mapping.dmp

Download
memory/1568-231-0x0000000000000000-mapping.dmp

Download
memory/2232-152-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/2232-137-0x0000000000000000-mapping.dmp

Download
memory/2232-179-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/2288-168-0x0000000000000000-mapping.dmp

Download
memory/2720-158-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/2720-144-0x0000000000000000-mapping.dmp

Download
memory/2720-196-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/2892-139-0x0000000000000000-mapping.dmp

Download
memory/2892-177-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/2892-153-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/2976-159-0x0000000000000000-mapping.dmp

Download
memory/3016-164-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/3016-143-0x0000000000000000-mapping.dmp

Download
memory/3016-191-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/3176-206-0x00007FFD338C0000-0x00007FFD34381000-memory.dmp

Filesize
10.8MB

Download
memory/3176-200-0x00007FFD338C0000-0x00007FFD34381000-memory.dmp

Filesize
10.8MB

Download
memory/3176-234-0x00007FFD338C0000-0x00007FFD34381000-memory.dmp

Filesize
10.8MB

Download
memory/3176-197-0x0000000000000000-mapping.dmp

Download
memory/3176-205-0x000000001E650000-0x000000001E812000-memory.dmp

Filesize
1.8MB

Download
memory/3504-201-0x0000000000000000-mapping.dmp

Download
memory/3636-145-0x0000000000000000-mapping.dmp

Download
memory/3636-190-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-166-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-185-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-167-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/3700-146-0x0000000000000000-mapping.dmp

Download
memory/3756-161-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/3756-193-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/3756-149-0x0000000000000000-mapping.dmp

Download
memory/3804-160-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/3804-147-0x0000000000000000-mapping.dmp

Download
memory/3804-195-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/4272-136-0x0000000000000000-mapping.dmp

Download
memory/4272-151-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/4272-148-0x0000020472B50000-0x0000020472B72000-memory.dmp

Filesize
136KB

Download
memory/4272-176-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-140-0x0000000000000000-mapping.dmp

Download
memory/4592-175-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-155-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-132-0x0000000000D40000-0x0000000001046000-memory.dmp

Filesize
3.0MB

Download
memory/4988-135-0x000000001D940000-0x000000001DE68000-memory.dmp

Filesize
5.2MB

Download
memory/4988-134-0x000000001BB70000-0x000000001BBC0000-memory.dmp

Filesize
320KB

Download
memory/4988-133-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-162-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-233-0x0000000000000000-mapping.dmp

Download
memory/5060-142-0x0000000000000000-mapping.dmp

Download
memory/5060-184-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download
memory/5060-157-0x00007FFD33C10000-0x00007FFD346D1000-memory.dmp

Filesize
10.8MB

Download