dcrat | d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2023, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa690c0fc39cd9fd36bec2dd30f03ba.exe
Size

2.9MB
MD5

caa690c0fc39cd9fd36bec2dd30f03ba
SHA1

3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0
SHA256

d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b
SHA512

f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a
SSDEEP

49152:CEvU1J8dN6XYbTGw5i+4pK1XWdOcYF62tLmkyWM2tG8r3p+7:CEvA/YbTjt6LkLLt1LrZ

Score

10^/10

dcrat discovery evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2128	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2128	schtasks.exe	33

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4544-133-0x0000000000B90000-0x0000000000E70000-memory.dmp	dcrat
behavioral2/files/0x000800000002314e-145.dat	dcrat
behavioral2/files/0x0006000000023180-194.dat	dcrat
behavioral2/files/0x000600000002315d-539.dat	dcrat
behavioral2/files/0x000600000002315d-540.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	caa690c0fc39cd9fd36bec2dd30f03ba.exe

Executes dropped EXE 1 IoCs

pid	Process
5532	WmiPrvSE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
177	ipinfo.io
178	ipinfo.io

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\SppExtComObj.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files\Reference Assemblies\e1ef82546f0b02	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXC5E6.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files\Reference Assemblies\SppExtComObj.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\RCXCA2F.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\54a3c9f5-a40a-430d-817c-3dbb02085571.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\24dbde2999530e	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\RCXCA4F.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXCEA8.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXCED7.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230309034721.pma	setup.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXC5C6.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\24dbde2999530e	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Setup\State\RCXD34F.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXDAD6.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Windows\Setup\State\RuntimeBroker.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Windows\Setup\State\9e8d7a4ca61bd9	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Windows\Setup\State\RCXD36F.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Windows\Setup\State\RuntimeBroker.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXD7E7.tmp	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe	caa690c0fc39cd9fd36bec2dd30f03ba.exe
File created	C:\Windows\Prefetch\ReadyBoot\5b884080fd4f94	caa690c0fc39cd9fd36bec2dd30f03ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2964	schtasks.exe
1872	schtasks.exe
4260	schtasks.exe
264	schtasks.exe
1488	schtasks.exe
4016	schtasks.exe
4500	schtasks.exe
4400	schtasks.exe
2112	schtasks.exe
4120	schtasks.exe
1436	schtasks.exe
1540	schtasks.exe
3224	schtasks.exe
5112	schtasks.exe
3956	schtasks.exe
4968	schtasks.exe
3980	schtasks.exe
3352	schtasks.exe
4184	schtasks.exe
3360	schtasks.exe
4848	schtasks.exe
4744	schtasks.exe
1548	schtasks.exe
3300	schtasks.exe
5024	schtasks.exe
2616	schtasks.exe
4372	schtasks.exe
3996	schtasks.exe
400	schtasks.exe
3172	schtasks.exe
3200	schtasks.exe
4048	schtasks.exe
1412	schtasks.exe
4524	schtasks.exe
2028	schtasks.exe
820	schtasks.exe
4256	schtasks.exe
4736	schtasks.exe
4188	schtasks.exe
3652	schtasks.exe
4144	schtasks.exe
4752	schtasks.exe
3232	schtasks.exe
4536	schtasks.exe
3332	schtasks.exe
920	schtasks.exe
4012	schtasks.exe
1812	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	caa690c0fc39cd9fd36bec2dd30f03ba.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
432	powershell.exe
432	powershell.exe
1068	powershell.exe
1068	powershell.exe
2692	powershell.exe
2692	powershell.exe
4536	powershell.exe
4536	powershell.exe
4744	powershell.exe
4744	powershell.exe
3588	powershell.exe
3588	powershell.exe
2396	powershell.exe
2396	powershell.exe
3332	powershell.exe
3332	powershell.exe
2948	powershell.exe
2948	powershell.exe
4304	powershell.exe
4304	powershell.exe
2572	powershell.exe
2572	powershell.exe
4524	powershell.exe
4524	powershell.exe
432	powershell.exe
1068	powershell.exe
3588	powershell.exe
2692	powershell.exe
4744	powershell.exe
3332	powershell.exe
2948	powershell.exe
4536	powershell.exe
2396	powershell.exe
4524	powershell.exe
2572	powershell.exe
4304	powershell.exe
5532	WmiPrvSE.exe
5532	WmiPrvSE.exe
5532	WmiPrvSE.exe
5532	WmiPrvSE.exe
5532	WmiPrvSE.exe
5532	WmiPrvSE.exe
5532	WmiPrvSE.exe
5532	WmiPrvSE.exe
5532	WmiPrvSE.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	5532	WmiPrvSE.exe
Token: SeBackupPrivilege	5308	vssvc.exe
Token: SeRestorePrivilege	5308	vssvc.exe
Token: SeAuditPrivilege	5308	vssvc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3500	msedge.exe
3500	msedge.exe
3500	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4536	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	139
PID 4544 wrote to memory of 4536	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	139
PID 4544 wrote to memory of 3588	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	162
PID 4544 wrote to memory of 3588	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	162
PID 4544 wrote to memory of 4744	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	161
PID 4544 wrote to memory of 4744	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	161
PID 4544 wrote to memory of 432	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	160
PID 4544 wrote to memory of 432	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	160
PID 4544 wrote to memory of 2692	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	159
PID 4544 wrote to memory of 2692	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	159
PID 4544 wrote to memory of 3332	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	158
PID 4544 wrote to memory of 3332	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	158
PID 4544 wrote to memory of 1068	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	156
PID 4544 wrote to memory of 1068	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	156
PID 4544 wrote to memory of 2948	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	154
PID 4544 wrote to memory of 2948	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	154
PID 4544 wrote to memory of 4524	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	153
PID 4544 wrote to memory of 4524	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	153
PID 4544 wrote to memory of 4304	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	152
PID 4544 wrote to memory of 4304	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	152
PID 4544 wrote to memory of 2396	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	148
PID 4544 wrote to memory of 2396	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	148
PID 4544 wrote to memory of 2572	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	145
PID 4544 wrote to memory of 2572	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	145
PID 4544 wrote to memory of 1436	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	163
PID 4544 wrote to memory of 1436	4544	caa690c0fc39cd9fd36bec2dd30f03ba.exe	163
PID 1436 wrote to memory of 5184	1436	cmd.exe	165
PID 1436 wrote to memory of 5184	1436	cmd.exe	165
PID 1436 wrote to memory of 5532	1436	cmd.exe	166
PID 1436 wrote to memory of 5532	1436	cmd.exe	166
PID 5532 wrote to memory of 5764	5532	WmiPrvSE.exe	167
PID 5532 wrote to memory of 5764	5532	WmiPrvSE.exe	167
PID 5532 wrote to memory of 5808	5532	WmiPrvSE.exe	168
PID 5532 wrote to memory of 5808	5532	WmiPrvSE.exe	168
PID 5532 wrote to memory of 3500	5532	WmiPrvSE.exe	176
PID 5532 wrote to memory of 3500	5532	WmiPrvSE.exe	176
PID 3500 wrote to memory of 636	3500	msedge.exe	177
PID 3500 wrote to memory of 636	3500	msedge.exe	177
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178
PID 3500 wrote to memory of 5204	3500	msedge.exe	178

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	caa690c0fc39cd9fd36bec2dd30f03ba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\caa690c0fc39cd9fd36bec2dd30f03ba.exe
"C:\Users\Admin\AppData\Local\Temp\caa690c0fc39cd9fd36bec2dd30f03ba.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q1AusS7wFr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5184
- - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5532
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\470753cc-503d-420e-8471-e4f5d1934e9f.vbs"
      4⤵
      PID:5764
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecce3076-4118-48cf-8ff1-5360502163fa.vbs"
      4⤵
      PID:5808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12662/
      4⤵
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff9a8fb46f8,0x7ff9a8fb4708,0x7ff9a8fb4718
        5⤵
        
        PID:636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        
        PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        
        PID:3756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
        5⤵
        
        PID:3480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        5⤵
        
        PID:936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
        5⤵
        
        PID:4548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
        5⤵
        
        PID:2268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
        5⤵
        
        PID:1156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        5⤵
        
        PID:1840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
        5⤵
        
        PID:4440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
        5⤵
        
        PID:5216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:5496
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x220,0x1fc,0x7ff613c95460,0x7ff613c95470,0x7ff613c95480
        6⤵
        
        PID:4496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
        5⤵
        
        PID:5008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
        5⤵
        
        PID:4104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
        5⤵
        
        PID:2504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2161633083136100816,1858516970275944934,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
        5⤵
        
        PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "caa690c0fc39cd9fd36bec2dd30f03bac" /sc MINUTE /mo 9 /tr "'C:\odt\caa690c0fc39cd9fd36bec2dd30f03ba.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "caa690c0fc39cd9fd36bec2dd30f03ba" /sc ONLOGON /tr "'C:\odt\caa690c0fc39cd9fd36bec2dd30f03ba.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "caa690c0fc39cd9fd36bec2dd30f03bac" /sc MINUTE /mo 8 /tr "'C:\odt\caa690c0fc39cd9fd36bec2dd30f03ba.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe

Filesize
2.9MB

MD5
caa690c0fc39cd9fd36bec2dd30f03ba

SHA1
3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0

SHA256
d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b

SHA512
f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\WmiPrvSE.exe

Filesize
2.9MB

MD5
caa690c0fc39cd9fd36bec2dd30f03ba

SHA1
3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0

SHA256
d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b

SHA512
f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
e8afa7a24a0a9417a819cf4daaa8d7af

SHA1
1a2023993e8f25b179bb3fa3acf023c557ecd874

SHA256
2d356c08f80b74ad0d7d1fe2b185f8d92a7120f2b6ce1beacdada6db1a060621

SHA512
29d8e75fdc39c681816cbcc81337aacecc9f61af429a5bffaca90c89398fd1deedeefa516a8be85641dcdfcfddc22073efca6e2683e87900043f5f43fb0887e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
4ea04e93fc7b3abe5f6a8f404f5ca804

SHA1
99851e6acf3b0071e20c0c7696bb75c11f90e537

SHA256
bae1a4600213f2133119ed14bd7be26b11714e24c7ee6c3b1a147f180b669020

SHA512
1f8f1f297b6eb02e89682126543d0110fbb800772221ee8e4fddddbf1801d15379fe1cd2bf98ac95e0fe849ec0b1a91ccf0a6b9c49a44367dcfba8b83a336de6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f64b1222c2f4ace686ed8499f3a69b81

SHA1
0031a4d037b93cbe4e1e835000065b3be512246e

SHA256
b0d117415533a0d1adc1d851e0bcea37de08934c4f7c658a559dea820fd4a666

SHA512
2907920afe88179fec014fb14027f413ba10b9fff7c012693cabe0fd56941fa278f6bb048c4a144da9261e38f58983ed16f201fefb1ae2220b8ec0ad229ff4b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
390369d2b5a99358e8de3ff22119967d

SHA1
fea63ea3cded180bd96c5de2775d13624824fe2a

SHA256
64d4ec084974f4423f50634c5d1af1b4b5a4b78013ecdc8adde28c431d333f78

SHA512
9bd55a993f5e42fd040362def0bbe93e8d344a3b4d53fc55d077cbc69195bab62b396c8a7a2373c7603ad700a52db6f0f55117b353f5cae0f1b8211c0573adf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
e4083f01169fcb0a2351424abd55e537

SHA1
6c97baf00d877b1f2a61fdc786aa64867c06a7de

SHA256
52f6188ba382a4be315d9cd9402d6fcddb27b7f919db98179815bc3161850b96

SHA512
dab4787dfdb21fcd41ca384612ac6b0d91067d7db1484342f335373bffff7cedf420ca0afc3d2da4c291817b42113b304c283ef41aa445680a9706d1bb781eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aea203d93cf3a720752b0143b5e4cf04

SHA1
f93d568dfbf576837fd3f144d96d1cd38365df81

SHA256
2a8b47e9db08f53e08ac33ea532dc76a9a10da2307c320598641d65990255805

SHA512
94159e733c7ada1b115a3b28b7135a8c544d7c4fb102fb4ad192f9b0efbc42f62ddf990dc62f75174a05da2b5851e3cc6a90610f0eab67e3fbc6e44842075b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\470753cc-503d-420e-8471-e4f5d1934e9f.vbs

Filesize
735B

MD5
b342a9d4a794111c0cc0c1e620d06df3

SHA1
4d31eaa04abdedfee9f7a46f6a8608799fd0ca1f

SHA256
fda9f937aabb3c2a9a825b6be8bf329802935ceab842a059cfce5eecdb7222dc

SHA512
c3159f439bd843f74de510ecc3e8e79c1d0d132cc06ff1f26c3bb0ca83e0e5b189a1f05e7086575f9206af38f9a05b187e6fa76507d1158664addd24c905132d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hi0fu425.kjt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecce3076-4118-48cf-8ff1-5360502163fa.vbs

Filesize
511B

MD5
f9103125ab6e285f4cc53a0796e33083

SHA1
9b93b162eeaede26e52277d93578f388460dad7d

SHA256
067d20f643a8a143857860c39e35744a0589375e5b15991a118d89653b0ca364

SHA512
786c9f809be36b84ef966cbc74ef65792d97bd8ab0a3f5b41709396c5b343dd46794ce59eda3869095447ea0e1ce9d219196de063e45a82db7ad91bb88e64888

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1AusS7wFr.bat

Filesize
224B

MD5
c632fd7a71f1007df95e6b2114ac76a6

SHA1
5052e39c0fa54a2ab8d16714d4bc4a08bbb435e0

SHA256
495a0db2c21ed6fb5df765bd1d470b46f07308811366191e53c25bb58a21f7e4

SHA512
ed88d0f561ae7091644f2f2f1fa1bbfb44de644f266009447e0e2a699277225aa64faccec60257555128f2a5b44122e18d5bfb3e095f4875f74832ddb0524e6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
6ef2e62f2649123a9ce564107e9d0b61

SHA1
44b7a8086af149293d9face8b697ac368f587173

SHA256
2ec0e42568b4efd70f0fe5c3a8d938eb923faa4ec9314a5511185904b9b289cb

SHA512
0d6e76a4ff81dd120bea8ff5462a227e1d51d6846a417beb83af4646465965d9cf654d27926481ebf424bc40e04b7750a11312919d3902fe52e1e334068fa58a

Download Submit
C:\Users\Default\RCXB792.tmp

Filesize
2.9MB

MD5
393f7810c51e9fae12e95b05a9622404

SHA1
fd639e0d2f80ae4c0157b3184a1b8704ee798057

SHA256
7093de61d6787275ac75f5579086a333e06cceefd4f783d4d1ca3b8999981708

SHA512
f468e6785c7f07dc6eb63d49c2a7568dd9e5232e4d3ba108aa012be1167fc91fd8a89ff07886af695c26ec77f6c14e73c6f14a931f1b5a3e5bda4137fda0e455

Download Submit
C:\odt\backgroundTaskHost.exe

Filesize
2.9MB

MD5
caa690c0fc39cd9fd36bec2dd30f03ba

SHA1
3c2f8fc34b75a6a3cbf64e946b42808bc9cdbeb0

SHA256
d1f9b8e8a6b3ec8583f59d0974c19177f71efdfe1e82d79f646172bd08cc826b

SHA512
f230928baebe31c183582c3a7db772844a8419591557b23aae24c54ed3c7418be69e87ff95405149685d3f0eed18719d46888c4ea9eb9e75d7fbbbe30c2e2f3a

Download Submit
memory/432-507-0x0000025ADF1F0000-0x0000025ADF200000-memory.dmp

Filesize
64KB

Download
memory/432-499-0x0000025ADF1F0000-0x0000025ADF200000-memory.dmp

Filesize
64KB

Download
memory/432-378-0x0000025AC6B70000-0x0000025AC6B92000-memory.dmp

Filesize
136KB

Download
memory/432-459-0x0000025ADF1F0000-0x0000025ADF200000-memory.dmp

Filesize
64KB

Download
memory/1068-500-0x0000019AFB4D0000-0x0000019AFB4E0000-memory.dmp

Filesize
64KB

Download
memory/1068-473-0x0000019AFB4D0000-0x0000019AFB4E0000-memory.dmp

Filesize
64KB

Download
memory/2396-494-0x0000021821CD0000-0x0000021821CE0000-memory.dmp

Filesize
64KB

Download
memory/2396-511-0x0000021821CD0000-0x0000021821CE0000-memory.dmp

Filesize
64KB

Download
memory/2396-505-0x0000021821CD0000-0x0000021821CE0000-memory.dmp

Filesize
64KB

Download
memory/2396-493-0x0000021821CD0000-0x0000021821CE0000-memory.dmp

Filesize
64KB

Download
memory/2572-496-0x000001757CA30000-0x000001757CA40000-memory.dmp

Filesize
64KB

Download
memory/2692-490-0x000001E959170000-0x000001E959180000-memory.dmp

Filesize
64KB

Download
memory/2692-489-0x000001E959170000-0x000001E959180000-memory.dmp

Filesize
64KB

Download
memory/2692-502-0x000001E959170000-0x000001E959180000-memory.dmp

Filesize
64KB

Download
memory/2948-491-0x00000212AF4B0000-0x00000212AF4C0000-memory.dmp

Filesize
64KB

Download
memory/2948-492-0x00000212AF4B0000-0x00000212AF4C0000-memory.dmp

Filesize
64KB

Download
memory/2948-504-0x00000212AF4B0000-0x00000212AF4C0000-memory.dmp

Filesize
64KB

Download
memory/3332-488-0x0000021DEBDE0000-0x0000021DEBDF0000-memory.dmp

Filesize
64KB

Download
memory/3332-484-0x0000021DEBDE0000-0x0000021DEBDF0000-memory.dmp

Filesize
64KB

Download
memory/3588-501-0x000001B297CE0000-0x000001B297CF0000-memory.dmp

Filesize
64KB

Download
memory/3588-509-0x000001B297CE0000-0x000001B297CF0000-memory.dmp

Filesize
64KB

Download
memory/4304-506-0x000001F61A8F0000-0x000001F61A900000-memory.dmp

Filesize
64KB

Download
memory/4304-497-0x000001F61A8F0000-0x000001F61A900000-memory.dmp

Filesize
64KB

Download
memory/4524-495-0x0000024F36DC0000-0x0000024F36DD0000-memory.dmp

Filesize
64KB

Download
memory/4524-510-0x0000024F36DC0000-0x0000024F36DD0000-memory.dmp

Filesize
64KB

Download
memory/4536-438-0x0000025477770000-0x0000025477780000-memory.dmp

Filesize
64KB

Download
memory/4536-508-0x0000025477770000-0x0000025477780000-memory.dmp

Filesize
64KB

Download
memory/4536-437-0x0000025477770000-0x0000025477780000-memory.dmp

Filesize
64KB

Download
memory/4544-134-0x000000001B970000-0x000000001B980000-memory.dmp

Filesize
64KB

Download
memory/4544-133-0x0000000000B90000-0x0000000000E70000-memory.dmp

Filesize
2.9MB

Download
memory/4544-135-0x000000001CD60000-0x000000001CDB0000-memory.dmp

Filesize
320KB

Download
memory/4544-136-0x000000001D350000-0x000000001D878000-memory.dmp

Filesize
5.2MB

Download
memory/4544-297-0x000000001B970000-0x000000001B980000-memory.dmp

Filesize
64KB

Download
memory/4744-512-0x00000263AD350000-0x00000263AD360000-memory.dmp

Filesize
64KB

Download
memory/4744-457-0x00000263AD350000-0x00000263AD360000-memory.dmp

Filesize
64KB

Download
memory/4744-503-0x00000263AD350000-0x00000263AD360000-memory.dmp

Filesize
64KB

Download
memory/5204-613-0x00007FF9CF5B0000-0x00007FF9CF5B1000-memory.dmp

Filesize
4KB

Download
memory/5532-541-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download
memory/5532-551-0x0000000020070000-0x0000000020232000-memory.dmp

Filesize
1.8MB

Download
memory/5532-694-0x000000001D250000-0x000000001D25B000-memory.dmp

Filesize
44KB

Download
memory/5532-739-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download
memory/5532-740-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download
memory/5532-693-0x000000001D200000-0x000000001D227000-memory.dmp

Filesize
156KB

Download
memory/5532-552-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download
memory/5532-553-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download