dcrat | ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e

Analysis

max time kernel
110s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Size

1.1MB
MD5

bf13fac7f8484064e0b61d4930e82580
SHA1

08495d92383b65f214c87a4aaed1103fe4cc7330
SHA256

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e
SHA512

cfba119bdbe539b7c64a5a9bf2581b21d6fa120154745f54bc36c1aac3ddfa555d4d01dd43c0626c2d95cd5eb0005c1c03387c853a18e8ef3d4d1c9d472ada87
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpd:EPkVXFGDQoP7FRCZRonh4hfewhmpd

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	3048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3048	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1372-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3912	powershell.exe
4840	powershell.exe
1820	powershell.exe
1148	powershell.exe
2536	powershell.exe
4196	powershell.exe
1956	powershell.exe
4688	powershell.exe
4480	powershell.exe
4912	powershell.exe
3360	powershell.exe
3972	powershell.exe
2424	powershell.exe
1664	powershell.exe
4760	powershell.exe
1356	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 5 IoCs

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid process

2308 fontdrvhost.exe
5132 fontdrvhost.exe
6132 fontdrvhost.exe
5796 fontdrvhost.exe
4160 fontdrvhost.exe

pid	process
2308	fontdrvhost.exe
5132	fontdrvhost.exe
6132	fontdrvhost.exe
5796	fontdrvhost.exe
4160	fontdrvhost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exefontdrvhost.exefontdrvhost.exe

description	pid	process	target process
PID 3600 set thread context of 1372	3600	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 2308 set thread context of 5132	2308	fontdrvhost.exe	fontdrvhost.exe
PID 6132 set thread context of 5796	6132	fontdrvhost.exe	fontdrvhost.exe

Drops file in Program Files directory 35 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\unsecapp.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\Common Files\Services\RCXF0BB.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXF563.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXF7E6.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files\Common Files\Services\886983d96e3d3e	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\29c1c3cc0f7685	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXF562.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXFE83.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXD06.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files\dotnet\7a0fd90576e088	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF7A.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files\dotnet\explorer.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ea9f0e6c9e2dcd	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXF7E5.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\unsecapp.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF79.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files\Common Files\Services\csrss.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\dotnet\explorer.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXFE82.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXD74.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\Common Files\Services\csrss.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\fb7bf17bc86597	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\dotnet\RCXF9EB.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\9e8d7a4ca61bd9	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\Common Files\Services\RCXF0BC.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Program Files\dotnet\RCXF9EC.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

Drops file in Windows directory 6 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

description	ioc	process
File opened for modification	C:\Windows\Cursors\explorer.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Windows\diagnostics\system\OfficeClickToRun.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Windows\Cursors\explorer.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File created	C:\Windows\Cursors\7a0fd90576e088	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\Cursors\RCX58D.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
File opened for modification	C:\Windows\Cursors\RCX5FC.tmp	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeWScript.exepowershell.exepowershell.exeWScript.exepowershell.exeWScript.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exece76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exeWScript.exepowershell.exepowershell.exepowershell.exece76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exefontdrvhost.exefontdrvhost.exefontdrvhost.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 3 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1532	schtasks.exe
2492	schtasks.exe
3688	schtasks.exe
4352	schtasks.exe
468	schtasks.exe
2104	schtasks.exe
3184	schtasks.exe
1752	schtasks.exe
4224	schtasks.exe
224	schtasks.exe
2668	schtasks.exe
4684	schtasks.exe
2456	schtasks.exe
4400	schtasks.exe
2796	schtasks.exe
4336	schtasks.exe
3872	schtasks.exe
2248	schtasks.exe
2228	schtasks.exe
3420	schtasks.exe
1976	schtasks.exe
1880	schtasks.exe
3664	schtasks.exe
4236	schtasks.exe
2296	schtasks.exe
3444	schtasks.exe
1704	schtasks.exe
3960	schtasks.exe
4628	schtasks.exe
684	schtasks.exe
1676	schtasks.exe
3912	schtasks.exe
3248	schtasks.exe
4808	schtasks.exe
724	schtasks.exe
1688	schtasks.exe
3224	schtasks.exe
892	schtasks.exe
3604	schtasks.exe
696	schtasks.exe
2584	schtasks.exe
3876	schtasks.exe
2132	schtasks.exe
4760	schtasks.exe
3436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exe

pid	process
1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
1148	powershell.exe
1148	powershell.exe
4760	powershell.exe
4760	powershell.exe
4688	powershell.exe
4688	powershell.exe
2536	powershell.exe
2536	powershell.exe
4196	powershell.exe
4196	powershell.exe
1820	powershell.exe
1820	powershell.exe
3360	powershell.exe
3360	powershell.exe
3972	powershell.exe
3972	powershell.exe
1664	powershell.exe
1664	powershell.exe
1356	powershell.exe
1356	powershell.exe
1956	powershell.exe
1956	powershell.exe
3912	powershell.exe
3912	powershell.exe
2424	powershell.exe
2424	powershell.exe
4912	powershell.exe
4912	powershell.exe
4840	powershell.exe
4840	powershell.exe
4480	powershell.exe
4480	powershell.exe
4760	powershell.exe
1148	powershell.exe
1956	powershell.exe
4196	powershell.exe
1664	powershell.exe
3912	powershell.exe
4688	powershell.exe
4840	powershell.exe
3972	powershell.exe
2536	powershell.exe
4480	powershell.exe
2424	powershell.exe
1356	powershell.exe
3360	powershell.exe
1820	powershell.exe
4912	powershell.exe
5132	fontdrvhost.exe
5796	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	5132	fontdrvhost.exe
Token: SeDebugPrivilege	5796	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exece76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exefontdrvhost.exe

description	pid	process	target process
PID 3600 wrote to memory of 1372	3600	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 3600 wrote to memory of 1372	3600	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 3600 wrote to memory of 1372	3600	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 3600 wrote to memory of 1372	3600	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 3600 wrote to memory of 1372	3600	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 3600 wrote to memory of 1372	3600	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 3600 wrote to memory of 1372	3600	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 3600 wrote to memory of 1372	3600	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
PID 1372 wrote to memory of 1148	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1148	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1148	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4760	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4760	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4760	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1820	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1820	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1820	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 2424	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 2424	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 2424	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4840	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4840	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4840	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 3912	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 3912	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 3912	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4196	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4196	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4196	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1664	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1664	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1664	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 3972	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 3972	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 3972	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1356	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1356	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1356	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 2536	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 2536	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 2536	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1956	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1956	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 1956	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4688	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4688	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4688	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 3360	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 3360	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 3360	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4912	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4912	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4912	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4480	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4480	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 4480	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	powershell.exe
PID 1372 wrote to memory of 2308	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	fontdrvhost.exe
PID 1372 wrote to memory of 2308	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	fontdrvhost.exe
PID 1372 wrote to memory of 2308	1372	ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe	fontdrvhost.exe
PID 2308 wrote to memory of 5132	2308	fontdrvhost.exe	fontdrvhost.exe
PID 2308 wrote to memory of 5132	2308	fontdrvhost.exe	fontdrvhost.exe
PID 2308 wrote to memory of 5132	2308	fontdrvhost.exe	fontdrvhost.exe
PID 2308 wrote to memory of 5132	2308	fontdrvhost.exe	fontdrvhost.exe
PID 2308 wrote to memory of 5132	2308	fontdrvhost.exe	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
"C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\TrustedInstaller.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\SearchApp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe
      "{path}"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5132
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d0977ba-c264-4a05-9e67-1685277ba8be.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe
        
        "{path}"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06b43978-457d-4fe5-9e5f-a899247ad81d.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5877da96-6f7f-4f89-ba1c-68183ecf4659.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6d82340-a9b6-4571-b358-b06b268a6d11.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\dotnet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Cursors\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eNc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eNc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\taskhostw.exe

Filesize
1.1MB

MD5
b8ae25cf43950d6439b1bc6fece07aa0

SHA1
b0aced582eefd994ff4d6bed2a314b91cdac4867

SHA256
4b6afceb57d53e1b214f9ea969ca48389061ca15c1919d50f9d9df88a44292b4

SHA512
c6184ef57d8f38ab1fe480518cf195a4eb231b0f08ea8760a10fed85cdff1a3d650ba6c7d3b7239910506eb7127eb5ed55b78870a40632dfd31f8722fbe9b583

Download Submit
C:\Program Files\dotnet\explorer.exe

Filesize
1.1MB

MD5
bf13fac7f8484064e0b61d4930e82580

SHA1
08495d92383b65f214c87a4aaed1103fe4cc7330

SHA256
ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59e

SHA512
cfba119bdbe539b7c64a5a9bf2581b21d6fa120154745f54bc36c1aac3ddfa555d4d01dd43c0626c2d95cd5eb0005c1c03387c853a18e8ef3d4d1c9d472ada87

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
1.1MB

MD5
29244f9e07141b9ca74e1bc7299622b2

SHA1
a5f0bcc9115f9dff89eadcc2ace89eafcab13069

SHA256
d1924d8242470bd7e3a1e2005804eda68802eed6fb3029666cfdd1eedf4f004a

SHA512
898e4836dc9741a14767721be4d5fa83a17ffacc3e768841c5255e509aa556954c35eb05aaecc09ce35e5d0afa24a4bfb3a79c730a360840996dce5bf8f6f8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ce76b43210ba07925ad47c4c9953044670a94e638eafff7e1d172891b51ea59eN.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
45876e4bf2b8370532f2075ac7af7e61

SHA1
d7424a35b7df4a7c70d8cb3f4af97f97b56bb26a

SHA256
ef5bcb8eec801f127f644f82a6e275f654b2db4bb6493ab72efacd2f88e24fbe

SHA512
0eb6d333115e89229fb4e3137e8de0e31edaa86c5e6f7b1a617fa1301cd2d9b9a23b0f503b927f65254839b38d472477938658e6e425b852fa5b5c079d488d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
813e41b5ca2ee3f2b0cf04366a54f875

SHA1
6a3ce2045f150b976ceaadd473b9f598e9dd6629

SHA256
1bf03fca3a34eba77b212d962b0f0648bee28a021be1b7817631127ad09c6f50

SHA512
8051b2c545806fef5c1e1594fc3977face508b9034c5be073b4cee61f690d7f1081653a20990f7a7dc037b4f0eb976c91448bd2781a1a23ac5ada4fd9e797d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8022ccfee68297661e43de13fb53c7e6

SHA1
825c68266b825a68adeee69bd67aacf4c1dd075b

SHA256
526d7a4efcbf4ed46cb120107c91891835f283e61a07c3d87eb1f6d122f2e3a5

SHA512
44dbb7a0c9ecf7b07ec99f67da8fb4689c6da8ca88fe9c4ca8a8635927fbad5f39c4a9d2a7d7b99918ed637e79a2b303e4791696ad5a9daa48fad468cd0e3d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
09488b372e3d441f8ef283647dea8f42

SHA1
8e5a1296886ada3b3439dfbd2de06fb4827053f5

SHA256
39b3c5787759bf3b78b475166c18d82ba00b6998e174ab9afca00ea2debf8998

SHA512
037465a4012a768b4b0894c1bbc3f469b3025bed4d06138c171c32566e87baff3e1d98ee5555218f523ede2c340d5f58e4445a0695587ab1f46f6a9fa755890f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cc14c961b454e1b2b8bb4cddeaf23bc3

SHA1
c16a90273adc90c055d4f47f5ea423f59af492d6

SHA256
d8028232bfe769e6659db59d1aafb29d17fb46cffb18ba9d0c2173af606639bd

SHA512
5c0cb76572ee9c5eeeab16c03f0f675bd4ebcee0511b4c2112858210cbd072e1ab9f3653b4e35461471fc42641b961f6212fbc74df5f2b739644298e2661176f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0dbce8bee6e10102c9070eaf587cb630

SHA1
96318fe02e7cd7782ac03d39ee703babdbecb000

SHA256
4bf75292ff62bad10376e01e8f8c492c7b49b5a33b68b124f25676bdac3a8e3f

SHA512
332af5a798d8f705e2ce37ce928a4e589b86cd18289a5b92a4ffc241d4d4d7b70fdd395c17bd94a3795151521a7bc5794df62c37c552dc084c9c0cd75be97234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d3a66c6655f77a4ddabb7dec251597d4

SHA1
1d244a7b474365a3879ff7914f834a8a954251ae

SHA256
fd8f1e969b637cf798ececb9d0acfef78f3532def810760d905cee51e7545053

SHA512
d50ae21d371a2b5e3611164c9ea8d8d074e868699641648d08ecb91538a24faf96f96c0495fde582ae8eee67b1648048b8f194d1d7d3261166c38e2cdd652ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\06b43978-457d-4fe5-9e5f-a899247ad81d.vbs

Filesize
747B

MD5
aa84074e96a9351d3997f2c1a0319ecf

SHA1
3045c404cb210878ddfc892e7dc8f7238c3f2c00

SHA256
8aa32e239e181209d032464c246de07b8b7e368916ee52e83ea25290bc98c772

SHA512
5cace6cc2184c5dfa1ff69281ab0afc6d5546bec63b988a876a1e53e855b9155b3e31cae25e4370e5e64f0503dfd8357e47f55694965cbf02175d5915665929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0977ba-c264-4a05-9e67-1685277ba8be.vbs

Filesize
747B

MD5
24f530cbfa7f34dd06867828d44467ab

SHA1
b2584863187559cd72110280dfabdaf66cf87c60

SHA256
39068c1599104ebb644ad6e742a26563106f25b4115ad012bc2ed5d67ff70d3e

SHA512
909071acf09f04d09cec1a0e26b2224e5dc0927571b562ee00ad8234439d493ff7c003bdfc09077b4844244d740e874c8d83b46472914237f79045577815d866

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yarw4vt0.jpg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6d82340-a9b6-4571-b358-b06b268a6d11.vbs

Filesize
523B

MD5
1369e8f6b180bfe35f5863ca3a37a0cf

SHA1
544349a6a96df4a692c45512bc727a207f8bf8f3

SHA256
7ffc286e2e9dcf1aab7f9ff4a8e729b7e5e5c4c2d70f05938d3feeeaba2b76e0

SHA512
e65704a6e9df214588f68c2a884267d9dfd655546bf9e51bd8c05b1f0b5da6b13e3d3af330c802ca7e4d589f277655fd8dccdc88ce4a9750b1130751073d687f

Download Submit
C:\Users\Admin\dllhost.exe

Filesize
1.1MB

MD5
1113b0d1ddea2e8513532c83ff1249a6

SHA1
6badc9fd0cae57373c306232a02681704c6eb44f

SHA256
9324819abc563b273e0c0e9c7bb1467224071472a940732727b20f3d4530fec1

SHA512
bd0c8fea7d0e9b53e348c29e35eba851c6c4e234de2e3c5a31bdc909e3f8e3f30388920d0b31202eede2719a57eb70516650769c819731934bf92312d618c31d

Download Submit
C:\Users\Default\RuntimeBroker.exe

Filesize
1.1MB

MD5
db5c49371c8ceb7032f7aaa80236838d

SHA1
d559dc588249a062694ccfccfa7de7cb4b2c16aa

SHA256
8a6e271f0cec3908f073e624ecc8f5267ce5dd73c2c1249453263134fad085bf

SHA512
661e0abb7bae3396e014664f6af54208c9cabd92016dc215414c0f328c3ecc6a3f416ab11a49cd3e8856dca877e043049ae251c318998d50f7762c021cac1b59

Download Submit
C:\Users\Public\Downloads\SearchApp.exe

Filesize
1.1MB

MD5
e3d7810f9882cde34ebbb0cb06caf6eb

SHA1
bdd341dbf1feb5df3dd862847d5025b821052e23

SHA256
2c843152b6eabc0a85ec7421e15d09784f1d87d2821ef9e76dcefa622bde2af9

SHA512
a963eaf192ff7c681a347cb32196212fe09f195bdea51487fb578004515618dd4ecbccbea1637b1a9b6caa8b64b37407130329e72fb382efa2a44f8a943a0b8f

Download Submit
memory/1148-245-0x00000000026A0000-0x00000000026D6000-memory.dmp

Filesize
216KB

Download
memory/1148-458-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/1148-468-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/1148-473-0x00000000071E0000-0x0000000007283000-memory.dmp

Filesize
652KB

Download
memory/1148-288-0x0000000005220000-0x0000000005848000-memory.dmp

Filesize
6.2MB

Download
memory/1356-594-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/1372-22-0x0000000005A80000-0x0000000005A92000-memory.dmp

Filesize
72KB

Download
memory/1372-190-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1372-29-0x0000000005BC0000-0x0000000005BCC000-memory.dmp

Filesize
48KB

Download
memory/1372-28-0x0000000005BA0000-0x0000000005BAA000-memory.dmp

Filesize
40KB

Download
memory/1372-32-0x0000000007670000-0x00000000076D6000-memory.dmp

Filesize
408KB

Download
memory/1372-17-0x0000000004C90000-0x0000000004CAC000-memory.dmp

Filesize
112KB

Download
memory/1372-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1372-21-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/1372-23-0x0000000007A90000-0x0000000007FBC000-memory.dmp

Filesize
5.2MB

Download
memory/1372-26-0x0000000005B50000-0x0000000005B5E000-memory.dmp

Filesize
56KB

Download
memory/1372-27-0x0000000005B70000-0x0000000005B7C000-memory.dmp

Filesize
48KB

Download
memory/1372-214-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1372-19-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/1372-18-0x0000000005A30000-0x0000000005A80000-memory.dmp

Filesize
320KB

Download
memory/1372-25-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/1372-24-0x0000000005B20000-0x0000000005B2C000-memory.dmp

Filesize
48KB

Download
memory/1372-393-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1372-16-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1372-14-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1372-20-0x0000000004CE0000-0x0000000004CF6000-memory.dmp

Filesize
88KB

Download
memory/1664-289-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

Filesize
136KB

Download
memory/1664-621-0x00000000070C0000-0x00000000070C8000-memory.dmp

Filesize
32KB

Download
memory/1664-291-0x0000000005490000-0x00000000057E4000-memory.dmp

Filesize
3.3MB

Download
memory/1664-620-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/1664-290-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/1664-513-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/1820-543-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/1956-619-0x0000000007770000-0x0000000007784000-memory.dmp

Filesize
80KB

Download
memory/1956-617-0x0000000007730000-0x0000000007741000-memory.dmp

Filesize
68KB

Download
memory/1956-533-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/2424-553-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/2536-554-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/3360-583-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/3600-11-0x0000000009A10000-0x0000000009B3E000-memory.dmp

Filesize
1.2MB

Download
memory/3600-7-0x0000000006670000-0x0000000006682000-memory.dmp

Filesize
72KB

Download
memory/3600-1-0x00000000004C0000-0x00000000005EC000-memory.dmp

Filesize
1.2MB

Download
memory/3600-2-0x0000000005350000-0x00000000058F4000-memory.dmp

Filesize
5.6MB

Download
memory/3600-3-0x0000000004E80000-0x0000000004F12000-memory.dmp

Filesize
584KB

Download
memory/3600-4-0x0000000005000000-0x000000000509C000-memory.dmp

Filesize
624KB

Download
memory/3600-5-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

Filesize
40KB

Download
memory/3600-6-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3600-15-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3600-8-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3600-9-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3600-10-0x0000000007440000-0x0000000007536000-memory.dmp

Filesize
984KB

Download
memory/3600-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3912-483-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/3912-616-0x0000000007480000-0x0000000007516000-memory.dmp

Filesize
600KB

Download
memory/3972-493-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/3972-618-0x0000000007780000-0x000000000778E000-memory.dmp

Filesize
56KB

Download
memory/4196-449-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/4196-448-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/4196-450-0x00000000072F0000-0x0000000007322000-memory.dmp

Filesize
200KB

Download
memory/4196-451-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/4480-523-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/4688-503-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/4760-615-0x0000000007D00000-0x0000000007D0A000-memory.dmp

Filesize
40KB

Download
memory/4760-600-0x0000000007C90000-0x0000000007CAA000-memory.dmp

Filesize
104KB

Download
memory/4760-593-0x00000000082D0000-0x000000000894A000-memory.dmp

Filesize
6.5MB

Download
memory/4760-472-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/4840-573-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download
memory/4912-605-0x0000000070FF0000-0x000000007103C000-memory.dmp

Filesize
304KB

Download