dcrat | 46116c9ab1a99b38621209da4c405a638542e11e818f8b93929bba881e619199

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Size

1.1MB
MD5

2ba1b8f482ac5910dcaa3dd5803c3e01
SHA1

e7928803a85484b7c47e8ab005d900b47ba4f4f0
SHA256

46116c9ab1a99b38621209da4c405a638542e11e818f8b93929bba881e619199
SHA512

55dccab037e6ad7a6dcab0cb3fd5f00952c573ae2250cb9ec3d0e5034256e2de69f60b5e383a303fbc72c12de912ad0782ccbc90500fb778ea9a5cbb873192b7
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdE:EPkVXFGDQoP7FRCZRonh4hfewhmpdE

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	180	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4836	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	4836	schtasks.exe	91

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1108-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1376	powershell.exe
4992	powershell.exe
4504	powershell.exe
4304	powershell.exe
4292	powershell.exe
4276	powershell.exe
2088	powershell.exe
4616	powershell.exe
3592	powershell.exe
2664	powershell.exe
4952	powershell.exe
2196	powershell.exe
1856	powershell.exe
4028	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Executes dropped EXE 5 IoCs

pid	Process
3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
3772	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
5804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
6056	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
2144	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3804 set thread context of 1108	3804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	99
PID 3312 set thread context of 3772	3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	171
PID 5804 set thread context of 6056	5804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	177

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Services\explorer.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Common Files\Services\7a0fd90576e088	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFD17.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows NT\d5a7132610e615	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXF871.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\spoolsv.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\Microsoft Office 15\f3b6ecef712a24	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXFA94.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX18.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\cc11b995f2a76d	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCXF580.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\explorer.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\Microsoft Office 15\spoolsv.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXF802.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXBE7.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File created	C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCXF5FE.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXFA95.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFD18.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXFF9A.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXB79.tmp	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4368	schtasks.exe
3896	schtasks.exe
4612	schtasks.exe
1496	schtasks.exe
3648	schtasks.exe
1856	schtasks.exe
1428	schtasks.exe
1752	schtasks.exe
2616	schtasks.exe
2104	schtasks.exe
4364	schtasks.exe
2376	schtasks.exe
4848	schtasks.exe
1460	schtasks.exe
2452	schtasks.exe
2964	schtasks.exe
880	schtasks.exe
1636	schtasks.exe
4280	schtasks.exe
1768	schtasks.exe
3532	schtasks.exe
1396	schtasks.exe
3940	schtasks.exe
4548	schtasks.exe
5016	schtasks.exe
3836	schtasks.exe
4748	schtasks.exe
2448	schtasks.exe
180	schtasks.exe
2808	schtasks.exe
4508	schtasks.exe
872	schtasks.exe
2092	schtasks.exe
3832	schtasks.exe
2332	schtasks.exe
2188	schtasks.exe
1520	schtasks.exe
2280	schtasks.exe
3156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
4028	powershell.exe
4028	powershell.exe
4504	powershell.exe
4504	powershell.exe
2088	powershell.exe
2088	powershell.exe
2664	powershell.exe
2664	powershell.exe
1856	powershell.exe
1856	powershell.exe
4952	powershell.exe
4952	powershell.exe
4304	powershell.exe
4304	powershell.exe
3592	powershell.exe
3592	powershell.exe
4992	powershell.exe
4992	powershell.exe
1376	powershell.exe
1376	powershell.exe
4616	powershell.exe
4616	powershell.exe
4292	powershell.exe
4292	powershell.exe
2196	powershell.exe
2196	powershell.exe
4276	powershell.exe
4276	powershell.exe
4504	powershell.exe
4028	powershell.exe
2664	powershell.exe
4952	powershell.exe
4276	powershell.exe
2088	powershell.exe
2196	powershell.exe
3592	powershell.exe
4304	powershell.exe
4992	powershell.exe
1856	powershell.exe
1376	powershell.exe
4616	powershell.exe
4292	powershell.exe
3772	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
6056	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	3772	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
Token: SeDebugPrivilege	6056	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 1108	3804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	99
PID 3804 wrote to memory of 1108	3804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	99
PID 3804 wrote to memory of 1108	3804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	99
PID 3804 wrote to memory of 1108	3804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	99
PID 3804 wrote to memory of 1108	3804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	99
PID 3804 wrote to memory of 1108	3804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	99
PID 3804 wrote to memory of 1108	3804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	99
PID 3804 wrote to memory of 1108	3804	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	99
PID 1108 wrote to memory of 2088	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	142
PID 1108 wrote to memory of 2088	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	142
PID 1108 wrote to memory of 2088	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	142
PID 1108 wrote to memory of 4504	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	143
PID 1108 wrote to memory of 4504	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	143
PID 1108 wrote to memory of 4504	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	143
PID 1108 wrote to memory of 4304	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	144
PID 1108 wrote to memory of 4304	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	144
PID 1108 wrote to memory of 4304	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	144
PID 1108 wrote to memory of 2196	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	145
PID 1108 wrote to memory of 2196	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	145
PID 1108 wrote to memory of 2196	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	145
PID 1108 wrote to memory of 4292	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	148
PID 1108 wrote to memory of 4292	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	148
PID 1108 wrote to memory of 4292	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	148
PID 1108 wrote to memory of 4276	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	150
PID 1108 wrote to memory of 4276	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	150
PID 1108 wrote to memory of 4276	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	150
PID 1108 wrote to memory of 4992	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	151
PID 1108 wrote to memory of 4992	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	151
PID 1108 wrote to memory of 4992	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	151
PID 1108 wrote to memory of 4952	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	152
PID 1108 wrote to memory of 4952	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	152
PID 1108 wrote to memory of 4952	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	152
PID 1108 wrote to memory of 2664	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	153
PID 1108 wrote to memory of 2664	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	153
PID 1108 wrote to memory of 2664	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	153
PID 1108 wrote to memory of 1376	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	154
PID 1108 wrote to memory of 1376	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	154
PID 1108 wrote to memory of 1376	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	154
PID 1108 wrote to memory of 4028	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	155
PID 1108 wrote to memory of 4028	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	155
PID 1108 wrote to memory of 4028	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	155
PID 1108 wrote to memory of 1856	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	156
PID 1108 wrote to memory of 1856	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	156
PID 1108 wrote to memory of 1856	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	156
PID 1108 wrote to memory of 3592	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	157
PID 1108 wrote to memory of 3592	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	157
PID 1108 wrote to memory of 3592	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	157
PID 1108 wrote to memory of 4616	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	158
PID 1108 wrote to memory of 4616	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	158
PID 1108 wrote to memory of 4616	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	158
PID 1108 wrote to memory of 3312	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	170
PID 1108 wrote to memory of 3312	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	170
PID 1108 wrote to memory of 3312	1108	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	170
PID 3312 wrote to memory of 3772	3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	171
PID 3312 wrote to memory of 3772	3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	171
PID 3312 wrote to memory of 3772	3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	171
PID 3312 wrote to memory of 3772	3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	171
PID 3312 wrote to memory of 3772	3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	171
PID 3312 wrote to memory of 3772	3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	171
PID 3312 wrote to memory of 3772	3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	171
PID 3312 wrote to memory of 3772	3312	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	171
PID 3772 wrote to memory of 5656	3772	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	173
PID 3772 wrote to memory of 5656	3772	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	173
PID 3772 wrote to memory of 5656	3772	5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
"C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1856
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
    "C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
      "{path}"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76165be7-5e94-46f3-9849-0652bce5f739.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5656
      - C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
        
        "C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
        
        "{path}"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d8cbfac-24d7-4834-99ed-1715156351d9.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe
        
        "C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f09f10c-b140-4fc5-9ad7-feb8aaf96192.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5db46df9-60ce-41a0-ae2d-43f19da612c2.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N5" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N5" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe

Filesize
1.1MB

MD5
2b67cc9c9e47d294f5dcab8fdae8c872

SHA1
6d1ea8cbd88cf88b5b28cd0d5eee20a84ef55c29

SHA256
c5d8f6244f19e25cced172b62352a1415ca7985b103dbddf4bc42294dc7c0783

SHA512
d4cdc86d73d3d41255e5eb3e572a87121ff1201fd434d65b0b83450d6d88c2fb16219bdaaac2659a971b294d7e327dfcd75ac6fe6dacb503ee2e9630387c2dee

Download Submit
C:\Program Files (x86)\Windows NT\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe

Filesize
1.1MB

MD5
9c8c8b64f7f6202ec3bbf78a599ff304

SHA1
a30b0b75d11fea3f8bd5924303f5b1c34bd0615b

SHA256
c8c2bdb38a3cb84be31037bcaab319308e66257cbc8f98b99ae1fbf759bac1ca

SHA512
2356bf0a95a9f69d4165bdb5ea590dfcf41ec756d85475366c347bb40e443d229a8bc1105d25333f2471c07cb9a176fca54413a347e29af1855ffcf7682c7761

Download Submit
C:\Program Files\Microsoft Office 15\spoolsv.exe

Filesize
1.1MB

MD5
0ef4fdfa35db0cc181cfbe9eab6cb599

SHA1
5ef86eb320cbea7d076295e1739d34b727d574e6

SHA256
38748dec29c8cc5403444f518f9b6f0611426d774e961d6b0551b4e9dc62ccc8

SHA512
09136377a0acbdcd99eb95fcc99be0c4f4050b82c5ae089cae7763944ba95395a8763ded4f7aeb053201ef0665cb90d3bcd15869616d97a7d4d784ddf5aab5de

Download Submit
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe

Filesize
1.1MB

MD5
2ba1b8f482ac5910dcaa3dd5803c3e01

SHA1
e7928803a85484b7c47e8ab005d900b47ba4f4f0

SHA256
46116c9ab1a99b38621209da4c405a638542e11e818f8b93929bba881e619199

SHA512
55dccab037e6ad7a6dcab0cb3fd5f00952c573ae2250cb9ec3d0e5034256e2de69f60b5e383a303fbc72c12de912ad0782ccbc90500fb778ea9a5cbb873192b7

Download Submit
C:\ProgramData\unsecapp.exe

Filesize
1.1MB

MD5
ef4718ad2c88bc5f7a5f7901f2dd83b8

SHA1
a86baf1020db6c49deb8e7713d2433c78bd681aa

SHA256
aaa9b9fd4009e6aec1440c5a6d0dd98c099a3b2158a5b4a4c99f6c88e1ce68fb

SHA512
388da9d34f2e87b34b6e32e88b3d91e77d2ceb18bee0a0fda4764a45cb50e218cf8c2331195252fd663a24d1734fbb694a4a4282608500fec3501d171b5e5d45

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.1MB

MD5
2d62e4460664744e313805dd4c794dbc

SHA1
4a3139bd1462f73d89bee7b84c19fad4350f602f

SHA256
77e435a8d21bd15256872ea9464c107c526d78f8617086caa3c9c488ab8ba567

SHA512
d2be750b3c66022596e90b6f91208c886ccb9d4f699d476f5417a8a755da90e549f712b36859b854fa460916108e4f934059b677b47b857806f6bdabddda8fa4

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.1MB

MD5
2d9a3ab6523f7b8993ec9fc3900025ef

SHA1
ba2d248e3381cfc88c3ba0974723c423535319a0

SHA256
0c73b1846258d1752f51ca2ac6420bd779c2cb94b202cc7e9147d109a5c24b63

SHA512
3bcc7f7f6587456551c736ce341db759f02947e5095b836915e618297dacb0f3174d1b981eb685e24470145b5ed494e20378285e9d14fef5283bc084af121bf5

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.1MB

MD5
abde421f65c61cff72bef44853c1d095

SHA1
48d7f703e41aec6d8ea171cfc79980c84417deb3

SHA256
335c7b275ea81b7497804e42324c8e7cfea2e70af169cfbcbf436feed3f79a51

SHA512
15e391d0bc6229d8a20b5abc16ebf700ad39437a312aba3792383fdea61b713f922803631cee6f4f20b21e64d9cd5b84851f275106b6f346ec82883c6a9036f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5e24470c0ffbb6df1fd04ff55e861a806efcfe2ba2a486a20643d4e0fe69ac01N.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c17bfa7e04aec07da258088ad0389330

SHA1
57cb0ae2bf5cb21ad11df8960b4f5f309ecf34f4

SHA256
80d48e2941827e91077c1ad6596d282bba3f71dffc909112754e5068c2bcedbd

SHA512
7ac8b39372b848ae0290db9710a7b4877dbd79645e3aba4fe99f6d4d263034aedd55188fa5d9cc4e3d509151f5f20183a23add5ea36d810e14084eb53e3feb00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
72290a1e9d791847fc970771b5ff90b3

SHA1
3a233142d5d239dd21804aee310b1376b58686b7

SHA256
d97cff87faa1ad35f803565e4f5cbb5fe59b46a29a7ecea312c3db19035bb351

SHA512
ae9be53d92348ef8384432cb97c3ec5c12ba69880b078ab55ea5a01b2c748cda80ff1f9e1848bdede2901c50a6378191beb1ceb2c30d4772c75a875d68adc119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1b3117a7a37c07b7adc4e8cee2a71e30

SHA1
d7091754bd440f3c143663322d43e6e45b266d3f

SHA256
8a7940753bb17a0f9d1da8140be6e7ec48d35166ee15784a722879af13e77292

SHA512
da0c370171b6e48dbd1cdc971ed13f6316659406858ccd4b39cbb9f63a1eced6a1c12b27b9cebcae71fa3900bea5904ed9de3a1a4645c2569a2fb0244256642c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cdcd83b44f611eb4ffb2dd6154437600

SHA1
f8d90891ce1d6886c15aa5749c0a499fe681d0dc

SHA256
ecd1713ab2e86af2f6d83dcc85cd3f6b690f95d81f54f42c0e0700359336c853

SHA512
d1dd2d4dcc967c27bd3d3c66a3d83597c07b8b0e04f35589a8d7a976b90534d7a9040e16fe670daa643a62038b706990d1903673faba976b113dfc8093f34187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
77c935307c29a2391c90c7488ad7d790

SHA1
99ef0bcec712d89eaf54c124f94e555f90048cf6

SHA256
beb565843fcbb5b8ff388ac0c3a39c6cae65a4adcde03e7d26ea6e5d2ac910d6

SHA512
374a692673e4b02682b0fe639109477fca6d590264d854c214f181c65d2ec362ef0785991dac9a75fa39b530a53e2c98eac181fad1bca954efd4bc6b17413ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
552bfd74e058627ef342b0f3ee3b0257

SHA1
3385fbe9934b2e24c0b8021da82a20786520b6ab

SHA256
87d2f98eca7d0f00ae9480e7555d38d2e0fc8c732415759280ea5c4eaccd8670

SHA512
cb68e71f0679c083b773b0dcd0307a351fe1a835b53297b78be42a144afd8966a41ae832a8a7076eb366699d60ad6636c82a8d924edb285e6d2a9730600b5032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c3421b14867295bddbffda7e595da67c

SHA1
a215e1efddc2a3d9bff756d99b806181e07ee89b

SHA256
2c58060be72dd40f65956ee6a2d9cc8ce0063dd35486e1d907b91870e9b4fbac

SHA512
d60eb636d8059b6d425c163d912470c4356fb80563e2c6984c8fd982889c4a7094fe11f55cd5b87188948777937840cf2c19b3ef4469fab24fdeb0c161651c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fa01e0261072de2d18ce701a924cc9dc

SHA1
1bcfe244e8cec7fdd6001d024d8e1f747b15885e

SHA256
faf7d2cacbaef6082dee768e33ce88c321abc0b5076a5eaccf5252fea1303b8c

SHA512
4fbf77afa67529126e5ae3336e6cf3518524f38a9ed67d498199b924ca9c5299254716b5c855c9c90c9c8890207f0cf4e01a65e351bcc9a3f75e6ba71706f543

Download Submit
C:\Users\Admin\AppData\Local\Temp\5db46df9-60ce-41a0-ae2d-43f19da612c2.vbs

Filesize
555B

MD5
c676c36b4499b31009738c2c24e9bbf0

SHA1
b7457cd04e9c0361c30362fd070cf25e21619d27

SHA256
4ed55705b896470e15e1ab4eab4fe20b8dc25928c64206a6056317f885640c19

SHA512
45630916ec8dacec4273d9a0b842629e9c017f707cb4d6e27916d12b1d0f19eec9b745024615cb56e4d11b3d7812cbc646eecb5a4d26fa98966777f861774f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\76165be7-5e94-46f3-9849-0652bce5f739.vbs

Filesize
779B

MD5
26a1749741c30c1d6354d7500882d8cb

SHA1
316cc1ac7f5ed64c5d9218632388be5ca3bc1e55

SHA256
3abf7d9222598f534aa24277615130c53cb7f467eccebab444e6b4c441722f3a

SHA512
3319d822c901d56fe1cfb6e8751bbdcde93e3e5099dce6b40d37b620057ca88e91ad90de4654d33a2bb9fd21fa0f3f60a0624b2ee2b37477f271040d70ed2877

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d8cbfac-24d7-4834-99ed-1715156351d9.vbs

Filesize
779B

MD5
2482cc17f621ca634c04c06b35deef84

SHA1
31f2769cbd17bba69c46135c10c6eaa5e48c18b3

SHA256
d677eff084381333c0473eafb57baaca1c3eabc451e53f935a0805f3f42a71ae

SHA512
7120b412c33e69c2e561b59c05cb2f2e30250b0e57a0e6239946c149e0941305b2ecd7edce289ad8e2a9059d4c07aefb9548fdb186ef24031b76fbda89a95dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdydinxg.fej.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe

Filesize
1.1MB

MD5
97b6aebe3e1839045e57986dc45b9673

SHA1
51e547b11dac70a18b29588c35f02296cde287b7

SHA256
bb020e4a1a274be3107ba120db10620fff66ac3336d2215139e955b4cb38833c

SHA512
e4b556cfce42118d6de983d6cb12671012eff86dfb97f55a8809b320e2cf4b1102855bad82faf120f70281dce588e92ecf944c0c1b0ae73b9966e553c3b81b4a

Download Submit
memory/1108-17-0x00000000013C0000-0x00000000013DC000-memory.dmp

Filesize
112KB

Download
memory/1108-22-0x0000000002DB0000-0x0000000002DC2000-memory.dmp

Filesize
72KB

Download
memory/1108-25-0x0000000005C10000-0x0000000005C1A000-memory.dmp

Filesize
40KB

Download
memory/1108-24-0x0000000005C00000-0x0000000005C0C000-memory.dmp

Filesize
48KB

Download
memory/1108-29-0x0000000005CA0000-0x0000000005CAC000-memory.dmp

Filesize
48KB

Download
memory/1108-28-0x0000000005C80000-0x0000000005C8A000-memory.dmp

Filesize
40KB

Download
memory/1108-32-0x00000000088D0000-0x0000000008936000-memory.dmp

Filesize
408KB

Download
memory/1108-27-0x0000000005C50000-0x0000000005C5C000-memory.dmp

Filesize
48KB

Download
memory/1108-23-0x0000000008D00000-0x000000000922C000-memory.dmp

Filesize
5.2MB

Download
memory/1108-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1108-21-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/1108-20-0x0000000001410000-0x0000000001426000-memory.dmp

Filesize
88KB

Download
memory/1108-19-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/1108-18-0x0000000005B30000-0x0000000005B80000-memory.dmp

Filesize
320KB

Download
memory/1108-175-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1108-372-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1108-16-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1108-198-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1108-26-0x0000000005C30000-0x0000000005C3E000-memory.dmp

Filesize
56KB

Download
memory/1108-14-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1376-520-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/1856-459-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/2088-489-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/2196-469-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/2664-427-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/3312-391-0x0000000000CF0000-0x0000000000E1C000-memory.dmp

Filesize
1.2MB

Download
memory/3312-575-0x0000000007F80000-0x0000000008076000-memory.dmp

Filesize
984KB

Download
memory/3592-439-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/3772-578-0x0000000005D90000-0x0000000005DA2000-memory.dmp

Filesize
72KB

Download
memory/3804-11-0x000000000A110000-0x000000000A23E000-memory.dmp

Filesize
1.2MB

Download
memory/3804-7-0x0000000005820000-0x0000000005832000-memory.dmp

Filesize
72KB

Download
memory/3804-6-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/3804-5-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/3804-4-0x0000000005740000-0x00000000057DC000-memory.dmp

Filesize
624KB

Download
memory/3804-3-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/3804-8-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/3804-2-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/3804-1-0x0000000000BA0000-0x0000000000CCC000-memory.dmp

Filesize
1.2MB

Download
memory/3804-9-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/3804-10-0x0000000006C80000-0x0000000006D76000-memory.dmp

Filesize
984KB

Download
memory/3804-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/3804-15-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/4028-257-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/4028-543-0x0000000007BC0000-0x0000000007BD4000-memory.dmp

Filesize
80KB

Download
memory/4028-255-0x0000000005ED0000-0x0000000005EF2000-memory.dmp

Filesize
136KB

Download
memory/4028-407-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/4028-545-0x0000000007CA0000-0x0000000007CA8000-memory.dmp

Filesize
32KB

Download
memory/4028-544-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

Filesize
104KB

Download
memory/4028-542-0x0000000007BB0000-0x0000000007BBE000-memory.dmp

Filesize
56KB

Download
memory/4276-449-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/4292-500-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/4304-499-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/4504-437-0x0000000007920000-0x0000000007F9A000-memory.dmp

Filesize
6.5MB

Download
memory/4504-267-0x0000000005AB0000-0x0000000005E04000-memory.dmp

Filesize
3.3MB

Download
memory/4504-540-0x0000000007580000-0x0000000007616000-memory.dmp

Filesize
600KB

Download
memory/4504-201-0x00000000029D0000-0x0000000002A06000-memory.dmp

Filesize
216KB

Download
memory/4504-438-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/4504-249-0x0000000005230000-0x0000000005858000-memory.dmp

Filesize
6.2MB

Download
memory/4504-519-0x0000000007370000-0x000000000737A000-memory.dmp

Filesize
40KB

Download
memory/4504-394-0x0000000007130000-0x0000000007162000-memory.dmp

Filesize
200KB

Download
memory/4504-395-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/4504-405-0x0000000007110000-0x000000000712E000-memory.dmp

Filesize
120KB

Download
memory/4504-406-0x0000000007180000-0x0000000007223000-memory.dmp

Filesize
652KB

Download
memory/4504-393-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/4504-392-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/4504-541-0x0000000007500000-0x0000000007511000-memory.dmp

Filesize
68KB

Download
memory/4616-521-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/4952-417-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/4992-479-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/6056-591-0x0000000005030000-0x0000000005042000-memory.dmp

Filesize
72KB

Download