dcrat | 4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Size

1.7MB
MD5

17ec06d456ef3bb342d301f1a0e7f5ae
SHA1

da6432e5a3cc4f5c52420e0e4adbbb6c22249071
SHA256

4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261
SHA512

bc434febf5ac6600e40134ea72feeef048b895167701bef85c447776a423d533a120bc1feee1173cdeb8b0a13f8d2bddb2d8200b7ec005f3b8aaad430300de28
SSDEEP

49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:uTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	496	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	496	schtasks.exe	82

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4264-1-0x0000000000120000-0x00000000002E0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cc4-30.dat	dcrat
behavioral2/files/0x000c000000023cac-84.dat	dcrat
behavioral2/files/0x0009000000023cbf-95.dat	dcrat
behavioral2/files/0x000a000000023cc4-118.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4480	powershell.exe
3872	powershell.exe
4316	powershell.exe
1672	powershell.exe
2340	powershell.exe
1296	powershell.exe
2000	powershell.exe
3708	powershell.exe
2500	powershell.exe
1212	powershell.exe
1388	powershell.exe
2000	powershell.exe
2176	powershell.exe
572	powershell.exe
4992	powershell.exe
1792	powershell.exe
2900	powershell.exe
4776	powershell.exe
4896	powershell.exe
2212	powershell.exe
2604	powershell.exe
1212	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 10 IoCs

pid	Process
3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4280	RuntimeBroker.exe
4932	RuntimeBroker.exe
692	RuntimeBroker.exe
1348	RuntimeBroker.exe
3552	RuntimeBroker.exe
2320	RuntimeBroker.exe
3412	RuntimeBroker.exe
5036	RuntimeBroker.exe
2544	RuntimeBroker.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\uk-UA\121e5b5079f7c0	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Microsoft Office\taskhostw.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\7-Zip\Lang\TextInputHost.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\7-Zip\Lang\22eafd247d37c3	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXA609.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXACE4.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCXB1EA.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Windows Media Player\uk-UA\fontdrvhost.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Microsoft Office\taskhostw.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\cc11b995f2a76d	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\WindowsPowerShell\9e8d7a4ca61bd9	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXA608.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXAD52.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\6ccacd8608530f	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RuntimeBroker.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Windows Media Player\uk-UA\5b884080fd4f94	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Microsoft Office\ea9f0e6c9e2dcd	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\7-Zip\Lang\TextInputHost.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\7a0fd90576e088	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\sysmon.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCXB17C.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\sysmon.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\WindowsPowerShell\RuntimeBroker.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\121e5b5079f7c0	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows Media Player\uk-UA\fontdrvhost.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\TAPI\RuntimeBroker.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\explorer.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\Speech\Engines\SR\de-DE\conhost.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\RCXAA71.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\RCXAADF.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\INF\BITS\winlogon.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\TAPI\9e8d7a4ca61bd9	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\ServiceState\SEMgrSvc\Data\OfficeClickToRun.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\Speech\Common\de-DE\RuntimeBroker.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\TAPI\RuntimeBroker.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\INF\BITS\winlogon.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\ImmersiveControlPanel\7a0fd90576e088	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\INF\BITS\cc11b995f2a76d	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\ImmersiveControlPanel\explorer.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\WaaS\tasks\dwm.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4828	schtasks.exe
3724	schtasks.exe
3028	schtasks.exe
1360	schtasks.exe
3888	schtasks.exe
456	schtasks.exe
3524	schtasks.exe
2388	schtasks.exe
316	schtasks.exe
220	schtasks.exe
2292	schtasks.exe
456	schtasks.exe
4132	schtasks.exe
4964	schtasks.exe
4080	schtasks.exe
1440	schtasks.exe
2776	schtasks.exe
3500	schtasks.exe
3708	schtasks.exe
4972	schtasks.exe
4004	schtasks.exe
3988	schtasks.exe
788	schtasks.exe
4264	schtasks.exe
960	schtasks.exe
3820	schtasks.exe
2272	schtasks.exe
3528	schtasks.exe
396	schtasks.exe
1472	schtasks.exe
3724	schtasks.exe
3344	schtasks.exe
1280	schtasks.exe
3980	schtasks.exe
5048	schtasks.exe
4860	schtasks.exe
3092	schtasks.exe
2644	schtasks.exe
1964	schtasks.exe
3348	schtasks.exe
656	schtasks.exe
4932	schtasks.exe
740	schtasks.exe
1884	schtasks.exe
436	schtasks.exe
4504	schtasks.exe
2140	schtasks.exe
3348	schtasks.exe
4968	schtasks.exe
3668	schtasks.exe
3636	schtasks.exe
3264	schtasks.exe
5088	schtasks.exe
1988	schtasks.exe
1228	schtasks.exe
5092	schtasks.exe
2588	schtasks.exe
3056	schtasks.exe
1196	schtasks.exe
3620	schtasks.exe
1992	schtasks.exe
652	schtasks.exe
2016	schtasks.exe
4184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
1212	powershell.exe
1672	powershell.exe
1672	powershell.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4480	powershell.exe
4480	powershell.exe
2000	powershell.exe
3708	powershell.exe
2000	powershell.exe
3708	powershell.exe
4776	powershell.exe
4776	powershell.exe
3872	powershell.exe
3872	powershell.exe
2176	powershell.exe
2176	powershell.exe
4316	powershell.exe
4316	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	4280	RuntimeBroker.exe
Token: SeDebugPrivilege	4932	RuntimeBroker.exe
Token: SeDebugPrivilege	692	RuntimeBroker.exe
Token: SeDebugPrivilege	1348	RuntimeBroker.exe
Token: SeDebugPrivilege	3552	RuntimeBroker.exe
Token: SeDebugPrivilege	2320	RuntimeBroker.exe
Token: SeDebugPrivilege	3412	RuntimeBroker.exe
Token: SeDebugPrivilege	5036	RuntimeBroker.exe
Token: SeDebugPrivilege	2544	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 2900	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	104
PID 4264 wrote to memory of 2900	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	104
PID 4264 wrote to memory of 1388	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	105
PID 4264 wrote to memory of 1388	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	105
PID 4264 wrote to memory of 4480	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	106
PID 4264 wrote to memory of 4480	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	106
PID 4264 wrote to memory of 3708	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	107
PID 4264 wrote to memory of 3708	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	107
PID 4264 wrote to memory of 2000	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	108
PID 4264 wrote to memory of 2000	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	108
PID 4264 wrote to memory of 1212	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	109
PID 4264 wrote to memory of 1212	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	109
PID 4264 wrote to memory of 1672	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	110
PID 4264 wrote to memory of 1672	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	110
PID 4264 wrote to memory of 2176	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	111
PID 4264 wrote to memory of 2176	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	111
PID 4264 wrote to memory of 4776	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	112
PID 4264 wrote to memory of 4776	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	112
PID 4264 wrote to memory of 4316	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	113
PID 4264 wrote to memory of 4316	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	113
PID 4264 wrote to memory of 3872	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	114
PID 4264 wrote to memory of 3872	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	114
PID 4264 wrote to memory of 4228	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	126
PID 4264 wrote to memory of 4228	4264	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	126
PID 4228 wrote to memory of 1724	4228	cmd.exe	128
PID 4228 wrote to memory of 1724	4228	cmd.exe	128
PID 4228 wrote to memory of 3160	4228	cmd.exe	132
PID 4228 wrote to memory of 3160	4228	cmd.exe	132
PID 3160 wrote to memory of 572	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	187
PID 3160 wrote to memory of 572	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	187
PID 3160 wrote to memory of 2340	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	188
PID 3160 wrote to memory of 2340	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	188
PID 3160 wrote to memory of 4896	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	189
PID 3160 wrote to memory of 4896	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	189
PID 3160 wrote to memory of 1296	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	190
PID 3160 wrote to memory of 1296	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	190
PID 3160 wrote to memory of 2212	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	191
PID 3160 wrote to memory of 2212	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	191
PID 3160 wrote to memory of 2604	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	192
PID 3160 wrote to memory of 2604	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	192
PID 3160 wrote to memory of 2000	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	193
PID 3160 wrote to memory of 2000	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	193
PID 3160 wrote to memory of 1212	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	194
PID 3160 wrote to memory of 1212	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	194
PID 3160 wrote to memory of 2500	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	195
PID 3160 wrote to memory of 2500	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	195
PID 3160 wrote to memory of 4992	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	196
PID 3160 wrote to memory of 4992	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	196
PID 3160 wrote to memory of 1792	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	197
PID 3160 wrote to memory of 1792	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	197
PID 3160 wrote to memory of 3480	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	209
PID 3160 wrote to memory of 3480	3160	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	209
PID 3480 wrote to memory of 1532	3480	cmd.exe	211
PID 3480 wrote to memory of 1532	3480	cmd.exe	211
PID 3480 wrote to memory of 4280	3480	cmd.exe	213
PID 3480 wrote to memory of 4280	3480	cmd.exe	213
PID 4280 wrote to memory of 2280	4280	RuntimeBroker.exe	215
PID 4280 wrote to memory of 2280	4280	RuntimeBroker.exe	215
PID 4280 wrote to memory of 4400	4280	RuntimeBroker.exe	216
PID 4280 wrote to memory of 4400	4280	RuntimeBroker.exe	216
PID 2280 wrote to memory of 4932	2280	WScript.exe	217
PID 2280 wrote to memory of 4932	2280	WScript.exe	217
PID 4932 wrote to memory of 1280	4932	RuntimeBroker.exe	218
PID 4932 wrote to memory of 1280	4932	RuntimeBroker.exe	218

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
"C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6013u8bioA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
    "C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xk1H8t4K12.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1532
    - - C:\Windows\TAPI\RuntimeBroker.exe
        
        "C:\Windows\TAPI\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8408a522-5da6-4532-8a93-6eb6aee9564a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd025747-df26-4b7b-ac63-69ca81188c39.vbs"
        8⤵
        
        PID:1280
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\587ab5b7-8f3e-44fb-82d0-b8cd99c80c90.vbs"
        10⤵
        
        PID:3436
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b3ebada-fc04-4bfa-9c17-948cf849b1bf.vbs"
        12⤵
        
        PID:4788
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2bc37d5-ba4f-4de4-b546-30a7472b61b4.vbs"
        14⤵
        
        PID:1084
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21d58eb4-371a-4362-9727-eff5bf03c1fc.vbs"
        16⤵
        
        PID:1968
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c666e71-6584-4734-a165-1ff21599fcf4.vbs"
        18⤵
        
        PID:1092
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\400ca583-2b35-4c0d-98f7-1272f210238a.vbs"
        20⤵
        
        PID:4404
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46b30cb2-3b58-4d32-948f-082560ef4ab1.vbs"
        22⤵
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f9a7df6-010b-462f-9390-ec0e7fbc02c0.vbs"
        22⤵
        
        PID:4768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20bb69de-9674-49c0-8797-d35e16e6a441.vbs"
        20⤵
        
        PID:4504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67568ad9-64d0-4bec-9ee9-6b69114a5790.vbs"
        18⤵
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b75663-74ae-4c45-84b0-8a7f77b23a14.vbs"
        16⤵
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a40067ea-21c0-4565-8ff4-c7f8f0153103.vbs"
        14⤵
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\033e9879-621f-4d25-82d2-6712857775d9.vbs"
        12⤵
        
        PID:4492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7220dbb3-5fcb-4276-ae1c-61d5442503a6.vbs"
        10⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\411e8b17-bb4d-4a7e-8405-722fd087e95f.vbs"
        8⤵
        
        PID:1456
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57de9839-702c-4297-a0c3-1a37166b332f.vbs"
        6⤵
        
        PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\ImmersiveControlPanel\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\ImmersiveControlPanel\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\uk-UA\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\uk-UA\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\BITS\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\INF\BITS\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\BITS\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Recent\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

Filesize
1.7MB

MD5
17ec06d456ef3bb342d301f1a0e7f5ae

SHA1
da6432e5a3cc4f5c52420e0e4adbbb6c22249071

SHA256
4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261

SHA512
bc434febf5ac6600e40134ea72feeef048b895167701bef85c447776a423d533a120bc1feee1173cdeb8b0a13f8d2bddb2d8200b7ec005f3b8aaad430300de28

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe

Filesize
1.7MB

MD5
3df95a075b98ff17282de92dabfb468b

SHA1
114084e898da6b6dd496d613eac2d525e3f94db4

SHA256
2db6fbf98b07aad6ab5bb78fbfbaeed502e771a22a40f5f9867eeb9c4e86fae0

SHA512
402c0bdce4ae125d38a2e2afa7013b032a9b6ce293449cf1d7b1547540b2f4d68b80965143fe08f592daea716907af216bf8b3e2ccacdd5bc5b1a725c7be1e48

Download Submit
C:\Program Files\WindowsPowerShell\RuntimeBroker.exe

Filesize
1.7MB

MD5
068d962b3b86c116724b218e79d1c790

SHA1
fd3649dc1b6143dbfdfc67909bfcc7e44c08b993

SHA256
5208aa631765e963efa271fc1d2313814eb88c95ed671220ed335b8c7d8de288

SHA512
817504bb9f174d806d94b1f506e6dfe9f707c8355603b7e3d4fbd926be838039e4d8ff3717bece97d3149f64c36f76e7a7c2f6075dbd6feedc250fb91136f8ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a83ce2908066654f712d1858746bc3c4

SHA1
14887f0537ce076cdc91801fb5fa584b25f1089f

SHA256
7c32ae0eaa4fef7404ce708744116ab8ea17d9575bbb3b06eb41a443f963456f

SHA512
991b20116815c7db3497d0ede9a216c7b78795e65f898847ffec513692f0c24d146a123725d14a2e1e3efb5744a626dd025a364f2f55f581e21640794a0cc551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07ab6cc81c5230a598c0ad1711b6bd97

SHA1
de7e270e12d447dfc5896b7c96777eb32725778a

SHA256
900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3

SHA512
ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51cf8df21f531e31f7740b4ec487a48a

SHA1
40c6a73b22d71625a62df109aefc92a5f9b9d13e

SHA256
263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

SHA512
57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e59140d6693b6a0f6a8617b45bdef9fe

SHA1
7157a22b2533d10fe8ed91d2c5782b44c79bbcde

SHA256
baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

SHA512
117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b638eec6364092d56ae6f40b415434c9

SHA1
04ae738eb89449e73bfd704fa034f1a09efca6e3

SHA256
22ee195f5c65b53528be0b6cdf72cf02ca063289e8804927e14d91fb5a6d2634

SHA512
c878411addadb54c080ddd3ccf9f0fa6d95e351cd618bceb4b697579042edd5b3347c4535feb03fafe5d201cf1dbbd898b41af2a13f317bc994415b528b4990f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9006afb2f47b3bb7d3669c647651e29c

SHA1
cdc0d7654be8e516df2c36accd9b52eac1f00ffd

SHA256
a025443b35555d64473b1ef01194239e808c49b47c924b99b942514036901302

SHA512
f2e72bbecfa823415bd0be7a091b1272e10e11059a71baf115780aa7ce3e694d114f6642de161ccba24e2182765b8188cc6dbb804fd07e318af9e1917549841c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0517d7daa86e87ab93c37adcb931f498

SHA1
6b243308a84f033c4943c7f63c0f824d8db31a13

SHA256
3a962e5df85eedfa6b55bc984b49cf87f3ee67b81b849121f05defb6cafcad28

SHA512
a573701c9048be1cc7562d76ad5c5ec3be0928d476bcd2deb18e7585391d5d239dea81b528279f2d97c9dff6c08e1c10251b8e7ac162e6b57e602d2d9818593b

Download Submit
C:\Users\Admin\AppData\Local\Temp\21d58eb4-371a-4362-9727-eff5bf03c1fc.vbs

Filesize
709B

MD5
2588f3b7159fdb3616d1f5b348200076

SHA1
8800d1c26cb3f5fb16c758784e19433093ead5fc

SHA256
6781bede04b8109812b72438e3dae29cb60c0be7bdd9a031d6f3cf3b66a7ee8d

SHA512
3b78f6d3709635b3d813c9d817412d470d87cd28f6ff5f70ab2430b9f5e3d751dec2944f73f352eab7e739fb2b506bbcb1b9d1c883d63c296bd944659162064f

Download Submit
C:\Users\Admin\AppData\Local\Temp\400ca583-2b35-4c0d-98f7-1272f210238a.vbs

Filesize
709B

MD5
9e11433e24ec2be079b312dc07bd22e8

SHA1
382650caec3a72b7a138a1c7ecb2e62c6519c06d

SHA256
45d32cc65d31a16d5971049683c0633a01861fb731f5f2207c47e91525d35655

SHA512
9de1d3bb8a6fd7492e797537b06c0fc89f4371617423a7d070a52db3f924f7a30d288111dfc9b97ad733cd3ac4e4a486de17510d745582e035e07f9bc3747ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\46b30cb2-3b58-4d32-948f-082560ef4ab1.vbs

Filesize
709B

MD5
8b0fbb6c89fcbe6d56a70cc9ef42c586

SHA1
1e7c7e988bf94cbede9290471fd820ffa6fce1a9

SHA256
65456fa5734e7b2981a532b75061dfce507d90922b72ff4a1d82fdded6463dbb

SHA512
11d6c245c84c725a19e41cd74a8cbd61ac5227913521864db82f6a6f059f26c2f32979e55852c17a33bfd0b704d2c0f1adc40963fb3f0e46f4456435acdf6f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\57de9839-702c-4297-a0c3-1a37166b332f.vbs

Filesize
485B

MD5
d0c86ddea3a737af0e4a3e70e1073417

SHA1
c561981a973e3dc498a638e6df9b37d0f4313980

SHA256
deb7dc252fcb7d9ac85011229415b126e4e3c9d9c03937074a00528e64a82e57

SHA512
0d3bc2ee0ad2ed1b8a74ab3c9f89359c932b7726b2d6c32970d7da0d396a3ccddf69b9d63f4dacad84cad253237982161a6af4ce4712ab9d16a4dd0cd016a2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\587ab5b7-8f3e-44fb-82d0-b8cd99c80c90.vbs

Filesize
708B

MD5
fe173a72a3346ee533eaf322ba00c487

SHA1
b2e76c838f5f3d07fad9620458a65da2cbe93d53

SHA256
9b31cff9d84c33ed304eacad5a94773e7eca95c19c62058fea522759a62e11d3

SHA512
9024858084f1558bf46b172daa410b39cc1b7f79a3286318be2ec834b42165a23f87eba323d9363eeea2081534305f8c14c9a113480d699a2c67f063a1a20e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\6013u8bioA.bat

Filesize
267B

MD5
861915102d4f96a968567ba983373d51

SHA1
be36309c6301134c4ec9fcd2d3f0a817d8a2fac6

SHA256
acdc4432d9741037891d68171017e61b49b710311cad6b86cdc09739b2fddc69

SHA512
1349a7e7e2740237fdc1579117fe3710ab4e9e8b4a79c77fa9d3ef4fd112d483f960857a94662c1b6a88228623bd06279564ebd77fa2ef7de8b9f20e0dbe34b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8408a522-5da6-4532-8a93-6eb6aee9564a.vbs

Filesize
709B

MD5
d8472b67373b42ec088cc4b6f40cc0bd

SHA1
3690208aa16cef2edbeb8a5ecfb6b27d16aa6641

SHA256
700b14e35aa877c83fc83aca768813dfc78bdcedd0780c251bb927050afc4315

SHA512
285f3b34d51ada7f361c261d4676b5f8839769f23ed3f1b0f04f0d60cefec587155c566999ee6c0b2b088ef397aea7fd87005cb7a18f53c0452bdcd172096260

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b3ebada-fc04-4bfa-9c17-948cf849b1bf.vbs

Filesize
709B

MD5
930f2cd5b371e212ce88293b85f6e7cc

SHA1
4c942bfc8edfbbb0fbdf5e6ab34305d27e9f790f

SHA256
da7411d13c57e24705fb3b4863add6d1ed4dc9ed53999f4356c39185d6335a3f

SHA512
ee705a2051952fef0c389ea86e9a0b4446e4dc11b4c8d11114156eb6d301f13247df794415757c497186437a184eb5bedbfce68643287ae681c840b9ffd1131f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c666e71-6584-4734-a165-1ff21599fcf4.vbs

Filesize
709B

MD5
7fd464e4eb67db875403a0d8d1072ab9

SHA1
5531c17beeaac484a02859e3a28e323d56ab2a8b

SHA256
2839aeab41f5073532ee3738d3eb96815546896bcbf83a02ee0ace0b4a6e757d

SHA512
cbdfc25421a99a5f17be96ba410b3092c6abd3857366f902d7220178807bb7ea4ace0b89c087466e991745ab8cd6970f66acbc1218664d63781e0d15b1ba7328

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xk1H8t4K12.bat

Filesize
198B

MD5
0a4fbc14ec2288ffe46341797cb28376

SHA1
695fc2d0b0bd8cf9fa31ced757c40e70dc5cb379

SHA256
5c9e6f9c3c6475d305ed4f4f69972fad5c0b3a09b65487ed3b4602c29951b0c5

SHA512
c7b1ef59f0767d709e72e2cd0143686b8eec110157b09a37c8cedba7243b07831bfa77f4e457e29b245de50a4a4890f1cd18ca5efeb890ce7000659173d69a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_weqqhoxu.rgi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2bc37d5-ba4f-4de4-b546-30a7472b61b4.vbs

Filesize
709B

MD5
4616b3185863ed3c29674cc71b3a081b

SHA1
278bfa0233100c03e72a4e70069b83e5c4c9a862

SHA256
5ab75e7a4d1f55e380fa3e6ffe8ba68ce1c9d1ddab8170d3bf4337f668f10ec4

SHA512
28d0fc788f86578eca24a658cb2bd517c1d26aad6a070e8831296f312fd50b8c5853ac00bb9bcb16892f783859a476f45944e46407abaf756fcd79b8e35820d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd025747-df26-4b7b-ac63-69ca81188c39.vbs

Filesize
709B

MD5
2a75e6366d02e40976b43d51e71b0edf

SHA1
53f658f9c2fed1bede9f99a094b460cc80641fff

SHA256
2bbd333b1a13ceda7ba741461888e4b1dbf367c9aedccd46ddf1a757cbc98fcc

SHA512
5e05f7322a41fbb332a9e84e4b150ed6bca123be3df4a13523292b4e94e4ba51bbf919548d4c68a3e7ae512f022d9224f321c645c6077f2819f63401568eb658

Download Submit
C:\Windows\ImmersiveControlPanel\explorer.exe

Filesize
1.7MB

MD5
5db65a11192d810f31d03d2d065940f0

SHA1
dfba537709585aedd32bffbbbcb1decf3f18c6f4

SHA256
51dd7ae6864491cd377d6d9f3b73f87c588b9fe85cb23d2273aa58b4b1cb2e66

SHA512
b1df8e099c306ef92a0ea0cc6d8709335ddd5bb1dbe04b53e6b1efac5cd699ea261fb18369025a495d3d9aa1210f77f2cbb8931312a4df570bf7e00fd9d609cb

Download Submit
memory/1672-142-0x000002B03BA30000-0x000002B03BA52000-memory.dmp

Filesize
136KB

Download
memory/3552-498-0x000000001C380000-0x000000001C392000-memory.dmp

Filesize
72KB

Download
memory/4264-12-0x000000001B5D0000-0x000000001B5E2000-memory.dmp

Filesize
72KB

Download
memory/4264-3-0x00000000023C0000-0x00000000023DC000-memory.dmp

Filesize
112KB

Download
memory/4264-22-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/4264-23-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/4264-15-0x000000001B710000-0x000000001B71A000-memory.dmp

Filesize
40KB

Download
memory/4264-16-0x000000001B720000-0x000000001B72E000-memory.dmp

Filesize
56KB

Download
memory/4264-19-0x000000001B850000-0x000000001B85C000-memory.dmp

Filesize
48KB

Download
memory/4264-17-0x000000001B730000-0x000000001B738000-memory.dmp

Filesize
32KB

Download
memory/4264-18-0x000000001B840000-0x000000001B84C000-memory.dmp

Filesize
48KB

Download
memory/4264-14-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/4264-1-0x0000000000120000-0x00000000002E0000-memory.dmp

Filesize
1.8MB

Download
memory/4264-121-0x00007FF974D63000-0x00007FF974D65000-memory.dmp

Filesize
8KB

Download
memory/4264-13-0x000000001BB30000-0x000000001C058000-memory.dmp

Filesize
5.2MB

Download
memory/4264-9-0x000000001B560000-0x000000001B56C000-memory.dmp

Filesize
48KB

Download
memory/4264-10-0x000000001B5C0000-0x000000001B5C8000-memory.dmp

Filesize
32KB

Download
memory/4264-8-0x000000001B550000-0x000000001B560000-memory.dmp

Filesize
64KB

Download
memory/4264-7-0x000000001B530000-0x000000001B546000-memory.dmp

Filesize
88KB

Download
memory/4264-6-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/4264-0-0x00007FF974D63000-0x00007FF974D65000-memory.dmp

Filesize
8KB

Download
memory/4264-5-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/4264-4-0x000000001B570000-0x000000001B5C0000-memory.dmp

Filesize
320KB

Download
memory/4264-144-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/4264-2-0x00007FF974D60000-0x00007FF975821000-memory.dmp

Filesize
10.8MB

Download
memory/4932-464-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download