dcrat | 4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Size

1.8MB
MD5

472159211357c43b60e083a07fec35d6
SHA1

b62f28c445da343e5f05b063b15ffa44cbce671b
SHA256

4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27
SHA512

84acc61cb6e229bac8bad89c53c7f02473acfecdef5a73fe307982b8a1bbded500a3a545b199a9e64101b973bf5fe0ecdf02f83f05b09bab2be4f503d972e4bf
SSDEEP

49152:XWqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfhV:pKKZ1sRD2Q3N5MT4rQ

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	3840	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3840	schtasks.exe	82

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1668-1-0x0000000000050000-0x000000000021C000-memory.dmp	dcrat
behavioral2/files/0x000a000000023ba7-32.dat	dcrat
behavioral2/files/0x000c000000023b90-120.dat	dcrat
behavioral2/files/0x000e000000023ba7-141.dat	dcrat
behavioral2/files/0x000c000000023bc4-166.dat	dcrat
behavioral2/files/0x000b000000023bfb-191.dat	dcrat
behavioral2/files/0x0009000000023c22-201.dat	dcrat
behavioral2/files/0x000f000000023c68-250.dat	dcrat
behavioral2/memory/5320-508-0x00000000007C0000-0x000000000098C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe
2804	powershell.exe
4132	powershell.exe
4784	powershell.exe
4404	powershell.exe
1392	powershell.exe
2348	powershell.exe
216	powershell.exe
2636	powershell.exe
4048	powershell.exe
1816	powershell.exe
1440	powershell.exe
4620	powershell.exe
2756	powershell.exe
2540	powershell.exe
2304	powershell.exe
3624	powershell.exe
3636	powershell.exe
5024	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 1 IoCs

pid	Process
5320	SearchApp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\fr-FR\Registry.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Google\RCX8908.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files\Windows Multimedia Platform\spoolsv.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\0a1fd5f707cd16	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Google\RCX8909.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX949C.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Google\TextInputHost.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Common Files\Oracle\38384e6a620884	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCXB0B8.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXA2F0.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCXB0B7.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Google\22eafd247d37c3	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\RCX96B0.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXA272.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXAE35.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Google\TextInputHost.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX949B.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXAE34.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\Registry.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\RCX972E.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ee2ad38f3d4382	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files\Windows Multimedia Platform\f3b6ecef712a24	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\spoolsv.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\MusNotification.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Windows\Web\dllhost.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\it-IT\sppsvc.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\Web\RCXA572.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Windows\it-IT\0a1fd5f707cd16	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Windows\Migration\WTR\ee2ad38f3d4382	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Windows\Web\5940a34987c991	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\Migration\WTR\RCX8B2E.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\it-IT\RCX8D61.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX9BB7.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Windows\Migration\WTR\Registry.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\Migration\WTR\Registry.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\Web\dllhost.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Windows\DigitalLocker\en-US\aa97147c4c782d	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\Migration\WTR\RCX8B1D.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\it-IT\RCX8D72.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX9B48.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\MusNotification.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File opened for modification	C:\Windows\Web\RCXA573.tmp	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
File created	C:\Windows\it-IT\sppsvc.exe	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2256	schtasks.exe
4740	schtasks.exe
4620	schtasks.exe
4904	schtasks.exe
2928	schtasks.exe
1952	schtasks.exe
3088	schtasks.exe
2020	schtasks.exe
668	schtasks.exe
2636	schtasks.exe
2628	schtasks.exe
1648	schtasks.exe
1556	schtasks.exe
3408	schtasks.exe
4212	schtasks.exe
1340	schtasks.exe
1676	schtasks.exe
3240	schtasks.exe
4184	schtasks.exe
2060	schtasks.exe
640	schtasks.exe
4056	schtasks.exe
5072	schtasks.exe
3624	schtasks.exe
4004	schtasks.exe
4220	schtasks.exe
2632	schtasks.exe
2420	schtasks.exe
452	schtasks.exe
4420	schtasks.exe
716	schtasks.exe
2128	schtasks.exe
3332	schtasks.exe
2700	schtasks.exe
4020	schtasks.exe
1452	schtasks.exe
1820	schtasks.exe
3256	schtasks.exe
5024	schtasks.exe
876	schtasks.exe
628	schtasks.exe
1724	schtasks.exe
1476	schtasks.exe
4732	schtasks.exe
3636	schtasks.exe
216	schtasks.exe
3576	schtasks.exe
3644	schtasks.exe
4840	schtasks.exe
4236	schtasks.exe
4660	schtasks.exe
3296	schtasks.exe
2800	schtasks.exe
4772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	5320	SearchApp.exe
Token: SeBackupPrivilege	2300	vssvc.exe
Token: SeRestorePrivilege	2300	vssvc.exe
Token: SeAuditPrivilege	2300	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1392	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	140
PID 1668 wrote to memory of 1392	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	140
PID 1668 wrote to memory of 2848	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	141
PID 1668 wrote to memory of 2848	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	141
PID 1668 wrote to memory of 1440	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	142
PID 1668 wrote to memory of 1440	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	142
PID 1668 wrote to memory of 4620	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	143
PID 1668 wrote to memory of 4620	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	143
PID 1668 wrote to memory of 2804	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	144
PID 1668 wrote to memory of 2804	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	144
PID 1668 wrote to memory of 2348	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	145
PID 1668 wrote to memory of 2348	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	145
PID 1668 wrote to memory of 5024	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	146
PID 1668 wrote to memory of 5024	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	146
PID 1668 wrote to memory of 2304	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	147
PID 1668 wrote to memory of 2304	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	147
PID 1668 wrote to memory of 4784	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	148
PID 1668 wrote to memory of 4784	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	148
PID 1668 wrote to memory of 2540	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	149
PID 1668 wrote to memory of 2540	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	149
PID 1668 wrote to memory of 2756	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	150
PID 1668 wrote to memory of 2756	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	150
PID 1668 wrote to memory of 4132	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	151
PID 1668 wrote to memory of 4132	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	151
PID 1668 wrote to memory of 4404	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	152
PID 1668 wrote to memory of 4404	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	152
PID 1668 wrote to memory of 3636	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	154
PID 1668 wrote to memory of 3636	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	154
PID 1668 wrote to memory of 3624	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	155
PID 1668 wrote to memory of 3624	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	155
PID 1668 wrote to memory of 1816	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	157
PID 1668 wrote to memory of 1816	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	157
PID 1668 wrote to memory of 4048	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	158
PID 1668 wrote to memory of 4048	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	158
PID 1668 wrote to memory of 2636	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	160
PID 1668 wrote to memory of 2636	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	160
PID 1668 wrote to memory of 216	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	162
PID 1668 wrote to memory of 216	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	162
PID 1668 wrote to memory of 5320	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	178
PID 1668 wrote to memory of 5320	1668	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe	178
PID 5320 wrote to memory of 3196	5320	SearchApp.exe	180
PID 5320 wrote to memory of 3196	5320	SearchApp.exe	180
PID 5320 wrote to memory of 2592	5320	SearchApp.exe	181
PID 5320 wrote to memory of 2592	5320	SearchApp.exe	181
PID 5320 wrote to memory of 4548	5320	SearchApp.exe	189
PID 5320 wrote to memory of 4548	5320	SearchApp.exe	189
PID 4548 wrote to memory of 5460	4548	msedge.exe	190
PID 4548 wrote to memory of 5460	4548	msedge.exe	190
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191
PID 4548 wrote to memory of 4288	4548	msedge.exe	191

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe
"C:\Users\Admin\AppData\Local\Temp\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\MusNotification.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe
  "C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5320
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d4f4f70-24c5-4083-8e38-a89c1f1ae35f.vbs"
    3⤵
    PID:3196
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1903534b-8ed0-441e-9f77-aa234ffce5b7.vbs"
    3⤵
    PID:2592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13347/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8253446f8,0x7ff825344708,0x7ff825344718
      4⤵
      PID:5460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:4288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      PID:3056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
      4⤵
      PID:3204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:4608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
      4⤵
      PID:4100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
      4⤵
      PID:2664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
      4⤵
      PID:5816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
      4⤵
      PID:1968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
      4⤵
      PID:4160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
      4⤵
      PID:2820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
      4⤵
      PID:1548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
      4⤵
      PID:1844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1900201925935144205,3833607865446793296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
      4⤵
      PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d274" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27" /sc ONLOGON /tr "'C:\Users\Public\Desktop\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d274" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\en-US\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\en-US\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4924

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Oracle\SearchApp.exe

Filesize
1.8MB

MD5
33e8031f0af097e23b62597c538eab47

SHA1
60f8c6436534b1c31b4c48a00899006e686235ac

SHA256
b425da8c0a118a0de4d982769b9c37cdc04d3a300b157ff30164f560e0e7f3fa

SHA512
e8eac48f7539187df5d9f54256db486e273ab319b89ce472408b9cf70231089c8666f94d9a647c650bfe4326a69ea650a3aeced0ab753d42ffd09bd281d21422

Download Submit
C:\Program Files\Windows Multimedia Platform\RCXA2F0.tmp

Filesize
1.8MB

MD5
c2bbd34fc7470a221d6402f03613bf6e

SHA1
be4d8b36f94d9e36c628299a1c0862cf9d794414

SHA256
e4e3f8060a5b5e23e502bd2504fbb128d8f6a19c6b2a668c09820abb10febb3c

SHA512
461f1d74fc537ba4c4d068ff46a3825a8aa984987226fb4e2aa15637f3af6c285c7190325bccd313e23b2083d9a42a955adf0e38857ebd755a9241840c9b54ee

Download Submit
C:\Recovery\WindowsRE\System.exe

Filesize
1.8MB

MD5
496dccafea93a8f9a2448285f6afdc74

SHA1
ab6d290699e87f2317e7ab0ba6f180fdbaf91d72

SHA256
0906b7ca25e0f6bce7981b7c1e141768bd7d3c562d3a1c3c4872ad7f6d7cbabe

SHA512
6cb87d6309cfd1a721218605b15e0a50c0e7266adf596e3b495d234a20d2f9de6b06c71835e70d8fe642c7e9fdeb17647b4702fd1c17baf8dfaf8fa58e430d75

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.8MB

MD5
baa5549498906f6ce9d0a74bca3cbb0e

SHA1
bb56a06b85cb96b3acbe0ef65f8d8cb3c840cb43

SHA256
bdf6492e71b24906e96c0a59d948262c3b817ead3b2de5ccade6f179f2f5d8bb

SHA512
c84bdd1ed28cd60367c0234f9986a202d773a2b77ff64eb971d4d70f1855e49d2335b26b2a304fbf4f190c8200a4607863dda2ffacfcef9e7851ddec75b4a8f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\96a61112-e14a-4bf5-8fc2-69b7475695d4.tmp

Filesize
10KB

MD5
be8223a7566843c3e18e3bbf1665bfc3

SHA1
f7fce2acec2dc08eb5a62a616ec8af9af751fc79

SHA256
79857eab56fd3213d0e52b780db87086fc51abcc920c2ca106bc951ea10f92bf

SHA512
2c705f74f521d2f71d522472f52cf65a7b5edf427603f271f1addd41440b692c6861f495957cf7bc210965f855fe21ed364737a0a384b851d644cf2cbcb866b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8676f3d8d17e5ed2d835dea11ce01a8b

SHA1
3065d08d04e0dbdfacbb02b9007d5bf4a3177311

SHA256
ef40a1cebeb98433711be46c2b6954abed03e805cf31c2fa7aad4c5baec9bb3d

SHA512
2d1e3c3479d796ca6bd6ed619303ead81ed491ddd8154132d7c0f3fddd68189ad8d615553d17127c0e7dd698a036de6e0aeebec94f21e6ed7b31201d4f413727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccf1389ebf2f709df01b2fea20e4961e

SHA1
e7b4b222abd4f57dbfc0319363d66d204bedbda4

SHA256
7ca70f63992b18b9c88036817f35a9904fbfe0dfe5b084197a53fe0d71311c41

SHA512
cbd39d045df2a7dc84c81937ece0d42dc6ed94b71b510a841dcd4ee001e3a37cf7c26a8c4f2587687b43410967f1064d537aa3731713586163b83021e253c303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
923b7b3a736e807a6b67bd7c96c6465a

SHA1
abb134ba2da87c0975bb1ba8472dbf19efa2b56c

SHA256
5859563ea8dded88a020eff055122949b6f9728cf313cf16c4a53ce61785fe9b

SHA512
f0308a82be6a33d8a6e45587307c1a6d09d79caea3c4a51d212aa0c94b66f90d978ec914bc0e1e04749340fd5b47966fca875aec880a74da06c8335656385e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7d7fe48e3a553c9414ab5d6a647d92ee

SHA1
f5ff2f853b326cb9e397971884df5da1998d30c6

SHA256
5f67bcbd540109ba1fb1670c4677b314542967f44917985cc58f727f599ef5bb

SHA512
b784bfdf0454b105abcdb55cf45afbd08ade5db1a52479e61e3cb2dec76b48d8d9c4765fc5ab29c9ad5b9d971a3a3b14736b4707391ab8f9343e161a54d3bfc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Temp\1903534b-8ed0-441e-9f77-aa234ffce5b7.vbs

Filesize
508B

MD5
6462e0c711b31b9ce7f885237716adc1

SHA1
38b17cb1d3a9d46e4e47882d26dea7b04b974564

SHA256
e8ee36587599529c7ec7194f719a57d183e9bcca73ded1188aad252a7ea97ed7

SHA512
83ccc615c618d7fdfabd72ab2caed3dd66bc0fc1be1ec9b8227bf344679ba613d18d6cfdbc4f39ac347d58f734a0dba2d694ed8a20d1fe7174c4127a2b70ec5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d4f4f70-24c5-4083-8e38-a89c1f1ae35f.vbs

Filesize
732B

MD5
8c35a4dfb5207e2311732999eb982be0

SHA1
44a6cb1cdf54c0c0165e9b9a1420d178cd474654

SHA256
e41dd6bf31f3d1a0c1867ad5a553063f9291f0d143edcfcf07937253c302e322

SHA512
cd010e920bc6e2692c1c0bb4d673b9fb8ec5a6595d27bc67ab2b5e26fdcc327d3000a84336ff12bd52b594b3d229c562c37e3f606bbe76ce0ceaf11f20527847

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t21n43fp.tk5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\AccountPictures\SearchApp.exe

Filesize
1.8MB

MD5
472159211357c43b60e083a07fec35d6

SHA1
b62f28c445da343e5f05b063b15ffa44cbce671b

SHA256
4325386ee801c1abeb0d6c544c7a0cbe3b1cba6ed5e20fefb151914bbbde2d27

SHA512
84acc61cb6e229bac8bad89c53c7f02473acfecdef5a73fe307982b8a1bbded500a3a545b199a9e64101b973bf5fe0ecdf02f83f05b09bab2be4f503d972e4bf

Download Submit
C:\Users\Public\AccountPictures\SearchApp.exe

Filesize
1.8MB

MD5
04fee8aaffd99c8dd07adcc1da82677d

SHA1
a653a2a96a870fb2c94ae476319cc84eeb38aaf1

SHA256
7ef143061ebb0d2005ba0bda3a6672af8f0801f02fe88b2ab4fc788eb11fc673

SHA512
ae672fa703af71806e837e246b7e50a4d51bc332e571854356c87a15822576487a12891220c9cfb728546924e46e5a72790f857bbfb397b7d2ab599e7a2f678a

Download Submit
C:\Windows\DigitalLocker\en-US\MusNotification.exe

Filesize
1.8MB

MD5
f41cda6f0ebfe4722843549b3ca9ca23

SHA1
4992e83d15e37048d46d955a3bf696a29e728f11

SHA256
ccc946fd00cde365a0c3bcb07f3d33c0f91afbd2873628ee61fff5d5807c1a60

SHA512
8060389ac6ea9f3f69ba1b273c81828beea9b94fd78ad8127ffba1ed51a03e1317bfae72ff89b3c1cc86f4e8545eeb5ad5d4031d70a036bb2f169be6564e2076

Download Submit
memory/1668-169-0x00007FF82BE53000-0x00007FF82BE55000-memory.dmp

Filesize
8KB

Download
memory/1668-7-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/1668-204-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/1668-229-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/1668-14-0x0000000002660000-0x000000000266C000-memory.dmp

Filesize
48KB

Download
memory/1668-21-0x00000000026D0000-0x00000000026DC000-memory.dmp

Filesize
48KB

Download
memory/1668-1-0x0000000000050000-0x000000000021C000-memory.dmp

Filesize
1.8MB

Download
memory/1668-2-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/1668-509-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/1668-12-0x0000000002640000-0x000000000264C000-memory.dmp

Filesize
48KB

Download
memory/1668-13-0x0000000002650000-0x000000000265C000-memory.dmp

Filesize
48KB

Download
memory/1668-11-0x0000000002630000-0x000000000263C000-memory.dmp

Filesize
48KB

Download
memory/1668-10-0x00000000024B0000-0x00000000024BC000-memory.dmp

Filesize
48KB

Download
memory/1668-5-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/1668-0-0x00007FF82BE53000-0x00007FF82BE55000-memory.dmp

Filesize
8KB

Download
memory/1668-20-0x00000000026C0000-0x00000000026CC000-memory.dmp

Filesize
48KB

Download
memory/1668-170-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/1668-19-0x00000000026B0000-0x00000000026B8000-memory.dmp

Filesize
32KB

Download
memory/1668-18-0x00000000026A0000-0x00000000026AE000-memory.dmp

Filesize
56KB

Download
memory/1668-25-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/1668-24-0x00007FF82BE50000-0x00007FF82C911000-memory.dmp

Filesize
10.8MB

Download
memory/1668-15-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1668-16-0x0000000002670000-0x000000000267C000-memory.dmp

Filesize
48KB

Download
memory/1668-17-0x0000000002680000-0x000000000268A000-memory.dmp

Filesize
40KB

Download
memory/1668-9-0x00000000024A0000-0x00000000024AA000-memory.dmp

Filesize
40KB

Download
memory/1668-8-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1668-6-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/1668-4-0x00000000024C0000-0x0000000002510000-memory.dmp

Filesize
320KB

Download
memory/1668-3-0x0000000002450000-0x000000000246C000-memory.dmp

Filesize
112KB

Download
memory/2756-330-0x000002009D4F0000-0x000002009D512000-memory.dmp

Filesize
136KB

Download
memory/5320-508-0x00000000007C0000-0x000000000098C000-memory.dmp

Filesize
1.8MB

Download