dcrat | 5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383

Analysis

max time kernel
120s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 05:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
Size

1.7MB
MD5

8a0759f7965b2fd0495935ea7ddc0040
SHA1

023336bef59c7ea574d784f201689d63f81045de
SHA256

5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383
SHA512

544222b58f4abce10638aef33670e369caa14749590d0c756b1c48fd9c0dbc4648782b107351982965ddefa23b9a6f1dc6354353bf41c7ecc0903f597f3a8611
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2040	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	2040	schtasks.exe	85

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4044-1-0x0000000000E40000-0x0000000001000000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ccd-30.dat	dcrat
behavioral2/files/0x000a000000023cc2-96.dat	dcrat
behavioral2/files/0x000500000001e748-155.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
4712	powershell.exe
412	powershell.exe
1044	powershell.exe
3344	powershell.exe
2176	powershell.exe
2720	powershell.exe
3624	powershell.exe
4224	powershell.exe
2188	powershell.exe
3888	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 7 IoCs

pid	Process
2992	System.exe
448	System.exe
4448	System.exe
4528	System.exe
1432	System.exe
3636	System.exe
4460	System.exe

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\System.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\wininit.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Multimedia Platform\TextInputHost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXD356.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Media Player\TextInputHost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Media Player\22eafd247d37c3	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\TextInputHost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXCA08.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Adobe\services.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\56085415360792	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\5b884080fd4f94	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RCXBE46.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXC33C.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\TextInputHost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Windows Media Player\5b884080fd4f94	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Portable Devices\22eafd247d37c3	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXC33B.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCXD57B.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Defender\RCXB970.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXC7E2.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXC7F3.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXCEAE.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Defender\System.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Defender\27d1bcfc3c54e0	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\wininit.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXC05A.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXC0D8.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Multimedia Platform\22eafd247d37c3	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Portable Devices\TextInputHost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXBB84.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXCA07.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Media Player\TextInputHost.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXD367.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXCEAF.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Adobe\c5b4cb5e9653cc	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\6203df4a6bafc7	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files\Windows Defender\RCXB95F.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXBB94.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Adobe\services.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\RCXBE16.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCXD58B.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\services.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File created	C:\Windows\fr-FR\c5b4cb5e9653cc	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\fr-FR\RCXD0C4.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\fr-FR\RCXD0C5.tmp	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
File opened for modification	C:\Windows\fr-FR\services.exe	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4820	schtasks.exe
4944	schtasks.exe
1068	schtasks.exe
5080	schtasks.exe
4644	schtasks.exe
2272	schtasks.exe
696	schtasks.exe
2736	schtasks.exe
1008	schtasks.exe
3928	schtasks.exe
5000	schtasks.exe
3440	schtasks.exe
4392	schtasks.exe
3432	schtasks.exe
4880	schtasks.exe
4320	schtasks.exe
1676	schtasks.exe
3888	schtasks.exe
2792	schtasks.exe
4884	schtasks.exe
1948	schtasks.exe
4712	schtasks.exe
3032	schtasks.exe
4216	schtasks.exe
388	schtasks.exe
3644	schtasks.exe
1496	schtasks.exe
3624	schtasks.exe
4576	schtasks.exe
4092	schtasks.exe
2724	schtasks.exe
3628	schtasks.exe
4848	schtasks.exe
2640	schtasks.exe
2436	schtasks.exe
32	schtasks.exe
3024	schtasks.exe
4824	schtasks.exe
8	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
3344	powershell.exe
3344	powershell.exe
3888	powershell.exe
3888	powershell.exe
2084	powershell.exe
2084	powershell.exe
3624	powershell.exe
3624	powershell.exe
2176	powershell.exe
2176	powershell.exe
1044	powershell.exe
1044	powershell.exe
2188	powershell.exe
2188	powershell.exe
412	powershell.exe
412	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	2992	System.exe
Token: SeDebugPrivilege	448	System.exe
Token: SeDebugPrivilege	4448	System.exe
Token: SeDebugPrivilege	4528	System.exe
Token: SeDebugPrivilege	1432	System.exe
Token: SeDebugPrivilege	3636	System.exe
Token: SeDebugPrivilege	4460	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 4224	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	131
PID 4044 wrote to memory of 4224	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	131
PID 4044 wrote to memory of 3624	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	132
PID 4044 wrote to memory of 3624	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	132
PID 4044 wrote to memory of 2720	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	133
PID 4044 wrote to memory of 2720	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	133
PID 4044 wrote to memory of 3888	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	134
PID 4044 wrote to memory of 3888	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	134
PID 4044 wrote to memory of 412	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	135
PID 4044 wrote to memory of 412	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	135
PID 4044 wrote to memory of 4712	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	136
PID 4044 wrote to memory of 4712	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	136
PID 4044 wrote to memory of 2084	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	137
PID 4044 wrote to memory of 2084	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	137
PID 4044 wrote to memory of 2176	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	138
PID 4044 wrote to memory of 2176	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	138
PID 4044 wrote to memory of 2188	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	139
PID 4044 wrote to memory of 2188	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	139
PID 4044 wrote to memory of 3344	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	141
PID 4044 wrote to memory of 3344	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	141
PID 4044 wrote to memory of 1044	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	142
PID 4044 wrote to memory of 1044	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	142
PID 4044 wrote to memory of 2992	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	153
PID 4044 wrote to memory of 2992	4044	5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe	153
PID 2992 wrote to memory of 2932	2992	System.exe	159
PID 2992 wrote to memory of 2932	2992	System.exe	159
PID 2992 wrote to memory of 3948	2992	System.exe	160
PID 2992 wrote to memory of 3948	2992	System.exe	160
PID 2932 wrote to memory of 448	2932	WScript.exe	161
PID 2932 wrote to memory of 448	2932	WScript.exe	161
PID 448 wrote to memory of 4392	448	System.exe	164
PID 448 wrote to memory of 4392	448	System.exe	164
PID 448 wrote to memory of 2176	448	System.exe	165
PID 448 wrote to memory of 2176	448	System.exe	165
PID 4392 wrote to memory of 4448	4392	WScript.exe	168
PID 4392 wrote to memory of 4448	4392	WScript.exe	168
PID 4448 wrote to memory of 2260	4448	System.exe	170
PID 4448 wrote to memory of 2260	4448	System.exe	170
PID 4448 wrote to memory of 100	4448	System.exe	171
PID 4448 wrote to memory of 100	4448	System.exe	171
PID 2260 wrote to memory of 4528	2260	WScript.exe	173
PID 2260 wrote to memory of 4528	2260	WScript.exe	173
PID 4528 wrote to memory of 2816	4528	System.exe	175
PID 4528 wrote to memory of 2816	4528	System.exe	175
PID 4528 wrote to memory of 5020	4528	System.exe	176
PID 4528 wrote to memory of 5020	4528	System.exe	176
PID 2816 wrote to memory of 1432	2816	WScript.exe	178
PID 2816 wrote to memory of 1432	2816	WScript.exe	178
PID 1432 wrote to memory of 1164	1432	System.exe	180
PID 1432 wrote to memory of 1164	1432	System.exe	180
PID 1432 wrote to memory of 2920	1432	System.exe	181
PID 1432 wrote to memory of 2920	1432	System.exe	181
PID 1164 wrote to memory of 3636	1164	WScript.exe	182
PID 1164 wrote to memory of 3636	1164	WScript.exe	182
PID 3636 wrote to memory of 2720	3636	System.exe	184
PID 3636 wrote to memory of 2720	3636	System.exe	184
PID 3636 wrote to memory of 4204	3636	System.exe	185
PID 3636 wrote to memory of 4204	3636	System.exe	185
PID 2720 wrote to memory of 4460	2720	WScript.exe	187
PID 2720 wrote to memory of 4460	2720	WScript.exe	187
PID 4460 wrote to memory of 4608	4460	System.exe	189
PID 4460 wrote to memory of 4608	4460	System.exe	189
PID 4460 wrote to memory of 428	4460	System.exe	190
PID 4460 wrote to memory of 428	4460	System.exe	190

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe
"C:\Users\Admin\AppData\Local\Temp\5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Program Files\Windows Defender\System.exe
  "C:\Program Files\Windows Defender\System.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8ee594b-517e-4fd2-9c0e-bec6d8ae3d1d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Program Files\Windows Defender\System.exe
      "C:\Program Files\Windows Defender\System.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5cf3b28-7fe3-4926-82f1-b3a6ed54af7f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Program Files\Windows Defender\System.exe
        
        "C:\Program Files\Windows Defender\System.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a869d6af-1516-4e63-b671-d8f36e992ded.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Program Files\Windows Defender\System.exe
        
        "C:\Program Files\Windows Defender\System.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6aa9ec7-0553-4268-9253-ee8ed1a2ac6f.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Program Files\Windows Defender\System.exe
        
        "C:\Program Files\Windows Defender\System.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa3b951d-3630-45f1-a4b3-8b9ecbf523c0.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Program Files\Windows Defender\System.exe
        
        "C:\Program Files\Windows Defender\System.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c52968-4774-48b4-a34b-e7ba2e0121fb.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Program Files\Windows Defender\System.exe
        
        "C:\Program Files\Windows Defender\System.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb12a16d-eca0-4f54-a86d-2197482752ce.vbs"
        15⤵
        
        PID:4608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac5bd99a-fddf-4da7-945d-5035ecb97e9e.vbs"
        15⤵
        
        PID:428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5572f1da-2a0b-4939-93fa-98f121ba0fb9.vbs"
        13⤵
        
        PID:4204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2072bbf2-f828-4b13-82dc-5a65a88f392c.vbs"
        11⤵
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf27e883-0e1d-47f3-901b-fd4b937a1c1e.vbs"
        9⤵
        
        PID:5020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df25cf7e-37d1-4eaf-8634-aa8a86e0b637.vbs"
        7⤵
        
        PID:100
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df9e4f3d-b91f-435b-a6df-f4b23dd97031.vbs"
        5⤵
        
        PID:2176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf4dfad8-3c47-47fc-9b70-7ab4ba338647.vbs"
    3⤵
    PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

134.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

134.130.81.91.in-addr.arpa

IN PTR

Response
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

85.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.49.80.91.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response

195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

260 B
200 B
5
5
195.3.223.79:80

System.exe

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

134.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

134.130.81.91.in-addr.arpa
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

85.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

85.49.80.91.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\fontdrvhost.exe

Filesize
1.7MB

MD5
8a0759f7965b2fd0495935ea7ddc0040

SHA1
023336bef59c7ea574d784f201689d63f81045de

SHA256
5789255e0df862f9c51546ab348e1570bf459dc836e0d3b67b493155cf87f383

SHA512
544222b58f4abce10638aef33670e369caa14749590d0c756b1c48fd9c0dbc4648782b107351982965ddefa23b9a6f1dc6354353bf41c7ecc0903f597f3a8611

Download Submit
C:\Program Files (x86)\Windows Portable Devices\csrss.exe

Filesize
1.7MB

MD5
ca9f73881e7864f02a364654caaf374c

SHA1
ec9c42a80ec043788c278eb0838f7fe3488a244f

SHA256
ad51bb26d77b730872a0f27e82552fd61da93eac9df813c322129bb31818a6fb

SHA512
1185865e4857afc2ccb6251076ddc8e82c1cf58de738eb51c2393e7ae6db844b3083dde9303043c35f7837444108076c38df9b58059948682b5d6e6dd7a28e0e

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.7MB

MD5
1d8654bed7918743fc7eef3761f8fa18

SHA1
c5b4b5b720943722c51bd7decdcff135c96371d4

SHA256
d2e1083f8a3dbc628845e0461c4abc8f0a22d9f061f6d979c79d0bcdbc213e9e

SHA512
2db4bc79278198844b23cf1828b09ea1e28aac9ab683abefffa667930310f19b0e8a0b77d8a16cb9212e6f6ed01c98734eb66234538597484da08aaf9f46baef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\52c52968-4774-48b4-a34b-e7ba2e0121fb.vbs

Filesize
720B

MD5
aae7c70964d9fae2ed78e1ba46aae56c

SHA1
ded8c13069b6a0651ebf69bee60eb218d39410ee

SHA256
d49dec627b0d3f4cbbfd1bd21a6f394e51856eccff4423cd2b2dd159a799d833

SHA512
b1becdb62da636689e3e7cca787b9a347db13616bb6edd7a8572351fc5f00132ebe7e4b57507977d3a9e235d7b04cea1ed6ec1d5fc1a1558d700c31f302e5b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdrdtzxj.qr5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a869d6af-1516-4e63-b671-d8f36e992ded.vbs

Filesize
720B

MD5
20237093d3ea9cc3be1aac99069568d5

SHA1
dd4a11577b0aea13562ef386f1dd8303b74ca000

SHA256
e6b310690fc8501024209b1597534479ec4c7ec888d43e243633c7ecff0aa8c4

SHA512
badc3d7ce6b970e3537059ead4a5eb7a7f50a6a2dffe3a5dcb91783ebfa1e1771a99a0dfc7d815e69caa0ace5b789e510c71c2b3cb72f36dc2bde0bbb94f0b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8ee594b-517e-4fd2-9c0e-bec6d8ae3d1d.vbs

Filesize
720B

MD5
a27b81401dc7eae1ab5c6b00e42c65af

SHA1
acb1ba8ecc24d00d6a71cabf526e5f4e29170ee7

SHA256
91ef2924f05cf67c066c115cea3a5837220549aecec98b4e45b99fd271211708

SHA512
445d51769c8e15a4f8122b7b662df37dc77d52ba853d78cf96f51599b0ad4ed69a8cbb2b8d27b777d5404264993aa32dd45bb886cc63dd4964bb720d6c01a2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6aa9ec7-0553-4268-9253-ee8ed1a2ac6f.vbs

Filesize
720B

MD5
f12742f64f1561262fc7e5a4ff61988b

SHA1
14a8020f77683e70d117e90685903701ae1976f0

SHA256
f39d41a5f609516710b59d4d9d7cffbafa6b1ef96bca5b99e4df635f06ce886b

SHA512
e8ab1c846bc4237f1bcd84fd9f5391875a2462e322bc3e29910bc7806fa6d692845582d0d12b9962e53a334789517682985687524a8ca5f9cbdb98a3c77d21bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb12a16d-eca0-4f54-a86d-2197482752ce.vbs

Filesize
720B

MD5
8d6843ed711ae25949f804cbe55745be

SHA1
7e77dbce556992cc4bce5b9f916bb2fdf5db7daa

SHA256
4795d4efad4fbd12cde43fd5f837135244b8700d1b4ddae25556458ef53efb6d

SHA512
9c0466444d3b0ad940e4ddeb2cb6d7aba97b914c4646d38abc7735742a7ef14e2c2a2416bba84c7506e274f0b02e705ad94528551dcffa26a5e279373ea4c96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf4dfad8-3c47-47fc-9b70-7ab4ba338647.vbs

Filesize
496B

MD5
3e65bb094379290aa309d72263c088f6

SHA1
8255bf70e8a3829848537ccb389c2bc958e7fcb1

SHA256
953233a092660c4ff76c6cd77e5d8e4e7013df3e206e57dd4a9633a732124afe

SHA512
ba395ad457f0b7cf2c8b78b7a1191323541af6488ca711fb5a52e18e817ea0d1bc48c7d5e9d66f39571e8e40542bb28b82798c82cf9fba97d24be00be32214e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5cf3b28-7fe3-4926-82f1-b3a6ed54af7f.vbs

Filesize
719B

MD5
cf87d8b355a994ae6ba89c97977e41a2

SHA1
8bea049f1c7d448cd00d91d5f3168f44049e31bb

SHA256
dcc88a921ecac551a608351203c85a7a9f287cd1860498942ff552d7f71806da

SHA512
17451f64c92f159b3a66bdfa92fccf1e084d1c646f87b92174403683858552dae446a362ff1c0f805204616d75ea0aab31681ca3f675b148e2dda3e174642334

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa3b951d-3630-45f1-a4b3-8b9ecbf523c0.vbs

Filesize
720B

MD5
2b3a7c29e373003d5ef0a7b55da2cc3d

SHA1
2ec7dd12a6aa031f4ac92961cab423d2b8d6a614

SHA256
cce05d20b8aa538914596526d9f3e30b77744239b2825e1d7deb8f44fdd2ec98

SHA512
741f097a6922ccc5c1464254493237c8f0f99af4463935a18bb9166882f0f10564a5bf1fa6302f7ee5d72cafb263dda17b16ac14d511443a24b329b0fad46972

Download Submit
memory/1432-436-0x000000001C240000-0x000000001C252000-memory.dmp

Filesize
72KB

Download
memory/2992-399-0x000000001CC40000-0x000000001CD42000-memory.dmp

Filesize
1.0MB

Download
memory/3888-256-0x00000281EDAF0000-0x00000281EDB12000-memory.dmp

Filesize
136KB

Download
memory/4044-14-0x000000001BC00000-0x000000001BC0C000-memory.dmp

Filesize
48KB

Download
memory/4044-9-0x0000000003280000-0x000000000328C000-memory.dmp

Filesize
48KB

Download
memory/4044-3-0x0000000003100000-0x000000000311C000-memory.dmp

Filesize
112KB

Download
memory/4044-170-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-206-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-17-0x000000001BC40000-0x000000001BC48000-memory.dmp

Filesize
32KB

Download
memory/4044-4-0x000000001BB80000-0x000000001BBD0000-memory.dmp

Filesize
320KB

Download
memory/4044-367-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-10-0x0000000003290000-0x0000000003298000-memory.dmp

Filesize
32KB

Download
memory/4044-12-0x000000001BBD0000-0x000000001BBE2000-memory.dmp

Filesize
72KB

Download
memory/4044-5-0x0000000003120000-0x0000000003128000-memory.dmp

Filesize
32KB

Download
memory/4044-7-0x0000000003250000-0x0000000003266000-memory.dmp

Filesize
88KB

Download
memory/4044-8-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/4044-146-0x00007FF976223000-0x00007FF976225000-memory.dmp

Filesize
8KB

Download
memory/4044-0-0x00007FF976223000-0x00007FF976225000-memory.dmp

Filesize
8KB

Download
memory/4044-18-0x000000001BC70000-0x000000001BC7C000-memory.dmp

Filesize
48KB

Download
memory/4044-23-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-6-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/4044-22-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-2-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-19-0x000000001BC50000-0x000000001BC5C000-memory.dmp

Filesize
48KB

Download
memory/4044-13-0x000000001C950000-0x000000001CE78000-memory.dmp

Filesize
5.2MB

Download
memory/4044-15-0x000000001BC20000-0x000000001BC2A000-memory.dmp

Filesize
40KB

Download
memory/4044-16-0x000000001BC30000-0x000000001BC3E000-memory.dmp

Filesize
56KB

Download
memory/4044-1-0x0000000000E40000-0x0000000001000000-memory.dmp

Filesize
1.8MB

Download
memory/4460-459-0x00000000033B0000-0x00000000033C2000-memory.dmp

Filesize
72KB

Download
memory/4528-424-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.