dcrat | dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969

Analysis

max time kernel
119s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
Size

1.7MB
MD5

5c23172320d7107e9c3dfd6d6f0abbd0
SHA1

97b7676138ca777520ca12a35eb63d71ca7953e6
SHA256

dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969
SHA512

a049b7045ddd94269fa367b4ebe533097376f4ec4ceccaa00c5a9d641bd145bee72ad3e1ed52e99425a8de1ac0f36314a38957cf397e20205607af88153ada80
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3988	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	3988	schtasks.exe	83

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3004-1-0x0000000000E80000-0x0000000001040000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c7f-30.dat	dcrat
behavioral2/files/0x0009000000023c73-105.dat	dcrat
behavioral2/files/0x000a000000023c7c-129.dat	dcrat
behavioral2/files/0x000c000000023c81-176.dat	dcrat
behavioral2/files/0x000a000000023c8d-194.dat	dcrat
behavioral2/files/0x000d000000023c8d-223.dat	dcrat
behavioral2/files/0x000b000000023c93-229.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2916	powershell.exe
3480	powershell.exe
3056	powershell.exe
536	powershell.exe
3948	powershell.exe
4100	powershell.exe
216	powershell.exe
1412	powershell.exe
2468	powershell.exe
1180	powershell.exe
2732	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Idle.exe

Executes dropped EXE 8 IoCs

pid	Process
2288	Idle.exe
1192	Idle.exe
3632	Idle.exe
4352	Idle.exe
1488	Idle.exe
1068	Idle.exe
4880	Idle.exe
920	Idle.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files\Crashpad\reports\55b276f4edf653	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\6cb0b6c459d5d3	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXBBE9.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXCF03.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXBBE8.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXB760.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXCF04.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXB711.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXD118.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6203df4a6bafc7	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXBE7B.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\RCXC4E8.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\RCXC4E9.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\dwm.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6ccacd8608530f	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXBDFD.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXD196.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\Microsoft.NET\9e8d7a4ca61bd9	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\dwm.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-rascmdial_31bf3856ad364e35_10.0.19041.1_none_93ecd32229175e66\fontdrvhost.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4852	schtasks.exe
1584	schtasks.exe
2284	schtasks.exe
3532	schtasks.exe
1512	schtasks.exe
404	schtasks.exe
4164	schtasks.exe
5028	schtasks.exe
1652	schtasks.exe
4756	schtasks.exe
3164	schtasks.exe
4452	schtasks.exe
4636	schtasks.exe
220	schtasks.exe
3308	schtasks.exe
3240	schtasks.exe
2260	schtasks.exe
3128	schtasks.exe
216	schtasks.exe
4532	schtasks.exe
4472	schtasks.exe
3896	schtasks.exe
1168	schtasks.exe
4844	schtasks.exe
3316	schtasks.exe
5068	schtasks.exe
2468	schtasks.exe
468	schtasks.exe
4104	schtasks.exe
3512	schtasks.exe
4264	schtasks.exe
3020	schtasks.exe
4680	schtasks.exe
2732	schtasks.exe
1696	schtasks.exe
4580	schtasks.exe
2276	schtasks.exe
4556	schtasks.exe
1928	schtasks.exe
3904	schtasks.exe
2840	schtasks.exe
1008	schtasks.exe
1976	schtasks.exe
3776	schtasks.exe
1924	schtasks.exe
1476	schtasks.exe
1040	schtasks.exe
3300	schtasks.exe
5076	schtasks.exe
736	schtasks.exe
708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2288	Idle.exe
Token: SeDebugPrivilege	1192	Idle.exe
Token: SeDebugPrivilege	3632	Idle.exe
Token: SeDebugPrivilege	4352	Idle.exe
Token: SeDebugPrivilege	1488	Idle.exe
Token: SeDebugPrivilege	1068	Idle.exe
Token: SeDebugPrivilege	4880	Idle.exe
Token: SeDebugPrivilege	920	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2468	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	135
PID 3004 wrote to memory of 2468	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	135
PID 3004 wrote to memory of 1180	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	136
PID 3004 wrote to memory of 1180	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	136
PID 3004 wrote to memory of 216	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	137
PID 3004 wrote to memory of 216	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	137
PID 3004 wrote to memory of 4100	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	138
PID 3004 wrote to memory of 4100	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	138
PID 3004 wrote to memory of 2732	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	139
PID 3004 wrote to memory of 2732	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	139
PID 3004 wrote to memory of 536	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	140
PID 3004 wrote to memory of 536	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	140
PID 3004 wrote to memory of 3948	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	142
PID 3004 wrote to memory of 3948	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	142
PID 3004 wrote to memory of 2916	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	143
PID 3004 wrote to memory of 2916	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	143
PID 3004 wrote to memory of 1412	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	144
PID 3004 wrote to memory of 1412	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	144
PID 3004 wrote to memory of 3480	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	145
PID 3004 wrote to memory of 3480	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	145
PID 3004 wrote to memory of 3056	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	146
PID 3004 wrote to memory of 3056	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	146
PID 3004 wrote to memory of 4164	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	156
PID 3004 wrote to memory of 4164	3004	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	156
PID 4164 wrote to memory of 4636	4164	cmd.exe	159
PID 4164 wrote to memory of 4636	4164	cmd.exe	159
PID 4164 wrote to memory of 2288	4164	cmd.exe	166
PID 4164 wrote to memory of 2288	4164	cmd.exe	166
PID 2288 wrote to memory of 4740	2288	Idle.exe	170
PID 2288 wrote to memory of 4740	2288	Idle.exe	170
PID 2288 wrote to memory of 4564	2288	Idle.exe	171
PID 2288 wrote to memory of 4564	2288	Idle.exe	171
PID 4740 wrote to memory of 1192	4740	WScript.exe	179
PID 4740 wrote to memory of 1192	4740	WScript.exe	179
PID 1192 wrote to memory of 3764	1192	Idle.exe	181
PID 1192 wrote to memory of 3764	1192	Idle.exe	181
PID 1192 wrote to memory of 4264	1192	Idle.exe	182
PID 1192 wrote to memory of 4264	1192	Idle.exe	182
PID 3764 wrote to memory of 3632	3764	WScript.exe	183
PID 3764 wrote to memory of 3632	3764	WScript.exe	183
PID 3632 wrote to memory of 4328	3632	Idle.exe	185
PID 3632 wrote to memory of 4328	3632	Idle.exe	185
PID 3632 wrote to memory of 2712	3632	Idle.exe	186
PID 3632 wrote to memory of 2712	3632	Idle.exe	186
PID 4328 wrote to memory of 4352	4328	WScript.exe	188
PID 4328 wrote to memory of 4352	4328	WScript.exe	188
PID 4352 wrote to memory of 4920	4352	Idle.exe	191
PID 4352 wrote to memory of 4920	4352	Idle.exe	191
PID 4352 wrote to memory of 2244	4352	Idle.exe	192
PID 4352 wrote to memory of 2244	4352	Idle.exe	192
PID 4920 wrote to memory of 1488	4920	WScript.exe	193
PID 4920 wrote to memory of 1488	4920	WScript.exe	193
PID 1488 wrote to memory of 1944	1488	Idle.exe	195
PID 1488 wrote to memory of 1944	1488	Idle.exe	195
PID 1488 wrote to memory of 4960	1488	Idle.exe	196
PID 1488 wrote to memory of 4960	1488	Idle.exe	196
PID 1944 wrote to memory of 1068	1944	WScript.exe	198
PID 1944 wrote to memory of 1068	1944	WScript.exe	198
PID 1068 wrote to memory of 1504	1068	Idle.exe	200
PID 1068 wrote to memory of 1504	1068	Idle.exe	200
PID 1068 wrote to memory of 4476	1068	Idle.exe	201
PID 1068 wrote to memory of 4476	1068	Idle.exe	201
PID 1504 wrote to memory of 4880	1504	WScript.exe	202
PID 1504 wrote to memory of 4880	1504	WScript.exe	202

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
"C:\Users\Admin\AppData\Local\Temp\dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ncnsocFEBw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4636
- - C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe
    "C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9290b297-8049-4900-af10-55f1ef9ef87f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9338aae-bab1-48f1-90c3-a22b1b13cf06.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f9c1910-b566-49af-8d9b-f49b5964ea69.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38ede4ca-1455-4414-a469-c01bb5b2dbed.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8c25d0e-9b2b-425d-b9d3-f881db74b4b9.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e7c52c0-96af-4078-b33c-76a3764064f9.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\279806df-0674-4799-a234-57528c9903dc.vbs"
        16⤵
        
        PID:4092
        
        C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\def19d2a-48f5-4b9c-ac02-88b38b8e86d4.vbs"
        18⤵
        
        PID:5064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\289ca900-9f39-49c0-b247-f624099367e4.vbs"
        18⤵
        
        PID:4104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8357c9e0-2662-416e-8c6d-4f0e617f07d3.vbs"
        16⤵
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\700bc61b-1599-47b6-9553-84448b510ecc.vbs"
        14⤵
        
        PID:4476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6725a6b-21ac-4d41-b8ed-d52b8503c5c7.vbs"
        12⤵
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9a432e2-95e1-4449-a01a-cad1a2dc7a4e.vbs"
        10⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fa706ef-26c2-427f-ba08-5c8b9632ac5c.vbs"
        8⤵
        
        PID:2712
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11d69c02-33c4-4ef6-84b6-92eb5d81d521.vbs"
        6⤵
        
        PID:4264
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42072c7f-85a7-415c-9b11-7d85923f1bed.vbs"
      4⤵
      PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\reports\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969Nd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N" /sc ONLOGON /tr "'C:\Users\Default\dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969Nd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe

Filesize
1.7MB

MD5
5162e1b0e8498aa7bd07537947c096cf

SHA1
a4efcf6b052068a890af23c16ec53444fd83c7d3

SHA256
26fb4b506cbba58951880a78e622e473a862e41f1c5e9f99f6ee20860c928d10

SHA512
7553f23293771a22938e6733bb10c35fbce685f57378b946ccc5db4084958bac682fe6090a7244ac76f0097e8b9cfdd5e9776e775915e6b996eb50b2cd15a1d0

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe

Filesize
1.7MB

MD5
5c23172320d7107e9c3dfd6d6f0abbd0

SHA1
97b7676138ca777520ca12a35eb63d71ca7953e6

SHA256
dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969

SHA512
a049b7045ddd94269fa367b4ebe533097376f4ec4ceccaa00c5a9d641bd145bee72ad3e1ed52e99425a8de1ac0f36314a38957cf397e20205607af88153ada80

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe

Filesize
1.7MB

MD5
ae7ea5c54b6a07c1937a363fb7837547

SHA1
5cfc9b8c4f09295a8c4c72d7b600275cafdcb0b3

SHA256
051e3db0bf8c3dfb400bbd32e2f33ca72aebd7690e5e3bc160e7701d30f2d931

SHA512
c6d81bb6f3716d96f43ac3848121fcc4b715910fe9520981ee26fe235c4e40aedf91f65298d493eab2336bfcc3202904e01ef8e34d85ba723126b499049e43b1

Download Submit
C:\Recovery\WindowsRE\RCXCCED.tmp

Filesize
1.7MB

MD5
3375aa65283c802527f81cf7d386842f

SHA1
9c80386ecb15a767fa1d5421318965ea008fcdd2

SHA256
3805beacd72004b4a858a0b4c8f7c1e6e3345c109f4595b6b537f845f7864c4d

SHA512
dff02d5d372545c9904dbc95cb7eb1977a2e3fafc3432508493dae8c1d3bbfef4791c6097bc2b7f2ebe0547a8bc9c1e5e780b53a0344266e48c48e90480f72fc

Download Submit
C:\Recovery\WindowsRE\RCXD3BA.tmp

Filesize
1.7MB

MD5
d52794d88d495a883efa3b7b16a74907

SHA1
f79e9111723cb1a3e0f0fab891fa1bf288598539

SHA256
76dce5d9af03b4f38661cdb47c9c59b09f552a2fbf4de128267f504c7cfae86c

SHA512
df843b7db1184632f6b2968179bd574eb2dd9a3d9ad2ac8bba20401b2749bf689992a2d877c02b49df414aeeea83dbbe112928a804d5bf91dd2c60f2032ab940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\279806df-0674-4799-a234-57528c9903dc.vbs

Filesize
725B

MD5
c982dc0dccf14db5c78756bad8617dfe

SHA1
6c9b01d25593b7bfe10d990ac62af43bcf384ae3

SHA256
31f04ac09a81f1db4b1446e9a4abe9f3c8f1da130b409103d92443e2e04edfa5

SHA512
d8ec6de9700673ff6648ad61f740ed52f0be24b75c15c420b2a786d66faf3ae10c456170f55ea0c86448ac306e289b411cfd5fa9c042cb66204bcc05dc479373

Download Submit
C:\Users\Admin\AppData\Local\Temp\38ede4ca-1455-4414-a469-c01bb5b2dbed.vbs

Filesize
725B

MD5
eac4eab6efc371543e707514a61ff66c

SHA1
1d0d16048ef3a90fe7e92b3ae314937b7b14d8bf

SHA256
91a5ff2f58491594fe3d96eca8c4e83a44fefea52c87b9a3cefa8c2e9b5d52c0

SHA512
14f1449e2ee6d3f783bd2db524b8272f261dd49a5df20834963836cde5f8173db0c5c3e77da1ec5428c533b74c0747781c2bf37078606cd10bf33ff917faea1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\42072c7f-85a7-415c-9b11-7d85923f1bed.vbs

Filesize
501B

MD5
1c66d67035e10175330f006f67433520

SHA1
7a51764e77997488349e5ed90dad194764bae4f4

SHA256
e0b87be09cd80d1b512360b16ad1b087203ad85507b51bdada0b31293f09f5c1

SHA512
1309bd53b7cdd0c81c0a939b956c5b27007ba8f6b068715e8e3ece5c39757f592fcc704e0e987b71ca271a23b15e6bb480b2670038de12d71a340b7163b8264e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e7c52c0-96af-4078-b33c-76a3764064f9.vbs

Filesize
725B

MD5
fbb6dab66e1924657b2d750844ff0e9c

SHA1
a6d274a4079ef384fd213d7c6ff85597e55406f2

SHA256
160b2e62d33acef9237b67dd59e8f7a1be7fb45bf5cb04cfb38eabe25d44cefd

SHA512
5e5e598f5e93896619bef3accb25e19404a31824f919aededf59d8e53846c4e6d35bee32eeb9f8a13972baa226a5698032f4f27230634e5e8d57f8af3213e975

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f9c1910-b566-49af-8d9b-f49b5964ea69.vbs

Filesize
725B

MD5
9fb323e862d44ff449eb21852c755593

SHA1
168bfd81915ba969d993abff0354f7c5f6ab1485

SHA256
f901ef3ef90173f9aedfe1031050fff53c05747d3e1da9ffa179b66055cec10f

SHA512
5dd10be9d92b90cd16bff8e6bce95f04dfd3c80096356e4e194977587a2de5fb3f8c9e7f66cd36c079bb957a94d147376524ae03af146c6347e079d1b6f53399

Download Submit
C:\Users\Admin\AppData\Local\Temp\9290b297-8049-4900-af10-55f1ef9ef87f.vbs

Filesize
725B

MD5
cab8500c4595e96d977b86476ffdad0c

SHA1
3d7840d8f6b03716c64cdce72429511b1939e29e

SHA256
adbcb3ea4cb92a2ddb731e14ae220a7f360939490a64fce6f5cdc33d376cb9e2

SHA512
9351d8ba1dcbe2a227a61dd4404e6f28bdb986b8c35ba1fca984f74a362271873d39a3f07568a26b61c2d4815b6ef52e557e0ce53571acd56c3d8bf4ab7943f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhculi00.vu2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8c25d0e-9b2b-425d-b9d3-f881db74b4b9.vbs

Filesize
725B

MD5
8f2899ebc2477d8dde8d274c362e86de

SHA1
e5af2fe98cef066706b76b1edb27bbfa991a2969

SHA256
2cadbc6c3ad6647f65867a5c1cf02a5833b047ab918237da4b232f3c894a507f

SHA512
8461e336a670f8c869feb87d7b951ab8e10beb4e40aa9409b6f8cca0e5f0de5c1bedd2b5ced5b7299101c5e9b3711616aecc6ac4252d1a1a224454ad7e75f967

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9338aae-bab1-48f1-90c3-a22b1b13cf06.vbs

Filesize
725B

MD5
a572f9e658ac31a6132cac1e3f25fe79

SHA1
14176c15ec23e2d5bf366e66c791a46d59dd2409

SHA256
664ee603599fac91fa0371217429b1e9063c71cf1a735736398321c0ee36609d

SHA512
3764cb5369fcb72643e7f3dea1c7d6ec441c0b1b5010d0596b0923ccfec53251bc0fd0812f407992fbe6461e0bb645ac944edc677807f61732aed590a0a6883b

Download Submit
C:\Users\Admin\AppData\Local\Temp\def19d2a-48f5-4b9c-ac02-88b38b8e86d4.vbs

Filesize
724B

MD5
d559aabacf7dcd016890ccfc959c345b

SHA1
af09be0db4e3112313539137bd385217c3607098

SHA256
d784feb4e9fde48c81cd7773bbc7c1ff4941d41853eac1ddcb337a67d32c7af1

SHA512
2df0a44526cd6af62c9a488f5b84b671bf2ec1e2702ad497b5a4e21a7c066cb9baa7c30a328a5e6be13c778de69d77037b1e60ddfe6063e5a8e358e6f9c2953e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncnsocFEBw.bat

Filesize
214B

MD5
73a4fc604ff625d1341f2bbf4f2ca5be

SHA1
b0ce369fb6c20e349adcdb6ea02dab55e3bd5ee1

SHA256
29e2281f868d0f4c7282fe7f904923b55bd69262b7b7d3be5535828fdc6bba55

SHA512
6eacb9f09c92e7d44f8822c96a3a005fd303b61bc2041f985568271632238b934d1bc4c7ea5ee451f5e47e3e9aa539ba410331d06b888ef310d17becc1dfdc1d

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.7MB

MD5
5c1b22a8be4ad41842d46981366af281

SHA1
876f42209ba0f034f9320126a092815b714dcd2a

SHA256
a74885aed98e3ccfe49d225b926be0a23d797b5ccd4a74f622c6359633d9defc

SHA512
d54b564ac8d8d41f792cc783d81f77a5f20fd25d1df699a39a703cef8aa0176612e328833cbb9449da0b50df9de3514b9c3168438f74dba84198593403b7cdf7

Download Submit
C:\Users\Public\AccountPictures\Idle.exe

Filesize
1.7MB

MD5
cc5b203774431b400a232b95cac3d149

SHA1
72876feec2ad790c4277480fe3d046c08d834e72

SHA256
b298b06af521eee1bb8a37fc1f68f7bfbb419dde4e6b7f30f75605aafe845460

SHA512
4223ac3482da59d79e1b18586927627ac7c43dcd43278787ead3b29ac9bfe00852565c1815f7523225e4274573f045817f8b2f6c59c4a5cfae91f965a6c6812d

Download Submit
memory/920-463-0x000000001B660000-0x000000001B672000-memory.dmp

Filesize
72KB

Download
memory/1412-268-0x00000153069F0000-0x0000015306A12000-memory.dmp

Filesize
136KB

Download
memory/1488-429-0x000000001B790000-0x000000001B7A2000-memory.dmp

Filesize
72KB

Download
memory/3004-14-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/3004-10-0x000000001BD10000-0x000000001BD18000-memory.dmp

Filesize
32KB

Download
memory/3004-258-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-96-0x00007FF97C103000-0x00007FF97C105000-memory.dmp

Filesize
8KB

Download
memory/3004-20-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-19-0x000000001C5F0000-0x000000001C5FC000-memory.dmp

Filesize
48KB

Download
memory/3004-15-0x000000001C570000-0x000000001C57A000-memory.dmp

Filesize
40KB

Download
memory/3004-16-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/3004-17-0x000000001C590000-0x000000001C598000-memory.dmp

Filesize
32KB

Download
memory/3004-18-0x000000001C5A0000-0x000000001C5AC000-memory.dmp

Filesize
48KB

Download
memory/3004-120-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-13-0x000000001C8A0000-0x000000001CDC8000-memory.dmp

Filesize
5.2MB

Download
memory/3004-12-0x000000001BD20000-0x000000001BD32000-memory.dmp

Filesize
72KB

Download
memory/3004-23-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-9-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

Filesize
48KB

Download
memory/3004-8-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

Filesize
64KB

Download
memory/3004-7-0x000000001BC80000-0x000000001BC96000-memory.dmp

Filesize
88KB

Download
memory/3004-5-0x000000001BB50000-0x000000001BB58000-memory.dmp

Filesize
32KB

Download
memory/3004-6-0x000000001BC70000-0x000000001BC80000-memory.dmp

Filesize
64KB

Download
memory/3004-0-0x00007FF97C103000-0x00007FF97C105000-memory.dmp

Filesize
8KB

Download
memory/3004-4-0x000000001BCC0000-0x000000001BD10000-memory.dmp

Filesize
320KB

Download
memory/3004-3-0x00000000031C0000-0x00000000031DC000-memory.dmp

Filesize
112KB

Download
memory/3004-2-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-156-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3004-1-0x0000000000E80000-0x0000000001040000-memory.dmp

Filesize
1.8MB

Download