dcrat | 6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Size

1.7MB
MD5

96eb6349f62024cbe4512ce6fe98e9ca
SHA1

ca1e4b20f9a1e3ffb2ab3776370fe94e936ad29f
SHA256

6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c
SHA512

5741d00be28702ea6e64cfb3ea44fe38df4cd2296b5949d5cfe7ed785eae922d9ba82b07893882d4b19e3685e17796e4fba0087d50366fc608939b9ce0cbd0e4
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	4044	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4044	schtasks.exe	84

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5008-1-0x0000000000300000-0x00000000004C0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cb0-30.dat	dcrat
behavioral2/files/0x000c000000023cd8-103.dat	dcrat
behavioral2/files/0x0009000000023cae-114.dat	dcrat
behavioral2/files/0x0009000000023cb0-123.dat	dcrat
behavioral2/files/0x000b000000023cb5-159.dat	dcrat
behavioral2/files/0x000600000001e767-195.dat	dcrat
behavioral2/files/0x000a000000023cc7-231.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
636	powershell.exe
1180	powershell.exe
2592	powershell.exe
2712	powershell.exe
1600	powershell.exe
1760	powershell.exe
2288	powershell.exe
3292	powershell.exe
648	powershell.exe
2660	powershell.exe
4904	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 10 IoCs

pid	Process
2000	upfc.exe
3284	upfc.exe
900	upfc.exe
1260	upfc.exe
2000	upfc.exe
4464	upfc.exe
4948	upfc.exe
3872	upfc.exe
2492	upfc.exe
4888	upfc.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCXC186.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXD91A.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\TextInputHost.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Windows Portable Devices\upfc.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\ModifiableWindowsApps\SearchApp.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXBC90.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCXC108.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\OfficeClickToRun.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXC881.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\OfficeClickToRun.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\886983d96e3d3e	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXBC8F.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXD8AB.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\e6c9b481da804f	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Windows Mail\TextInputHost.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXB866.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXB855.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\upfc.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXC880.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Windows Portable Devices\ea1d8f6d871115	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Windows Mail\22eafd247d37c3	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\c5b4cb5e9653cc	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\de-DE\RCXBE95.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\OfficeClickToRun.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\OfficeClickToRun.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\e6c9b481da804f	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\SchCache\RCXCD66.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\SchCache\RCXCD67.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\SchCache\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\security\audit\RCXD6A6.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\security\audit\csrss.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\SchCache\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\SchCache\f5c669165c434f	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\security\audit\csrss.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\security\audit\886983d96e3d3e	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\de-DE\RCXBF03.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\de-DE\services.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\security\audit\RCXD6A7.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\de-DE\services.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\RCXC38B.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\RCXC3F9.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3588	schtasks.exe
1016	schtasks.exe
1436	schtasks.exe
4992	schtasks.exe
2832	schtasks.exe
4088	schtasks.exe
2780	schtasks.exe
2200	schtasks.exe
1500	schtasks.exe
832	schtasks.exe
320	schtasks.exe
4528	schtasks.exe
4840	schtasks.exe
1600	schtasks.exe
1440	schtasks.exe
2616	schtasks.exe
1496	schtasks.exe
3040	schtasks.exe
4936	schtasks.exe
4780	schtasks.exe
3172	schtasks.exe
4760	schtasks.exe
3968	schtasks.exe
2312	schtasks.exe
1100	schtasks.exe
1124	schtasks.exe
4372	schtasks.exe
4632	schtasks.exe
4384	schtasks.exe
2592	schtasks.exe
920	schtasks.exe
2100	schtasks.exe
4716	schtasks.exe
3244	schtasks.exe
1376	schtasks.exe
536	schtasks.exe
4676	schtasks.exe
32	schtasks.exe
3152	schtasks.exe
4844	schtasks.exe
3188	schtasks.exe
1908	schtasks.exe
3720	schtasks.exe
4020	schtasks.exe
2628	schtasks.exe
2216	schtasks.exe
3016	schtasks.exe
4124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
636	powershell.exe
636	powershell.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
636	powershell.exe
3292	powershell.exe
3292	powershell.exe
2660	powershell.exe
2660	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2000	upfc.exe
Token: SeDebugPrivilege	3284	upfc.exe
Token: SeDebugPrivilege	900	upfc.exe
Token: SeDebugPrivilege	1260	upfc.exe
Token: SeDebugPrivilege	2000	upfc.exe
Token: SeDebugPrivilege	4464	upfc.exe
Token: SeDebugPrivilege	4948	upfc.exe
Token: SeDebugPrivilege	3872	upfc.exe
Token: SeDebugPrivilege	2492	upfc.exe
Token: SeDebugPrivilege	4888	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2288	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	137
PID 5008 wrote to memory of 2288	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	137
PID 5008 wrote to memory of 4904	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	138
PID 5008 wrote to memory of 4904	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	138
PID 5008 wrote to memory of 3292	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	139
PID 5008 wrote to memory of 3292	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	139
PID 5008 wrote to memory of 648	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	140
PID 5008 wrote to memory of 648	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	140
PID 5008 wrote to memory of 636	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	141
PID 5008 wrote to memory of 636	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	141
PID 5008 wrote to memory of 1180	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	142
PID 5008 wrote to memory of 1180	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	142
PID 5008 wrote to memory of 2592	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	143
PID 5008 wrote to memory of 2592	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	143
PID 5008 wrote to memory of 2712	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	144
PID 5008 wrote to memory of 2712	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	144
PID 5008 wrote to memory of 1600	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	145
PID 5008 wrote to memory of 1600	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	145
PID 5008 wrote to memory of 1760	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	146
PID 5008 wrote to memory of 1760	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	146
PID 5008 wrote to memory of 2660	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	147
PID 5008 wrote to memory of 2660	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	147
PID 5008 wrote to memory of 2000	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	159
PID 5008 wrote to memory of 2000	5008	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	159
PID 2000 wrote to memory of 4196	2000	upfc.exe	163
PID 2000 wrote to memory of 4196	2000	upfc.exe	163
PID 2000 wrote to memory of 4020	2000	upfc.exe	164
PID 2000 wrote to memory of 4020	2000	upfc.exe	164
PID 4196 wrote to memory of 3284	4196	WScript.exe	168
PID 4196 wrote to memory of 3284	4196	WScript.exe	168
PID 3284 wrote to memory of 216	3284	upfc.exe	170
PID 3284 wrote to memory of 216	3284	upfc.exe	170
PID 3284 wrote to memory of 1956	3284	upfc.exe	171
PID 3284 wrote to memory of 1956	3284	upfc.exe	171
PID 216 wrote to memory of 900	216	WScript.exe	176
PID 216 wrote to memory of 900	216	WScript.exe	176
PID 900 wrote to memory of 2064	900	upfc.exe	178
PID 900 wrote to memory of 2064	900	upfc.exe	178
PID 900 wrote to memory of 4844	900	upfc.exe	179
PID 900 wrote to memory of 4844	900	upfc.exe	179
PID 2064 wrote to memory of 1260	2064	WScript.exe	180
PID 2064 wrote to memory of 1260	2064	WScript.exe	180
PID 1260 wrote to memory of 4660	1260	upfc.exe	182
PID 1260 wrote to memory of 4660	1260	upfc.exe	182
PID 1260 wrote to memory of 4032	1260	upfc.exe	183
PID 1260 wrote to memory of 4032	1260	upfc.exe	183
PID 4660 wrote to memory of 2000	4660	WScript.exe	186
PID 4660 wrote to memory of 2000	4660	WScript.exe	186
PID 2000 wrote to memory of 3732	2000	upfc.exe	188
PID 2000 wrote to memory of 3732	2000	upfc.exe	188
PID 2000 wrote to memory of 4952	2000	upfc.exe	189
PID 2000 wrote to memory of 4952	2000	upfc.exe	189
PID 3732 wrote to memory of 4464	3732	WScript.exe	190
PID 3732 wrote to memory of 4464	3732	WScript.exe	190
PID 4464 wrote to memory of 2660	4464	upfc.exe	192
PID 4464 wrote to memory of 2660	4464	upfc.exe	192
PID 4464 wrote to memory of 3260	4464	upfc.exe	193
PID 4464 wrote to memory of 3260	4464	upfc.exe	193
PID 2660 wrote to memory of 4948	2660	WScript.exe	194
PID 2660 wrote to memory of 4948	2660	WScript.exe	194
PID 4948 wrote to memory of 2876	4948	upfc.exe	196
PID 4948 wrote to memory of 2876	4948	upfc.exe	196
PID 4948 wrote to memory of 2032	4948	upfc.exe	197
PID 4948 wrote to memory of 2032	4948	upfc.exe	197

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
"C:\Users\Admin\AppData\Local\Temp\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Program Files\Windows Portable Devices\upfc.exe
  "C:\Program Files\Windows Portable Devices\upfc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a01006e6-5cae-47e8-acef-0e11a6311df2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Program Files\Windows Portable Devices\upfc.exe
      "C:\Program Files\Windows Portable Devices\upfc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3284
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36cbb836-8df3-4097-a6f8-82856ff3778b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:216
      - C:\Program Files\Windows Portable Devices\upfc.exe
        
        "C:\Program Files\Windows Portable Devices\upfc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b7b5260-7429-4d67-b71a-55c43fa668ee.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Program Files\Windows Portable Devices\upfc.exe
        
        "C:\Program Files\Windows Portable Devices\upfc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e309914f-02e0-44ae-831a-170b173cca9a.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Program Files\Windows Portable Devices\upfc.exe
        
        "C:\Program Files\Windows Portable Devices\upfc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c36c4a5-3fe8-4e80-bada-a4f6eb34bf32.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Program Files\Windows Portable Devices\upfc.exe
        
        "C:\Program Files\Windows Portable Devices\upfc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\addeceb5-990c-4fae-a4b7-3094f1984111.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Program Files\Windows Portable Devices\upfc.exe
        
        "C:\Program Files\Windows Portable Devices\upfc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbc8eeeb-b737-470e-a2a2-f705fa25dc65.vbs"
        15⤵
        
        PID:2876
        
        C:\Program Files\Windows Portable Devices\upfc.exe
        
        "C:\Program Files\Windows Portable Devices\upfc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24366344-4df2-4908-9c84-624660babe83.vbs"
        17⤵
        
        PID:5088
        
        C:\Program Files\Windows Portable Devices\upfc.exe
        
        "C:\Program Files\Windows Portable Devices\upfc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fb2082f-c8ad-4942-8acd-bd720c47f313.vbs"
        19⤵
        
        PID:2656
        
        C:\Program Files\Windows Portable Devices\upfc.exe
        
        "C:\Program Files\Windows Portable Devices\upfc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6c27357-5834-466a-83a9-ff43174b2d35.vbs"
        21⤵
        
        PID:3592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f9f2add-83be-4802-81ba-93229071b31f.vbs"
        21⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7bdbd1d-fcb7-4328-9f0f-032099a542a1.vbs"
        19⤵
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65685f89-6f8e-4667-83fe-e398f5d050a3.vbs"
        17⤵
        
        PID:3328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d062bf42-91db-402e-b431-d11f206cf373.vbs"
        15⤵
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b08998b-210e-4a08-a79b-f0b0ba01d1b0.vbs"
        13⤵
        
        PID:3260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08135458-67c9-41a5-9442-b01fd9356fd7.vbs"
        11⤵
        
        PID:4952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\865b69c9-cc7b-4442-bdf3-e9a0ee2d4353.vbs"
        9⤵
        
        PID:4032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4013126-2e62-41ed-b112-3b19a0bc8571.vbs"
        7⤵
        
        PID:4844
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\390fb02b-4121-4c2e-82b3-190fd2e61c5d.vbs"
        5⤵
        
        PID:1956
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9a1b4c0-5fed-4700-b14b-a91f8f53760c.vbs"
    3⤵
    PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Downloads\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c6" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c" /sc ONLOGON /tr "'C:\Windows\SchCache\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c6" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\audit\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\audit\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\security\audit\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\TextInputHost.exe

Filesize
1.7MB

MD5
6094b5345964cb49f32476502f5bc85d

SHA1
9ab85fef4357b86f2b098f332140787c6e6d0de5

SHA256
87732c226ab5afda9fdcd23c7a7be6f732b94017e000e5d56b6782073cb34782

SHA512
5ee5080a9ec5aca9278cd70c852646059b6ead2f8a6d35ba11594cb0107c0fefe3b3ea6d2cbc50dda22bf1260b0badf556d57c6f82f11ed73302d64a9bac683e

Download Submit
C:\Program Files (x86)\Windows Media Player\es-ES\OfficeClickToRun.exe

Filesize
1.7MB

MD5
96eb6349f62024cbe4512ce6fe98e9ca

SHA1
ca1e4b20f9a1e3ffb2ab3776370fe94e936ad29f

SHA256
6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c

SHA512
5741d00be28702ea6e64cfb3ea44fe38df4cd2296b5949d5cfe7ed785eae922d9ba82b07893882d4b19e3685e17796e4fba0087d50366fc608939b9ce0cbd0e4

Download Submit
C:\Program Files (x86)\Windows Media Player\es-ES\OfficeClickToRun.exe

Filesize
1.7MB

MD5
b56fa96c24c4834b67e72479cde1cc44

SHA1
bf94cbb07527a3585f4fb730887f2ea6f8ebcf17

SHA256
3bc202c8fc8f9bc13a5f19751675dcfda5902ad21b33b34ae286b0463378145e

SHA512
0f7190937d6057f6cead0ef46d4ba0ff24de2b123983ccc314087b79b33c33741bbcaf0181a1fc83a1d2e93a752e1abe583ec1f034d410a71f3a9a427e089c74

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\smss.exe

Filesize
1.7MB

MD5
fdb65a70256886e5bbc19191bcffe96b

SHA1
9d119c3dfaee96a5730c654d1183b0445bfd4f01

SHA256
00ef10ffd6a332180d9e6311061f5e73d59355c332e432ec0276db37a4b1e2d6

SHA512
a8aa032a6395a66f727e4839028b13516a524c83b3144fce0f66899d461b9d561ff8be34c83fd7d2767fc7c79ef64423b94ed5c19112035f91d14c25d7b64d54

Download Submit
C:\Recovery\WindowsRE\taskhostw.exe

Filesize
1.7MB

MD5
c96ece00781bcfdd568b2e25bb13ef09

SHA1
e50ad5b672b41dc58b4c54c7605a65453cc58e44

SHA256
16e184ba1c8e01fac7e010457e8b1bae6a5a4f5b98329cd94e4cecaef0e70e75

SHA512
19d65e625651a6be84ef978f5a2c9133690f19835f748a2fb69d4bfcad711df1e8f3efd27c8676a5f2da0d2359d475f336c711da05aa102a6b6affdb30d27e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\24366344-4df2-4908-9c84-624660babe83.vbs

Filesize
726B

MD5
00d6572c297930d420e2cec55cd05b17

SHA1
568499af85267ac7113e39733efdb468bdcc8f34

SHA256
295a7f5d19f2c4c9a1e1c48dbb2d16b4173adc86fa30c9fe851ce5b36d0781bd

SHA512
504fd0519a985742f8be97d1ad4fc861ac9653d81172ea788173c5f2710eaa2b949645da66be9414b1829279e1fc38850ab3df2d9b2c706911f96ea65ae5c702

Download Submit
C:\Users\Admin\AppData\Local\Temp\36cbb836-8df3-4097-a6f8-82856ff3778b.vbs

Filesize
726B

MD5
96476359501215c699f86c46d36ccf95

SHA1
0fa3d70937239c5bf53efaf03148d38313e72857

SHA256
60bdd0605c1c35b5d191a891446936a9406e47321e5c000d2e13af729cb6e6f9

SHA512
e26d98be4b31414d26bd1cb48b64444b3b34ad6838638b62c11ec11a91631ef4f29ca1ccd5697842560fe25fa0d337ca8b947a315acabe46bfc8154d9ced0014

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b7b5260-7429-4d67-b71a-55c43fa668ee.vbs

Filesize
725B

MD5
088ff89de8ecb2e3708c578d24dade63

SHA1
001454aeee860daab6ba16b96bddfe24a89f99a8

SHA256
9ea6e4ce6132e3957c61afcfbe6fe8eac28bf19f1d57dee8b6c97ea8bc86a80f

SHA512
3712198851767cba8c0a386c8b2e9fbc264ba94b09d5e05082aacb382605e3263ea35b617a986fae77fdd48e5995366bfca112829d147eb8ccdb6f2cab16aa21

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fb2082f-c8ad-4942-8acd-bd720c47f313.vbs

Filesize
726B

MD5
97c00d2a55885b48b06091db5e21428f

SHA1
aa0480f22a15dc605076fd9ea270bcfe1dd2391d

SHA256
b4b32cebeb68bfedd274358e0ee4d98e544b09fd2ab019043966ca0608707673

SHA512
0f3ce000aa955d692777f5e848d939547a6eed562a14859e80d0085440eaf6732bee104bc2105dc54975050b5962519a74dc64606314b3989d6a957c3dc661ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvvwem4g.vvl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a01006e6-5cae-47e8-acef-0e11a6311df2.vbs

Filesize
726B

MD5
269d16349f27892b0ee942535a8b8217

SHA1
8eca52f1a82c0e67ee938d5421c050f8cabeeff6

SHA256
5aaf5ac8b0ff34c5c82b8e12cdbaf5553d3225a0d6c51fc9ab4418526e7243d1

SHA512
a1cc22f08c2879bdf56ed00aa61bf0cc77272ceef3fb20557a494498d68188f340d063bbc268121d93806d6ba14cf0fb39baeb35c11cc7f0f9037370692fd52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\addeceb5-990c-4fae-a4b7-3094f1984111.vbs

Filesize
726B

MD5
ad7dc798b342ac4d792c1d5ca53e5148

SHA1
2ec12a0dff07a653558150a748d9b7ce85ecfe61

SHA256
4c809f97c35a20b5d320bd45ae8c75010a3d8eecb20e59f51430417c55dd495b

SHA512
d9d77c371e7430004ff482fb9cd1504a430c852408691fc4e2dccf1863f656ea7ce722b2e8ae73a4292fe07116d13bbeb733233f8969997f512630852144d8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6c27357-5834-466a-83a9-ff43174b2d35.vbs

Filesize
726B

MD5
9fc2947d4761a9ef984cffdcfdda64ff

SHA1
1134c6cd5239cd3312a8dd1af3fb78b8c6bbbbf4

SHA256
5da558bd4d7fd7e2e5b1aab44913827e20bc6fdb60cec699fa5cc1e6cd245577

SHA512
8535019c75198fea5e8f234d4b1aef4c6af69d4613b7c64a63a89bd713fbb5ac1ce4c834f697202d64f5c9e102c3ed635dff5af20f11199994a5a4456cdbb9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e309914f-02e0-44ae-831a-170b173cca9a.vbs

Filesize
726B

MD5
b7f29ce1772c3d154c0cc5e4c3550b5d

SHA1
de2ba9c9d6382ebb3b46fa5a7d27464d0e151ed0

SHA256
33882370ffd67690c53025275b3c144a39e370cf60506a3ae75ba8a315636efb

SHA512
1ac2bd1ae0f6bc773c5551a09ef90436435a1dab631270f2ddfeef21187e6bb1e0179e1ba590537053fe15e4a9a3939dd4e829306db49167de39577d178b8a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9a1b4c0-5fed-4700-b14b-a91f8f53760c.vbs

Filesize
502B

MD5
44d72a9a8868a0654695fca77523fb79

SHA1
0cb652235fc49bf7d6d6703392ba25e2f706964d

SHA256
21a7b89b82699360479573943cdf86ff6e96cb58e77d45faad70c0134b972409

SHA512
5a0fb83cfe68ee8a7211534683a924c144b664cfe735112a70668bcc48e8791e67812cd0afc819e15b43f2864cf65ed416ff3d22bbde35cde4079f3606029f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbc8eeeb-b737-470e-a2a2-f705fa25dc65.vbs

Filesize
726B

MD5
e9eec3cca0910b8461b5b1b65a6bbb29

SHA1
5ded4e1c7eead47f3154c87ff856e3a3df754c9d

SHA256
5d42bf34ed1c87706f4eb5cfc361a0adc7df7aae877cb3d7eb58e3a1025daad6

SHA512
b3b82ee7ba84d6cccb7382528536061c25eeccb3453c6ef59c07f510a1f0957a23118a213ca131f1c18a8830b9ee3d9d0f8cd75b34e700419df529594dd454a6

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\OfficeClickToRun.exe

Filesize
1.7MB

MD5
76c2c38a90649e49cb51734c9e15d7b5

SHA1
ea93e0f81450258906d81cad03177507dbcc9839

SHA256
4d1ce5bf40b174bb974f09b93d83d16479860c02828736e26193294810cb378e

SHA512
402bec36c6d4173b09b321301cfc48d0c2f70c10af1550a6f3c280f52546dbee3aae8811d19ca948ac1545a2594e7d911e38014761ce322391039df49b028d0a

Download Submit
C:\Windows\de-DE\services.exe

Filesize
1.7MB

MD5
cb194dd640610d29521f03711f0a8071

SHA1
afdd8aabbd41a2c142ce6d8c330a9024b1ab5def

SHA256
07877716bd79657c614e7d6c04187456f73829e78add2cb55ef67bb2f5961376

SHA512
6cb62f06380d003f646b0a50093fb75e86d071717ebe4bb168a686b43e515fb5751dbc310d3813d30973506541fa9945f7fe5dd77d121f1c54aaaae79aebdf84

Download Submit
memory/636-300-0x000002E2AD9B0000-0x000002E2AD9D2000-memory.dmp

Filesize
136KB

Download
memory/2000-477-0x00000000029C0000-0x00000000029D2000-memory.dmp

Filesize
72KB

Download
memory/3284-443-0x000000001C1E0000-0x000000001C1F2000-memory.dmp

Filesize
72KB

Download
memory/4196-440-0x000001CA35000000-0x000001CA3504E000-memory.dmp

Filesize
312KB

Download
memory/4888-533-0x000000001B0C0000-0x000000001B0D2000-memory.dmp

Filesize
72KB

Download
memory/5008-18-0x000000001B110000-0x000000001B11C000-memory.dmp

Filesize
48KB

Download
memory/5008-222-0x00007FFBB8960000-0x00007FFBB9421000-memory.dmp

Filesize
10.8MB

Download
memory/5008-198-0x00007FFBB8960000-0x00007FFBB9421000-memory.dmp

Filesize
10.8MB

Download
memory/5008-174-0x00007FFBB8960000-0x00007FFBB9421000-memory.dmp

Filesize
10.8MB

Download
memory/5008-406-0x00007FFBB8960000-0x00007FFBB9421000-memory.dmp

Filesize
10.8MB

Download
memory/5008-150-0x00007FFBB8963000-0x00007FFBB8965000-memory.dmp

Filesize
8KB

Download
memory/5008-23-0x00007FFBB8960000-0x00007FFBB9421000-memory.dmp

Filesize
10.8MB

Download
memory/5008-22-0x00007FFBB8960000-0x00007FFBB9421000-memory.dmp

Filesize
10.8MB

Download
memory/5008-19-0x000000001B120000-0x000000001B12C000-memory.dmp

Filesize
48KB

Download
memory/5008-15-0x000000001B0E0000-0x000000001B0EA000-memory.dmp

Filesize
40KB

Download
memory/5008-16-0x000000001B0F0000-0x000000001B0FE000-memory.dmp

Filesize
56KB

Download
memory/5008-17-0x000000001B100000-0x000000001B108000-memory.dmp

Filesize
32KB

Download
memory/5008-0-0x00007FFBB8963000-0x00007FFBB8965000-memory.dmp

Filesize
8KB

Download
memory/5008-14-0x00000000027A0000-0x00000000027AC000-memory.dmp

Filesize
48KB

Download
memory/5008-13-0x000000001BD90000-0x000000001C2B8000-memory.dmp

Filesize
5.2MB

Download
memory/5008-12-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/5008-10-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/5008-9-0x0000000002750000-0x000000000275C000-memory.dmp

Filesize
48KB

Download
memory/5008-7-0x0000000002730000-0x0000000002746000-memory.dmp

Filesize
88KB

Download
memory/5008-8-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/5008-5-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/5008-6-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/5008-4-0x000000001B090000-0x000000001B0E0000-memory.dmp

Filesize
320KB

Download
memory/5008-3-0x00000000025E0000-0x00000000025FC000-memory.dmp

Filesize
112KB

Download
memory/5008-2-0x00007FFBB8960000-0x00007FFBB9421000-memory.dmp

Filesize
10.8MB

Download
memory/5008-1-0x0000000000300000-0x00000000004C0000-memory.dmp

Filesize
1.8MB

Download