dcrat | c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
Size

1.7MB
MD5

6bcfacff2920b20d946173bf95750330
SHA1

7a6166a959e12742b8d01ffe953ca1bd63bc000f
SHA256

c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339
SHA512

896bac1f6043b3f1b863f120450f747154d3d116c4bdcd725bc0d6c63b59345e8ca4ada1e0a794561854db8468356dfd9e17dac296dfa8097621f2d3b90c584f
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	3916	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	3916	schtasks.exe	83

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3936-1-0x0000000000610000-0x00000000007D0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca9-30.dat	dcrat
behavioral2/files/0x000a000000023cd4-139.dat	dcrat
behavioral2/files/0x000a000000023cbc-204.dat	dcrat
behavioral2/files/0x000b000000023cbc-216.dat	dcrat
behavioral2/files/0x000d000000023cbc-245.dat	dcrat
behavioral2/files/0x0007000000023ce5-494.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
692	powershell.exe
228	powershell.exe
4168	powershell.exe
2776	powershell.exe
2040	powershell.exe
836	powershell.exe
2944	powershell.exe
4536	powershell.exe
4516	powershell.exe
2392	powershell.exe
908	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe

Executes dropped EXE 7 IoCs

pid	Process
4948	upfc.exe
1500	upfc.exe
3540	upfc.exe
2784	upfc.exe
4236	upfc.exe
4424	upfc.exe
2944	upfc.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\TextInputHost.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\66fc9ff0ee96c2	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files\Windows Defender\uk-UA\TextInputHost.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE613.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\sihost.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXE895.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\cc11b995f2a76d	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\RCXEF81.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXD84B.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXE614.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXEAAB.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\lsass.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXED6D.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files (x86)\Common Files\Oracle\sysmon.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files\Windows Defender\uk-UA\22eafd247d37c3	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXED6C.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files (x86)\Common Files\Oracle\121e5b5079f7c0	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files (x86)\Windows Mail\6203df4a6bafc7	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\c5b4cb5e9653cc	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXCDD2.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\Idle.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files (x86)\Windows Mail\lsass.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\6ccacd8608530f	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXCDA2.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXD84C.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\RCXE3FE.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\RCXE3FF.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXEABB.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files (x86)\Windows Mail\sihost.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\Idle.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\RCXEFFF.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\sysmon.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXE896.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Engines\SR\c5b4cb5e9653cc	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Windows\Speech\Engines\SR\RCXD1EC.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Windows\Speech\Engines\SR\RCXD21C.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Windows\Speech\Engines\SR\services.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Windows\SchCache\RCXDA60.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Windows\Speech\Engines\SR\services.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Windows\SchCache\c5b4cb5e9653cc	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Windows\SchCache\RCXDADE.tmp	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File opened for modification	C:\Windows\SchCache\services.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
File created	C:\Windows\SchCache\services.exe	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4404	schtasks.exe
3476	schtasks.exe
3808	schtasks.exe
4544	schtasks.exe
4092	schtasks.exe
2508	schtasks.exe
1044	schtasks.exe
4056	schtasks.exe
1196	schtasks.exe
2484	schtasks.exe
2236	schtasks.exe
384	schtasks.exe
2132	schtasks.exe
3944	schtasks.exe
4832	schtasks.exe
4748	schtasks.exe
4880	schtasks.exe
4892	schtasks.exe
2900	schtasks.exe
4904	schtasks.exe
3504	schtasks.exe
3320	schtasks.exe
32	schtasks.exe
4216	schtasks.exe
1548	schtasks.exe
1364	schtasks.exe
4032	schtasks.exe
1392	schtasks.exe
5048	schtasks.exe
964	schtasks.exe
3440	schtasks.exe
4804	schtasks.exe
3620	schtasks.exe
4836	schtasks.exe
2128	schtasks.exe
700	schtasks.exe
3340	schtasks.exe
4348	schtasks.exe
404	schtasks.exe
3816	schtasks.exe
4100	schtasks.exe
3804	schtasks.exe
4364	schtasks.exe
808	schtasks.exe
1920	schtasks.exe
3040	schtasks.exe
3016	schtasks.exe
2640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
2040	powershell.exe
2040	powershell.exe
836	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	4948	upfc.exe
Token: SeDebugPrivilege	1500	upfc.exe
Token: SeDebugPrivilege	3540	upfc.exe
Token: SeDebugPrivilege	2784	upfc.exe
Token: SeDebugPrivilege	4236	upfc.exe
Token: SeDebugPrivilege	4424	upfc.exe
Token: SeDebugPrivilege	2944	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 4536	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	144
PID 3936 wrote to memory of 4536	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	144
PID 3936 wrote to memory of 4168	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	145
PID 3936 wrote to memory of 4168	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	145
PID 3936 wrote to memory of 4516	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	146
PID 3936 wrote to memory of 4516	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	146
PID 3936 wrote to memory of 2392	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	147
PID 3936 wrote to memory of 2392	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	147
PID 3936 wrote to memory of 2776	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	148
PID 3936 wrote to memory of 2776	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	148
PID 3936 wrote to memory of 2040	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	149
PID 3936 wrote to memory of 2040	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	149
PID 3936 wrote to memory of 908	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	150
PID 3936 wrote to memory of 908	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	150
PID 3936 wrote to memory of 836	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	151
PID 3936 wrote to memory of 836	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	151
PID 3936 wrote to memory of 692	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	152
PID 3936 wrote to memory of 692	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	152
PID 3936 wrote to memory of 228	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	153
PID 3936 wrote to memory of 228	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	153
PID 3936 wrote to memory of 2944	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	154
PID 3936 wrote to memory of 2944	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	154
PID 3936 wrote to memory of 4948	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	166
PID 3936 wrote to memory of 4948	3936	c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe	166
PID 4948 wrote to memory of 4596	4948	upfc.exe	168
PID 4948 wrote to memory of 4596	4948	upfc.exe	168
PID 4948 wrote to memory of 2712	4948	upfc.exe	169
PID 4948 wrote to memory of 2712	4948	upfc.exe	169
PID 4596 wrote to memory of 1500	4596	WScript.exe	170
PID 4596 wrote to memory of 1500	4596	WScript.exe	170
PID 1500 wrote to memory of 5116	1500	upfc.exe	172
PID 1500 wrote to memory of 5116	1500	upfc.exe	172
PID 1500 wrote to memory of 4080	1500	upfc.exe	173
PID 1500 wrote to memory of 4080	1500	upfc.exe	173
PID 5116 wrote to memory of 3540	5116	WScript.exe	177
PID 5116 wrote to memory of 3540	5116	WScript.exe	177
PID 3540 wrote to memory of 1748	3540	upfc.exe	179
PID 3540 wrote to memory of 1748	3540	upfc.exe	179
PID 3540 wrote to memory of 3988	3540	upfc.exe	180
PID 3540 wrote to memory of 3988	3540	upfc.exe	180
PID 1748 wrote to memory of 2784	1748	WScript.exe	181
PID 1748 wrote to memory of 2784	1748	WScript.exe	181
PID 2784 wrote to memory of 700	2784	upfc.exe	183
PID 2784 wrote to memory of 700	2784	upfc.exe	183
PID 2784 wrote to memory of 3428	2784	upfc.exe	184
PID 2784 wrote to memory of 3428	2784	upfc.exe	184
PID 700 wrote to memory of 4236	700	WScript.exe	186
PID 700 wrote to memory of 4236	700	WScript.exe	186
PID 4236 wrote to memory of 1416	4236	upfc.exe	188
PID 4236 wrote to memory of 1416	4236	upfc.exe	188
PID 4236 wrote to memory of 4216	4236	upfc.exe	189
PID 4236 wrote to memory of 4216	4236	upfc.exe	189
PID 1416 wrote to memory of 4424	1416	WScript.exe	191
PID 1416 wrote to memory of 4424	1416	WScript.exe	191
PID 4424 wrote to memory of 3928	4424	upfc.exe	193
PID 4424 wrote to memory of 3928	4424	upfc.exe	193
PID 4424 wrote to memory of 5024	4424	upfc.exe	194
PID 4424 wrote to memory of 5024	4424	upfc.exe	194
PID 3928 wrote to memory of 2944	3928	WScript.exe	195
PID 3928 wrote to memory of 2944	3928	WScript.exe	195
PID 2944 wrote to memory of 3320	2944	upfc.exe	197
PID 2944 wrote to memory of 3320	2944	upfc.exe	197
PID 2944 wrote to memory of 3796	2944	upfc.exe	198
PID 2944 wrote to memory of 3796	2944	upfc.exe	198

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe
"C:\Users\Admin\AppData\Local\Temp\c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Recovery\WindowsRE\upfc.exe
  "C:\Recovery\WindowsRE\upfc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c6d2c2e-3bf7-4d0c-8116-5da20e613534.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Recovery\WindowsRE\upfc.exe
      C:\Recovery\WindowsRE\upfc.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b40722e-d506-4080-9491-d18600c1c646.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae0a03ec-f9a6-4558-ac24-e5c291be9335.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c3384aa-ca19-4d04-aa72-7c0f27792925.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aa999ca-28f3-4ce6-8acb-7d5cb0994f79.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87fa328b-84e0-4b1d-8096-9fff2068e336.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f292cba-73b4-4f71-b95a-b6f0feb10e93.vbs"
        15⤵
        
        PID:3320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54675ef1-08a1-4ce4-ba51-8fdbe985f3f3.vbs"
        15⤵
        
        PID:3796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff404931-0e28-44fb-98eb-479932a2fbbe.vbs"
        13⤵
        
        PID:5024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\875a4df8-a0e4-4c30-8ef3-03b2d313a009.vbs"
        11⤵
        
        PID:4216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e80ceaf-39d3-4fcc-a353-3d03daefb327.vbs"
        9⤵
        
        PID:3428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a397543a-b0f5-43f7-8f0b-ce131adbb92e.vbs"
        7⤵
        
        PID:3988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28c9f10a-e62d-45cb-8737-cf6256b83672.vbs"
        5⤵
        
        PID:4080
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8a4537-353a-449b-93ec-b80bdd5863e4.vbs"
    3⤵
    PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\Engines\SR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\SR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\Engines\SR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Oracle\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\uk-UA\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\uk-UA\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\RCXEAAB.tmp

Filesize
1.7MB

MD5
7416e3c625fed6cfffc4ac126b8edce5

SHA1
f391dc6805c38883604ff174ad70342f5c923749

SHA256
6e230982b7c38726684391ad261aac2b43902159ea25ce715c35bac613ea1969

SHA512
c7e5905d00784bdb0c81d9af86b8238e5a932e8b01fc7b429473c61e50a9de1a24fd8d47e5150bb9c33ae8d419053ff7b464aa566c5bf3ad75f5278b254f026d

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\RCXE895.tmp

Filesize
1.7MB

MD5
76daddb2ba9ba90c0078b38f78a8087c

SHA1
b519ac2e9ce67fca0dcffc7db832983d69b370dd

SHA256
1206b4b4f0926d1fd3c4b7d074fc1ec0f70574ac4195cee6beff7dc5bc47c026

SHA512
14ba836b018b254ad78116e9ca41f26ef1a804d07a0c4bc8342d3e5bb8bd6d42ca1b6c47bc25094a602a0f1f131bfb70504d23145fdd9c6781c60f7bf22939be

Download Submit
C:\Program Files\Windows Defender\uk-UA\TextInputHost.exe

Filesize
1.7MB

MD5
5016a9dec6a5b7a81408571087186abd

SHA1
1b1efbdb853fc73228644888803f5fe74e2d5f8b

SHA256
3bf76f43cf838f2017884061e3196fa639fea76d7f86900dacf9cbed35e32525

SHA512
cad5397ace8bfc21991070f417799a859c40147d12f5a315395f972202b4892b3c98b44391be8a488c8ce73edeadf6aca5c68d2acb79d4da4b13dd8902404257

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.7MB

MD5
6bcfacff2920b20d946173bf95750330

SHA1
7a6166a959e12742b8d01ffe953ca1bd63bc000f

SHA256
c94fe393a995fde11c3e7923320972f8000d18a40a597d886258784684ad4339

SHA512
896bac1f6043b3f1b863f120450f747154d3d116c4bdcd725bc0d6c63b59345e8ca4ada1e0a794561854db8468356dfd9e17dac296dfa8097621f2d3b90c584f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f292cba-73b4-4f71-b95a-b6f0feb10e93.vbs

Filesize
706B

MD5
2b0bdba4de63455a49334e4d828f12f2

SHA1
7940b330125d4499afb7761befb65cae3227c375

SHA256
8674fca3049078da740dda4a2791528916fb419f61fe5c8a76fbc97b4ec267a6

SHA512
5aba87b231a66661646e1289346c20ea764175725aad5a3f034d4fc6a141e7a1e88ab8f16cf994ec3db3b2ac42c49b96b1559b47d72e9c0608f54f2fbd16ac31

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c3384aa-ca19-4d04-aa72-7c0f27792925.vbs

Filesize
706B

MD5
2e01f38540b3e99d4c1f3b8053759c44

SHA1
89b32adeacd6bc9d2c4509ac486531684fbb3b84

SHA256
f3900eac7b40b038e7f5b56b96870904394e7695b2da0b3b8c2ac1a51e5c8440

SHA512
1bbbd983b227018c681b4e346d5ef624a4a08ba01fd4973fba5d3fcc19fc020ccdc7c17f865fe7353a2fe841436e174d57b269d25b3b95f88e5596b5758be48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5edfc987bd98fe17c49292bad60a62e8950f292d.exe

Filesize
1.7MB

MD5
6659c17a684b7bfec95a772a1b9f4a81

SHA1
c7c3ab047839e2b3246cedad9677432c13a15628

SHA256
de442e9c4d593d262ad57a024c351e1c12876625b66cce00e545d64799c11b33

SHA512
99df721de02feffd9299ce1886585fc204b21962d5c48f2c8e0e791d0c939c9f4b95607943d52831786d6e6d3a4cb7f894029a3e8ff98e2d28375f8ea3e5eeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b40722e-d506-4080-9491-d18600c1c646.vbs

Filesize
706B

MD5
2d89cdc8d0f1eca3c11a136228f9e545

SHA1
4cdd038e1d2ae883c151be9fe91130d333e60e52

SHA256
1c9253e85046823e4276f0e12361036a16d3563fb74c7cfb32b869ff85b9bbbf

SHA512
353233ea79f6bda0cfe70468bb7809cfd22ec06540146fda871e92b2f6198fd278d609523ee3dc19006f0b26f6fbbd3d5551582715211ace0d445e8a7fc60478

Download Submit
C:\Users\Admin\AppData\Local\Temp\87fa328b-84e0-4b1d-8096-9fff2068e336.vbs

Filesize
706B

MD5
65bf82f36d856aee82b0d3e211708deb

SHA1
ee4570f9488cb1fbc519f56fb94872a5323a0975

SHA256
77757b4c63bf36917329310199c76e8f4f5d2a3f314aaf9374f4f9726359659b

SHA512
25718ee0719a9197f995d8fd51928362f34e48eac01ada9cd6698e02e07d2b4bf5df07afa91b54b2cabfe8d29a3a491c9df01745a89128bec5cc55b70c0502e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8aa999ca-28f3-4ce6-8acb-7d5cb0994f79.vbs

Filesize
706B

MD5
078a8881996be03658f2f6bb899cd828

SHA1
c4235d0cc6b45eafc0bd4839ba300b5829225280

SHA256
3638d42d45c3d70e81523de473f5d8687bb0d04e47886ccf5ee458caf8b67242

SHA512
586b034d48e26e61a443ef35130d082e43de39f4c8416f6188736a356314b727588c410c9af86d387cd1f7a0ecb44c48339e3d4a15b1930fd0578bc0646f91d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c6d2c2e-3bf7-4d0c-8116-5da20e613534.vbs

Filesize
706B

MD5
65ecdcf2e91837c0d8c035fa29f2bbe1

SHA1
fd0a6a39b6be530f117dc8a86654589e2d130cc4

SHA256
d9145162baf11e665ab941c6ca310f1a942a7b8a03996594ff76754963cd973a

SHA512
8e086ebabdc18d454bb75158c65efcd4a8b59a2d3116576e74a53c247d1dff0b489492b65b420103d440a1f593e08f012a3c837de6f48850b0fc4d6632f5e858

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ce1nib4.qlk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae0a03ec-f9a6-4558-ac24-e5c291be9335.vbs

Filesize
706B

MD5
a5057d26411e4db58d87f966499e3476

SHA1
5707a8b014e232e9554ea18aad4f538d14db0365

SHA256
a236b8839d3b40559edd3da8857a97ae396c4c04b1a388ac566d3b1022ea8591

SHA512
581749bd7b1f022f7c8580893afd575b1312f34735d45b8d969028806f3ec636918384b7a0c54a63abb70fda9e1b67be1083ad0a57d0267d62f11dac68f0b722

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd8a4537-353a-449b-93ec-b80bdd5863e4.vbs

Filesize
482B

MD5
813200d6c9254f5ac26ef10b49e946ec

SHA1
2e430f761b0e183c5fe3c16ceee6a8d1908a0310

SHA256
fe3a106cadbab17ad41dd054a4d87e7ffbc1937b1721112d8a4375e9279bd5cd

SHA512
b674f0262056700708cf3482691a58582ce7af3e0fd3d1505de969c4046519a8519edc2865bdb296ee74f9f41138b91613c0d73f6c1f8a55d23559dc9ccc3448

Download Submit
C:\Windows\SchCache\services.exe

Filesize
1.7MB

MD5
008719da0e54ca68379c5744f1cd0f2a

SHA1
45ee867f5bfa4eef691452334d357cb764cc4274

SHA256
46492e2fe17071d0de042a4f09bc351b484c89459a426deb7e259a232af3576f

SHA512
86f5f649f20c27dbf74d77f57cb58b08903ec1b4738549e9f9d651f609398fed827a0d90ed950b95d3b7f2e79e804ddaacf3c238bb09018c317e6c5942ff2668

Download Submit
memory/908-297-0x000002247FE90000-0x000002247FEB2000-memory.dmp

Filesize
136KB

Download
memory/1500-445-0x0000000003180000-0x0000000003192000-memory.dmp

Filesize
72KB

Download
memory/3936-13-0x000000001C0A0000-0x000000001C5C8000-memory.dmp

Filesize
5.2MB

Download
memory/3936-14-0x000000001B460000-0x000000001B46C000-memory.dmp

Filesize
48KB

Download
memory/3936-189-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/3936-23-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/3936-22-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/3936-224-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/3936-16-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/3936-17-0x000000001B610000-0x000000001B618000-memory.dmp

Filesize
32KB

Download
memory/3936-19-0x000000001B630000-0x000000001B63C000-memory.dmp

Filesize
48KB

Download
memory/3936-408-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/3936-1-0x0000000000610000-0x00000000007D0000-memory.dmp

Filesize
1.8MB

Download
memory/3936-18-0x000000001B620000-0x000000001B62C000-memory.dmp

Filesize
48KB

Download
memory/3936-15-0x000000001B5F0000-0x000000001B5FA000-memory.dmp

Filesize
40KB

Download
memory/3936-165-0x00007FFF28EB3000-0x00007FFF28EB5000-memory.dmp

Filesize
8KB

Download
memory/3936-0-0x00007FFF28EB3000-0x00007FFF28EB5000-memory.dmp

Filesize
8KB

Download
memory/3936-12-0x000000001B450000-0x000000001B462000-memory.dmp

Filesize
72KB

Download
memory/3936-10-0x000000001B440000-0x000000001B448000-memory.dmp

Filesize
32KB

Download
memory/3936-9-0x000000001B430000-0x000000001B43C000-memory.dmp

Filesize
48KB

Download
memory/3936-8-0x000000001B420000-0x000000001B430000-memory.dmp

Filesize
64KB

Download
memory/3936-7-0x000000001B400000-0x000000001B416000-memory.dmp

Filesize
88KB

Download
memory/3936-5-0x0000000002900000-0x0000000002908000-memory.dmp

Filesize
32KB

Download
memory/3936-6-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/3936-2-0x00007FFF28EB0000-0x00007FFF29971000-memory.dmp

Filesize
10.8MB

Download
memory/3936-4-0x000000001B580000-0x000000001B5D0000-memory.dmp

Filesize
320KB

Download
memory/3936-3-0x00000000028E0000-0x00000000028FC000-memory.dmp

Filesize
112KB

Download
memory/4236-479-0x000000001B210000-0x000000001B222000-memory.dmp

Filesize
72KB

Download
memory/4948-409-0x000000001BA50000-0x000000001BA62000-memory.dmp

Filesize
72KB

Download