dcrat | 4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2024, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
Size

1.7MB
MD5

9fe8f36d8984b0c20ab3c05e692239d7
SHA1

fb06e1b686d106f94da0b7715b665d91022d57ba
SHA256

4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8
SHA512

f7ded57cf10048307be5f8824eadc58c7bb8574173050cecac82d68ea41899facc444f561f554fd22a239263eb81949da138f67ffb57a888f0c987493ccefd7d
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvQ:OTHUxUoh1IF9gl25

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	628	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	628	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2788-1-0x0000000000FE0000-0x00000000011A0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b87-30.dat	dcrat
behavioral2/files/0x000e000000023c31-111.dat	dcrat
behavioral2/files/0x000c000000023b87-124.dat	dcrat
behavioral2/files/0x000e000000023b9b-195.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4576	powershell.exe
1520	powershell.exe
1492	powershell.exe
4800	powershell.exe
2432	powershell.exe
2888	powershell.exe
1392	powershell.exe
4168	powershell.exe
3884	powershell.exe
2220	powershell.exe
772	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe

Executes dropped EXE 8 IoCs

pid	Process
2568	dwm.exe
3448	dwm.exe
2464	dwm.exe
3636	dwm.exe
4820	dwm.exe
2432	dwm.exe
2860	dwm.exe
1628	dwm.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\sihost.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX98E7.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB1F4.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Program Files\WindowsApps\Mutable\SppExtComObj.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX98E6.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files\Common Files\System\RCX9D02.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files\Common Files\System\dwm.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files\Common Files\Services\winlogon.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Program Files\Common Files\Services\cc11b995f2a76d	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Program Files\Common Files\System\6cb0b6c459d5d3	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\sihost.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB176.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXB842.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Program Files\Common Files\Services\winlogon.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Program Files\Common Files\System\dwm.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\69ddcba757bf72	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files\Common Files\System\RCX9D01.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXB843.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\tracing\upfc.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\55b276f4edf653	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\tracing\upfc.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\Tasks\RCXAEF4.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\L2Schemas\RCXB3F9.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\L2Schemas\sihost.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\tracing\ea1d8f6d871115	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\Boot\Fonts\RuntimeBroker.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RCXAADA.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXB62E.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\L2Schemas\sihost.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\L2Schemas\66fc9ff0ee96c2	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\Tasks\RCXAEF3.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\Tasks\csrss.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\L2Schemas\RCXB3FA.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\appcompat\encapsulation\backgroundTaskHost.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\appcompat\encapsulation\backgroundTaskHost.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\appcompat\encapsulation\eddb19405b7ce1	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\Tasks\csrss.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\Tasks\886983d96e3d3e	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\tracing\RCX9F17.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\tracing\RCX9F18.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RCXAAC9.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXB62D.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3628	schtasks.exe
4092	schtasks.exe
4712	schtasks.exe
1472	schtasks.exe
3768	schtasks.exe
2368	schtasks.exe
3508	schtasks.exe
4520	schtasks.exe
4740	schtasks.exe
4300	schtasks.exe
4688	schtasks.exe
2660	schtasks.exe
4916	schtasks.exe
4328	schtasks.exe
732	schtasks.exe
2172	schtasks.exe
1500	schtasks.exe
3880	schtasks.exe
228	schtasks.exe
4612	schtasks.exe
1920	schtasks.exe
3788	schtasks.exe
2008	schtasks.exe
4532	schtasks.exe
2452	schtasks.exe
1912	schtasks.exe
1828	schtasks.exe
4820	schtasks.exe
4504	schtasks.exe
5092	schtasks.exe
2940	schtasks.exe
4856	schtasks.exe
4160	schtasks.exe
2908	schtasks.exe
4232	schtasks.exe
2856	schtasks.exe
1804	schtasks.exe
1984	schtasks.exe
2412	schtasks.exe
324	schtasks.exe
4476	schtasks.exe
4040	schtasks.exe
2736	schtasks.exe
624	schtasks.exe
3536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
1392	powershell.exe
1392	powershell.exe
772	powershell.exe
772	powershell.exe
2432	powershell.exe
2432	powershell.exe
4168	powershell.exe
4168	powershell.exe
2220	powershell.exe
2220	powershell.exe
1492	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	2568	dwm.exe
Token: SeDebugPrivilege	3448	dwm.exe
Token: SeDebugPrivilege	2464	dwm.exe
Token: SeDebugPrivilege	3636	dwm.exe
Token: SeDebugPrivilege	4820	dwm.exe
Token: SeDebugPrivilege	2432	dwm.exe
Token: SeDebugPrivilege	2860	dwm.exe
Token: SeDebugPrivilege	1628	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 4800	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	132
PID 2788 wrote to memory of 4800	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	132
PID 2788 wrote to memory of 2432	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	133
PID 2788 wrote to memory of 2432	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	133
PID 2788 wrote to memory of 3884	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	134
PID 2788 wrote to memory of 3884	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	134
PID 2788 wrote to memory of 2888	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	135
PID 2788 wrote to memory of 2888	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	135
PID 2788 wrote to memory of 1392	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	136
PID 2788 wrote to memory of 1392	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	136
PID 2788 wrote to memory of 2220	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	137
PID 2788 wrote to memory of 2220	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	137
PID 2788 wrote to memory of 772	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	138
PID 2788 wrote to memory of 772	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	138
PID 2788 wrote to memory of 4168	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	139
PID 2788 wrote to memory of 4168	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	139
PID 2788 wrote to memory of 1492	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	140
PID 2788 wrote to memory of 1492	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	140
PID 2788 wrote to memory of 1520	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	141
PID 2788 wrote to memory of 1520	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	141
PID 2788 wrote to memory of 4576	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	144
PID 2788 wrote to memory of 4576	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	144
PID 2788 wrote to memory of 1828	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	153
PID 2788 wrote to memory of 1828	2788	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	153
PID 1828 wrote to memory of 1992	1828	cmd.exe	156
PID 1828 wrote to memory of 1992	1828	cmd.exe	156
PID 1828 wrote to memory of 2568	1828	cmd.exe	163
PID 1828 wrote to memory of 2568	1828	cmd.exe	163
PID 2568 wrote to memory of 2908	2568	dwm.exe	167
PID 2568 wrote to memory of 2908	2568	dwm.exe	167
PID 2568 wrote to memory of 3508	2568	dwm.exe	168
PID 2568 wrote to memory of 3508	2568	dwm.exe	168
PID 2908 wrote to memory of 3448	2908	WScript.exe	171
PID 2908 wrote to memory of 3448	2908	WScript.exe	171
PID 3448 wrote to memory of 1492	3448	dwm.exe	173
PID 3448 wrote to memory of 1492	3448	dwm.exe	173
PID 3448 wrote to memory of 4468	3448	dwm.exe	174
PID 3448 wrote to memory of 4468	3448	dwm.exe	174
PID 1492 wrote to memory of 2464	1492	WScript.exe	176
PID 1492 wrote to memory of 2464	1492	WScript.exe	176
PID 2464 wrote to memory of 2684	2464	dwm.exe	178
PID 2464 wrote to memory of 2684	2464	dwm.exe	178
PID 2464 wrote to memory of 2728	2464	dwm.exe	179
PID 2464 wrote to memory of 2728	2464	dwm.exe	179
PID 2684 wrote to memory of 3636	2684	WScript.exe	180
PID 2684 wrote to memory of 3636	2684	WScript.exe	180
PID 3636 wrote to memory of 1980	3636	dwm.exe	182
PID 3636 wrote to memory of 1980	3636	dwm.exe	182
PID 3636 wrote to memory of 1368	3636	dwm.exe	183
PID 3636 wrote to memory of 1368	3636	dwm.exe	183
PID 1980 wrote to memory of 4820	1980	WScript.exe	185
PID 1980 wrote to memory of 4820	1980	WScript.exe	185
PID 4820 wrote to memory of 3456	4820	dwm.exe	187
PID 4820 wrote to memory of 3456	4820	dwm.exe	187
PID 4820 wrote to memory of 1012	4820	dwm.exe	188
PID 4820 wrote to memory of 1012	4820	dwm.exe	188
PID 3456 wrote to memory of 2432	3456	WScript.exe	190
PID 3456 wrote to memory of 2432	3456	WScript.exe	190
PID 2432 wrote to memory of 3920	2432	dwm.exe	192
PID 2432 wrote to memory of 3920	2432	dwm.exe	192
PID 2432 wrote to memory of 3032	2432	dwm.exe	193
PID 2432 wrote to memory of 3032	2432	dwm.exe	193
PID 3920 wrote to memory of 2860	3920	WScript.exe	194
PID 3920 wrote to memory of 2860	3920	WScript.exe	194

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
"C:\Users\Admin\AppData\Local\Temp\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4EcyJCEgyq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1992
- - C:\Program Files\Common Files\System\dwm.exe
    "C:\Program Files\Common Files\System\dwm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\532d0f20-53b6-4c69-9644-aed764c58194.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Program Files\Common Files\System\dwm.exe
        
        "C:\Program Files\Common Files\System\dwm.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7b03498-4def-400e-80eb-4655fa9b716d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Program Files\Common Files\System\dwm.exe
        
        "C:\Program Files\Common Files\System\dwm.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4321251-f8db-41dc-b6de-c2ae5261fcec.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Program Files\Common Files\System\dwm.exe
        
        "C:\Program Files\Common Files\System\dwm.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a69e88fb-a4ff-4dd7-81b1-6a28a94c22a9.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Program Files\Common Files\System\dwm.exe
        
        "C:\Program Files\Common Files\System\dwm.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7fbf67f-09da-49c7-af42-ef7fea15ea09.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Program Files\Common Files\System\dwm.exe
        
        "C:\Program Files\Common Files\System\dwm.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41fb7c38-9f1d-444a-b9f6-b3a22c08003d.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Program Files\Common Files\System\dwm.exe
        
        "C:\Program Files\Common Files\System\dwm.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15828e3d-a4e8-40fd-9c20-58386742c107.vbs"
        16⤵
        
        PID:4224
        
        C:\Program Files\Common Files\System\dwm.exe
        
        "C:\Program Files\Common Files\System\dwm.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bbd22ca-d489-44a4-86be-87130cc29d29.vbs"
        18⤵
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dab6d27-5b5c-4196-839b-6556b2e89e4c.vbs"
        18⤵
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81127566-724d-44a4-8636-4c86e1e49140.vbs"
        16⤵
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b4bf4f1-2c3e-432c-824c-e7dc7fd57e68.vbs"
        14⤵
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\217e5caf-7a03-48d8-b7bb-db70d31b5b09.vbs"
        12⤵
        
        PID:1012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6def125b-85f5-4a82-b317-91864884e22b.vbs"
        10⤵
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f57867b-dd27-4a45-82a0-6fcf4c205655.vbs"
        8⤵
        
        PID:2728
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca957fa6-1624-4a5c-a52c-3e61a4810797.vbs"
        6⤵
        
        PID:4468
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9c418b1-57c0-482c-93b4-d26a4bc7d0a1.vbs"
      4⤵
      PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\tracing\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe84" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8" /sc ONLOGON /tr "'C:\Users\Default\Application Data\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe84" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe84" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8" /sc ONLOGON /tr "'C:\Users\All Users\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe84" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\encapsulation\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\encapsulation\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\sihost.exe

Filesize
1.7MB

MD5
5066c117c32d3d25722f5019ac885f31

SHA1
10a8d5d84fe0ee54135ab2d3ef6bdee728321b34

SHA256
5f53ef9c7e19a2126da059b6dd796e110b1ad1950e31abfc24b40b749b19678e

SHA512
35719897c020c34090fe4b79d31e5ef0f2dab7bcc118176ff6c11c7bf94f9ef27ac1807b4da1af47a5705ee3fdd6b7f86176f08230b40be2398eb86c4ece2b8f

Download Submit
C:\Recovery\WindowsRE\Registry.exe

Filesize
1.7MB

MD5
ef8cc4a858498366510b41f61aa7441e

SHA1
d523a513804d039f530ce5a6eee8222b02c9ff26

SHA256
cc138371dbd2d45b9f6197518d2fae27f780caa9ba2332dc1c5acff3cbd98dee

SHA512
ec3c3856039717e8728f7dca470dc7199f33893a73379250c91861b40ac079a2aaae724517274221806c0880373d55db4b05d355e1e25cd033f656db65b86a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\15828e3d-a4e8-40fd-9c20-58386742c107.vbs

Filesize
720B

MD5
6689eddbe331e39f13ef55ec0601efea

SHA1
2cd85658b8c688d2d4053f06d1a69ee4d5885405

SHA256
ddcce336b64214897e3cc4d6397138e4b11f11a1943f0ca64f55c025cdcdd744

SHA512
1a7e9768e7d6095057b7cb27bf7ca8485ec62c88c98314757a3340ee8166457a45f47c0fecf04d3603a8f32031afdc067400f0dd886f009e3f03623042e86e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\41fb7c38-9f1d-444a-b9f6-b3a22c08003d.vbs

Filesize
720B

MD5
afdd87a90cbc1b2e2564f1fc8960f646

SHA1
1191877d21ff218ebdb33b44ae47d9d451411e94

SHA256
1dabf6ebe18db8a1df777ec48a7159554c371620a5d27c918493d33357a97f57

SHA512
465034ce718e0fb60639b8277e6d6886f4b5a973cd5d7a4458b56f2d9d1a3c55f1b0dcd158bb53754c7edf0b86dee88460fe0d1606560175a6b384a59fbb5cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EcyJCEgyq.bat

Filesize
209B

MD5
27caf1985fa31e863adb2e0c84b23928

SHA1
b0bb3ff3389a1c6bf1d1718a581af67c6a88e621

SHA256
5ebfe94f90d87b027ec1f2e770709637e617d8556fd8e6acea39eb1714495868

SHA512
4f56f9118971d8e90bc3e4366bf73c83c7683a2acd0fc2e6257960ebaeb04c65471de1c1fd4f3a16f50325077a5d79231bd1455cf5d87c639cc858ab97ce9598

Download Submit
C:\Users\Admin\AppData\Local\Temp\532d0f20-53b6-4c69-9644-aed764c58194.vbs

Filesize
720B

MD5
0b3cac22defa1cead73a4abe09b98437

SHA1
08509ccea6e7b234d53a97f820c6060705ff48e3

SHA256
024da47d7302dc5194a5d9b1ad833a08a0b2b47875c754cf1f20e4077a0a7607

SHA512
f165fa1bb02399024ab87a766a11ef9ebe90d6f561a3513086ef64783ccb91a4aa95188fd3e90484ace8db3c462f3bad9d722e535225f85ccb587930c7a5d80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bbd22ca-d489-44a4-86be-87130cc29d29.vbs

Filesize
720B

MD5
44446ef9e9a509badf9582896ea5c1c9

SHA1
9a02340d8709c20e6232f9a12be1a284b759371d

SHA256
4dc7579cf29d4ef30ac2ee4972aeec87660ecc43fc8b049169e6eae5716b388b

SHA512
b6d1e940a4e640131336a5a54c7d214de920f289df2d83fc96ab55e8c2f6cd1008ae3ae4d8501db85c160ade821cebe804f8ab67a8fd4c689e1cfb0ccb984c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3nyuve1.nlr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a69e88fb-a4ff-4dd7-81b1-6a28a94c22a9.vbs

Filesize
720B

MD5
629ccfaa6ef6ee395ff659090e426011

SHA1
095251b41727e204e4083e4450109ad14358ceda

SHA256
587b427e7846204de52448022d8129fa1e181d054179bf10377c17430719f612

SHA512
5f6d13a37b0c641176a494f6e8dad2cd7c1d430129e41a52ead380f9ee6f804126dfe7c5b55e45a382d4802473bec0a0c3d2ed65085e5b5d50c625348bbf860f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9c418b1-57c0-482c-93b4-d26a4bc7d0a1.vbs

Filesize
496B

MD5
f05316913f3b31d1f19ebd1b996b8d87

SHA1
a3fde79b5206dd6e31cffc04de131830c86ed41d

SHA256
316e8a999687e84f8420087c27489d524d1696dceebe0047a260dc076a4574c6

SHA512
eb223cba24ad049806d408999d8698f39b317bb8fd7702e29c04f2c28de4813bba968f16c3f5b95c741f3b7bfda4c4e3bc24d6879074840c5ce9366f943a7861

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7b03498-4def-400e-80eb-4655fa9b716d.vbs

Filesize
720B

MD5
2467d05ec54869d0b2cb9cc7e6498ef8

SHA1
83d0f9e2b0025574a3784ae5932c15018729a77f

SHA256
0f135b21f486138c2eb61207b182d1a4114fec8e709f77e7bc01eb79c230235a

SHA512
3dd7fde67ee50d82d4ba4fd25a1831426238caa18393b7d36bab0dc20a71b29c1a1c2a917ebc880870cd371fc355332e3c5b629b18bc6a04bb5b8e42a430527d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7fbf67f-09da-49c7-af42-ef7fea15ea09.vbs

Filesize
720B

MD5
454f672d8db3abaa923c7bb6ae97b07a

SHA1
d2248a1102562eadff959e729c1194399e20798f

SHA256
ec667fcd3e27849ef12d2db44474316b052f6195632d744f9f0d111055555257

SHA512
bdf32e4740692ddc68847637992da55cb0fae5f08694571fc7c9dcde387afe774baa96a1140dcca6847f5692d0c21d64e9f6ab59b5371597d56ad37a565c07f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4321251-f8db-41dc-b6de-c2ae5261fcec.vbs

Filesize
720B

MD5
09aa654d9dae560fb6335ff0188ebba5

SHA1
0d89392de29488de67cc7f8ebf40aad58b92ea87

SHA256
a6b018213b380d23ecec9a751e6151bcf837ddc4266ed19ef0e4288c6438ee6a

SHA512
868175e83aceafd0ce18f027f52b24832c0270d90c3891d93c23aea73c0877afc349d0730e62c3fa24a8f63342d01fb280114871653ce07766aa1efa3909cf07

Download Submit
C:\Users\Default\AppData\Roaming\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe

Filesize
1.7MB

MD5
9fe8f36d8984b0c20ab3c05e692239d7

SHA1
fb06e1b686d106f94da0b7715b665d91022d57ba

SHA256
4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8

SHA512
f7ded57cf10048307be5f8824eadc58c7bb8574173050cecac82d68ea41899facc444f561f554fd22a239263eb81949da138f67ffb57a888f0c987493ccefd7d

Download Submit
C:\Users\Default\AppData\Roaming\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe

Filesize
1.7MB

MD5
db2ab4a40a9666ecaa2ce811d9b0335d

SHA1
e0f92b65aaff1ab7aa695cfece0fdab613d3842a

SHA256
4bda29aedef7c725023742cd65522048847b5e0b55250bf4616645ba7d7ddc07

SHA512
48943f6c31820abfb9469a1801de0a8d786e71556526b24e50fa7b0e1ee7ecdf5d2f149863e60e7b22a23be7a89f0800e154e5617977b0f40fd8467c6bb6550c

Download Submit
memory/1492-243-0x000001FC72DF0000-0x000001FC72E12000-memory.dmp

Filesize
136KB

Download
memory/2788-13-0x000000001C9F0000-0x000000001CF18000-memory.dmp

Filesize
5.2MB

Download
memory/2788-14-0x000000001C4C0000-0x000000001C4CC000-memory.dmp

Filesize
48KB

Download
memory/2788-139-0x00007FFD6D783000-0x00007FFD6D785000-memory.dmp

Filesize
8KB

Download
memory/2788-151-0x00007FFD6D780000-0x00007FFD6E241000-memory.dmp

Filesize
10.8MB

Download
memory/2788-22-0x00007FFD6D780000-0x00007FFD6E241000-memory.dmp

Filesize
10.8MB

Download
memory/2788-198-0x00007FFD6D780000-0x00007FFD6E241000-memory.dmp

Filesize
10.8MB

Download
memory/2788-223-0x00007FFD6D780000-0x00007FFD6E241000-memory.dmp

Filesize
10.8MB

Download
memory/2788-242-0x00007FFD6D780000-0x00007FFD6E241000-memory.dmp

Filesize
10.8MB

Download
memory/2788-19-0x000000001C710000-0x000000001C71C000-memory.dmp

Filesize
48KB

Download
memory/2788-15-0x000000001C5D0000-0x000000001C5DA000-memory.dmp

Filesize
40KB

Download
memory/2788-17-0x000000001C5F0000-0x000000001C5F8000-memory.dmp

Filesize
32KB

Download
memory/2788-18-0x000000001C700000-0x000000001C70C000-memory.dmp

Filesize
48KB

Download
memory/2788-16-0x000000001C5E0000-0x000000001C5EE000-memory.dmp

Filesize
56KB

Download
memory/2788-23-0x00007FFD6D780000-0x00007FFD6E241000-memory.dmp

Filesize
10.8MB

Download
memory/2788-0-0x00007FFD6D783000-0x00007FFD6D785000-memory.dmp

Filesize
8KB

Download
memory/2788-12-0x000000001BE20000-0x000000001BE32000-memory.dmp

Filesize
72KB

Download
memory/2788-10-0x000000001BE10000-0x000000001BE18000-memory.dmp

Filesize
32KB

Download
memory/2788-9-0x000000001BE00000-0x000000001BE0C000-memory.dmp

Filesize
48KB

Download
memory/2788-8-0x000000001BDF0000-0x000000001BE00000-memory.dmp

Filesize
64KB

Download
memory/2788-7-0x00000000033F0000-0x0000000003406000-memory.dmp

Filesize
88KB

Download
memory/2788-4-0x000000001C470000-0x000000001C4C0000-memory.dmp

Filesize
320KB

Download
memory/2788-5-0x00000000033D0000-0x00000000033D8000-memory.dmp

Filesize
32KB

Download
memory/2788-6-0x00000000033E0000-0x00000000033F0000-memory.dmp

Filesize
64KB

Download
memory/2788-3-0x00000000033B0000-0x00000000033CC000-memory.dmp

Filesize
112KB

Download
memory/2788-2-0x00007FFD6D780000-0x00007FFD6E241000-memory.dmp

Filesize
10.8MB

Download
memory/2788-1-0x0000000000FE0000-0x00000000011A0000-memory.dmp

Filesize
1.8MB

Download