dcrat | daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
Size

1.7MB
MD5

9c9f667755228a71dfa3a01557768ec8
SHA1

c6e0a94e9aff6428a253b20ebc888b8337baadf2
SHA256

daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d
SHA512

744754a61e279983e9186924c3ff02ec345e2d87e53bf63bc10b042f54ba18f4a23124a6a67b9bb5c3c40af431ad53160d766426311e217e6f523293bae3732a
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3988	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	3988	schtasks.exe	82

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5040-1-0x0000000000120000-0x00000000002E0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cb8-30.dat	dcrat
behavioral2/files/0x0009000000023cde-65.dat	dcrat
behavioral2/files/0x0008000000023cb2-89.dat	dcrat
behavioral2/files/0x0009000000023cb2-99.dat	dcrat
behavioral2/files/0x000d000000023cb5-134.dat	dcrat
behavioral2/files/0x000400000001e754-158.dat	dcrat
behavioral2/files/0x0008000000023cca-181.dat	dcrat
behavioral2/files/0x000a000000023ccc-205.dat	dcrat
behavioral2/memory/5032-393-0x0000000000F10000-0x00000000010D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3736	powershell.exe
4888	powershell.exe
3992	powershell.exe
3884	powershell.exe
5084	powershell.exe
828	powershell.exe
2376	powershell.exe
3636	powershell.exe
4008	powershell.exe
3860	powershell.exe
5116	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 9 IoCs

pid	Process
5032	unsecapp.exe
3136	unsecapp.exe
1464	unsecapp.exe
1316	unsecapp.exe
1056	unsecapp.exe
640	unsecapp.exe
3136	unsecapp.exe
2884	unsecapp.exe
3280	unsecapp.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD6F3.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files\ModifiableWindowsApps\fontdrvhost.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\SearchApp.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCXBC6E.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXC5DC.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD675.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\fontdrvhost.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXD461.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\RCXDB2D.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\56085415360792	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\38384e6a620884	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\SearchApp.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files\WindowsPowerShell\fontdrvhost.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCXBC8E.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXD460.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\RCXDB2C.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files\WindowsPowerShell\5b884080fd4f94	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\886983d96e3d3e	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXC5DD.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PLA\System\unsecapp.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Windows\PLA\System\unsecapp.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Windows\PLA\System\29c1c3cc0f7685	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Windows\PLA\System\RCXB99D.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Windows\PLA\System\RCXBA6A.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
232	schtasks.exe
3044	schtasks.exe
3060	schtasks.exe
3548	schtasks.exe
1080	schtasks.exe
4072	schtasks.exe
560	schtasks.exe
5032	schtasks.exe
3668	schtasks.exe
2064	schtasks.exe
3296	schtasks.exe
224	schtasks.exe
488	schtasks.exe
1368	schtasks.exe
3868	schtasks.exe
3908	schtasks.exe
4540	schtasks.exe
2936	schtasks.exe
4560	schtasks.exe
3892	schtasks.exe
220	schtasks.exe
1132	schtasks.exe
2268	schtasks.exe
2960	schtasks.exe
5016	schtasks.exe
3340	schtasks.exe
3408	schtasks.exe
3056	schtasks.exe
2156	schtasks.exe
5084	schtasks.exe
4212	schtasks.exe
3584	schtasks.exe
3444	schtasks.exe
3100	schtasks.exe
708	schtasks.exe
2124	schtasks.exe
1276	schtasks.exe
4696	schtasks.exe
1148	schtasks.exe
4296	schtasks.exe
1468	schtasks.exe
4372	schtasks.exe
4964	schtasks.exe
1980	schtasks.exe
464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
3860	powershell.exe
3860	powershell.exe
3636	powershell.exe
3636	powershell.exe
4888	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	5032	unsecapp.exe
Token: SeDebugPrivilege	3136	unsecapp.exe
Token: SeDebugPrivilege	1464	unsecapp.exe
Token: SeDebugPrivilege	1316	unsecapp.exe
Token: SeDebugPrivilege	640	unsecapp.exe
Token: SeDebugPrivilege	3136	unsecapp.exe
Token: SeDebugPrivilege	2884	unsecapp.exe
Token: SeDebugPrivilege	3280	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2376	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	131
PID 5040 wrote to memory of 2376	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	131
PID 5040 wrote to memory of 5116	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	132
PID 5040 wrote to memory of 5116	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	132
PID 5040 wrote to memory of 3860	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	133
PID 5040 wrote to memory of 3860	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	133
PID 5040 wrote to memory of 4888	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	134
PID 5040 wrote to memory of 4888	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	134
PID 5040 wrote to memory of 3736	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	135
PID 5040 wrote to memory of 3736	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	135
PID 5040 wrote to memory of 828	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	136
PID 5040 wrote to memory of 828	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	136
PID 5040 wrote to memory of 4008	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	137
PID 5040 wrote to memory of 4008	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	137
PID 5040 wrote to memory of 5084	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	138
PID 5040 wrote to memory of 5084	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	138
PID 5040 wrote to memory of 3884	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	139
PID 5040 wrote to memory of 3884	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	139
PID 5040 wrote to memory of 3636	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	140
PID 5040 wrote to memory of 3636	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	140
PID 5040 wrote to memory of 3992	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	141
PID 5040 wrote to memory of 3992	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	141
PID 5040 wrote to memory of 5032	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	153
PID 5040 wrote to memory of 5032	5040	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	153
PID 5032 wrote to memory of 4360	5032	unsecapp.exe	155
PID 5032 wrote to memory of 4360	5032	unsecapp.exe	155
PID 5032 wrote to memory of 3828	5032	unsecapp.exe	156
PID 5032 wrote to memory of 3828	5032	unsecapp.exe	156
PID 4360 wrote to memory of 3136	4360	WScript.exe	160
PID 4360 wrote to memory of 3136	4360	WScript.exe	160
PID 3136 wrote to memory of 1456	3136	unsecapp.exe	161
PID 3136 wrote to memory of 1456	3136	unsecapp.exe	161
PID 3136 wrote to memory of 1436	3136	unsecapp.exe	162
PID 3136 wrote to memory of 1436	3136	unsecapp.exe	162
PID 1456 wrote to memory of 1464	1456	WScript.exe	164
PID 1456 wrote to memory of 1464	1456	WScript.exe	164
PID 1464 wrote to memory of 1120	1464	unsecapp.exe	165
PID 1464 wrote to memory of 1120	1464	unsecapp.exe	165
PID 1464 wrote to memory of 652	1464	unsecapp.exe	166
PID 1464 wrote to memory of 652	1464	unsecapp.exe	166
PID 1120 wrote to memory of 1316	1120	WScript.exe	167
PID 1120 wrote to memory of 1316	1120	WScript.exe	167
PID 1316 wrote to memory of 1564	1316	unsecapp.exe	168
PID 1316 wrote to memory of 1564	1316	unsecapp.exe	168
PID 1316 wrote to memory of 632	1316	unsecapp.exe	169
PID 1316 wrote to memory of 632	1316	unsecapp.exe	169
PID 1564 wrote to memory of 1056	1564	WScript.exe	170
PID 1564 wrote to memory of 1056	1564	WScript.exe	170
PID 3664 wrote to memory of 640	3664	WScript.exe	173
PID 3664 wrote to memory of 640	3664	WScript.exe	173
PID 640 wrote to memory of 4512	640	unsecapp.exe	174
PID 640 wrote to memory of 4512	640	unsecapp.exe	174
PID 640 wrote to memory of 2224	640	unsecapp.exe	175
PID 640 wrote to memory of 2224	640	unsecapp.exe	175
PID 4512 wrote to memory of 3136	4512	WScript.exe	176
PID 4512 wrote to memory of 3136	4512	WScript.exe	176
PID 3136 wrote to memory of 376	3136	unsecapp.exe	177
PID 3136 wrote to memory of 376	3136	unsecapp.exe	177
PID 3136 wrote to memory of 4584	3136	unsecapp.exe	178
PID 3136 wrote to memory of 4584	3136	unsecapp.exe	178
PID 376 wrote to memory of 2884	376	WScript.exe	179
PID 376 wrote to memory of 2884	376	WScript.exe	179
PID 2884 wrote to memory of 1368	2884	unsecapp.exe	180
PID 2884 wrote to memory of 1368	2884	unsecapp.exe	180

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
"C:\Users\Admin\AppData\Local\Temp\daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\PLA\System\unsecapp.exe
  "C:\Windows\PLA\System\unsecapp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d712c417-eb57-4ec7-baa3-b8156212e061.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\PLA\System\unsecapp.exe
      C:\Windows\PLA\System\unsecapp.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc9aa19b-bb57-428a-b9a7-01e47bd9c79d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\PLA\System\unsecapp.exe
        
        C:\Windows\PLA\System\unsecapp.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\323e5bb8-e355-4384-a81f-f2a7d310823e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\PLA\System\unsecapp.exe
        
        C:\Windows\PLA\System\unsecapp.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae9ee9d4-0488-43ae-a95d-e26f455b1f14.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\PLA\System\unsecapp.exe
        
        C:\Windows\PLA\System\unsecapp.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa4ddc80-5f23-449f-8ec6-a6487b5ca1f6.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\PLA\System\unsecapp.exe
        
        C:\Windows\PLA\System\unsecapp.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f76d0c6a-ff56-4557-a713-9862a6e3344d.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\PLA\System\unsecapp.exe
        
        C:\Windows\PLA\System\unsecapp.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32fb40e2-95a6-41f1-a0b1-9c1ed34837db.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\PLA\System\unsecapp.exe
        
        C:\Windows\PLA\System\unsecapp.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\174fc4ea-db7c-4236-b797-9563326301f3.vbs"
        17⤵
        
        PID:1368
        
        C:\Windows\PLA\System\unsecapp.exe
        
        C:\Windows\PLA\System\unsecapp.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90858d47-60e6-42aa-9e85-0894523d7618.vbs"
        19⤵
        
        PID:5080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0facaba5-c123-4ab4-abc3-9a025d293cfe.vbs"
        19⤵
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3918dcd0-f98b-45ff-9458-4f6cd868ef32.vbs"
        17⤵
        
        PID:3872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\844e3b23-80ca-432b-a3ab-0f0b9e7ef50d.vbs"
        15⤵
        
        PID:4584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c235014-0b36-4f99-a0cc-db9ec02ff2d8.vbs"
        13⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3202d16-6ccd-4a45-b1d3-82eca806c054.vbs"
        11⤵
        
        PID:4740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5a74d2e-d816-4999-a0e3-22e982f78ed4.vbs"
        9⤵
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68492141-e101-4014-b656-705dac01a4c6.vbs"
        7⤵
        
        PID:652
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\619b61e3-971e-4233-a0f2-0b2b44a42dad.vbs"
        5⤵
        
        PID:1436
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac6812a5-d0cc-4d00-a6c2-6a99a2770806.vbs"
    3⤵
    PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\System\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\PLA\System\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\System\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe

Filesize
1.7MB

MD5
926cc749e39ca173d38c691ab8f9dc8f

SHA1
fdef5ca4ff5acd45cc147327defc06ccd42a190c

SHA256
070c3125cc76faf70bd426fa4a4cfce72ee90388e8e20cee53c37c45f5ec5b36

SHA512
a55facaa6db5b9efc96f5873d1a4fcbea669e71f70c7f4998f9d6be72fa4f5a61d8f9cc9331977032fef4373def2d246eaac9c4b2778cb49a3110030042a7fca

Download Submit
C:\ProgramData\unsecapp.exe

Filesize
1.7MB

MD5
c2533d9f6f8bf476c8ea276d2f01f57e

SHA1
f79169d42fa212c56cbbcd2ea9ff251db16ef96a

SHA256
1b21bd1def16d87f446b835dd4afcaf5fed26b715adb64ba21e323f5820f3351

SHA512
e59d3cd612690572d06a6d5ff3586867d5c23fd5ed48efb6a79797d580e387359e09c30a51994deaa1d4de782959a7eb030dd4b6a0bb5129677e288a209c44f5

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.7MB

MD5
e3cc52960f1b9554e388b9ae9fcd8ea1

SHA1
a3c9e13ef62a12ce073767c5afc21fc02c97fedf

SHA256
8bdb5a0145c7c3d9d8746ed6167376e1d391af43279c9ab1db15cd2040e614bd

SHA512
fe53d5c5f0999c20fc9b9a3fb86d52db66d3b309b03e38828e3585db9035d700560cd4212b76f44f6d5573bd46fa4fabb82e6b4de470a5f2d01892b0e46d6a6b

Download Submit
C:\Recovery\WindowsRE\RCXBF50.tmp

Filesize
1.7MB

MD5
d898b121de3ea3a6feebf56344b8ed93

SHA1
f8c75b34578e738c6d1c959c185fdfa3dd3c915b

SHA256
069eb419198a0ec15af27309f6c04f3ce271fe965f62600301fa073bf23ab781

SHA512
aa9934579a967ef2184b67a79c18c59ff0efa4f612bac0d88d6750876614ee9e2921ede352723e2b2fa1f04aeab599387804066fb77c8d3721754b8c23a22224

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.7MB

MD5
c01c4e70934d2b2b7440adecfc977850

SHA1
5b92804b274708363318bebc52332455d33960bf

SHA256
a286a5eee6f3f90b60f2dae8b4646e0f698bb4d60a4069e0ff6c28f2aeff0979

SHA512
9cd1be93d0c1847a401c5a85e0e0be48ccc2a51083c99f0f8cdbd81594da55230b4e318455c77fb0988866edd7da0662eccd14e29e9886cb6884a206e1b163c8

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.7MB

MD5
9c9f667755228a71dfa3a01557768ec8

SHA1
c6e0a94e9aff6428a253b20ebc888b8337baadf2

SHA256
daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d

SHA512
744754a61e279983e9186924c3ff02ec345e2d87e53bf63bc10b042f54ba18f4a23124a6a67b9bb5c3c40af431ad53160d766426311e217e6f523293bae3732a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\174fc4ea-db7c-4236-b797-9563326301f3.vbs

Filesize
710B

MD5
e3f709d399b37e82b9c052ab047d0997

SHA1
f2ed4252bf166e60fbf71de2f4ed575d19f88831

SHA256
746e469e64ae12af5e0fa7c16be879aeb804958465ce513f10e5f4e7d9aa5e3b

SHA512
51c0cecc6a8710c9c25b92aae0106135b98df6937bfc4055ebb7d7ec9d79727fd066b75a4a7a44043d1f7d642cbad4e83b7386e223ab42ce8d9aca40eba62ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\323e5bb8-e355-4384-a81f-f2a7d310823e.vbs

Filesize
710B

MD5
abba02e0e72cbf46f407b9242746d060

SHA1
764e4c2053a8d441cde80c92448dea70ad481cde

SHA256
aed76d49f1f1bcf1559fd377c43a75b5c403aec03afd05741d8915555d6bcdfe

SHA512
f3ac9cad82526450ea4a8fc59a9c31786d6b6fcea3794300634cfe28b85a84815e7ad10f79ecba4fe72614fd5fe8047b0e8eb91c212f8c963589c9dbeb96c24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\90858d47-60e6-42aa-9e85-0894523d7618.vbs

Filesize
710B

MD5
df68a1068b10f951dd41ea5211fa2b62

SHA1
e0bd865114872fcb9d555de06364a97a0c4d2881

SHA256
9c64250e3bc35cb462deedb036adde6956c64da451a333e459d5921210ab232f

SHA512
ef2c770a072766e3022039844277c060fc233d6b11ad623160092dd69f00a1a9047d1ab495ddfb02fac8c7b03d6e2217c7c4905ab07c360cd92b5c6acfc554bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h0pli2n1.z0e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac6812a5-d0cc-4d00-a6c2-6a99a2770806.vbs

Filesize
486B

MD5
cd5aecbb3ca4137d09bb6591818db4cb

SHA1
b59b40c2f60b33fdffa2e2e8730812fed68daca6

SHA256
f562e63eeb0320068384de30138284a9a90a5209e9700ee3e3bc86629de27a7e

SHA512
0c843d5bcfd981eeb6a1fda1760b9b9a9178a3b7331e877c0856504fb4da24a2295a650172e3206a91507df7acfa4a5f44237be5ad7665e2409a256e0939c80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae9ee9d4-0488-43ae-a95d-e26f455b1f14.vbs

Filesize
710B

MD5
a10859bcf69ef97993b7f2384812e73e

SHA1
2eb1376f5ff280f3686fe4331d6e920f4513aaf4

SHA256
845a8ee4ea97a357143f047b4cc03c190bf3645946470eb0cf247610ebff86d4

SHA512
3b32c82533bed0b6d163fad05c48ca0f93582ca05d74f7fb88479665973e327b7a5c58c54cc9e4f0d6548af5563a7d7945c7a9c805e5c8443966c6f73f9b593b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc9aa19b-bb57-428a-b9a7-01e47bd9c79d.vbs

Filesize
710B

MD5
79a38247bd10b93bf969506233ff97ba

SHA1
f785ad36a058d1dcf4d52535bcf4efe147455d77

SHA256
734a5a4357504af0bb452014d75179c3aa7b88c52c921b7dcf0f4a1959c01933

SHA512
44509c2fad9827a5b398cf3099024b102c3ee150f748998dab68e2c12b1ce817e0ba04ebcf666027492ad662f5422bc063e93e94dfaef06196049562fce7f516

Download Submit
C:\Users\Admin\AppData\Local\Temp\d712c417-eb57-4ec7-baa3-b8156212e061.vbs

Filesize
710B

MD5
8e31e578d772009177c586e266e85ac7

SHA1
6c29ce2c5ea2ccaa5b459e3e2e13271926807d78

SHA256
b86290be7c38b434a9df7a3b838ef23a8ddbab27b668cc9d8fd732b998d79255

SHA512
50b2aeb5e08f25f54d41ea2d368d0bdb642bfbefe47c00e64c023873bd844070c1795af980d9e203653660254e7cf7844d299999e15e7582341f89565d5a5d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\f76d0c6a-ff56-4557-a713-9862a6e3344d.vbs

Filesize
709B

MD5
4628020eb14dd2d0c19ffd55feeb4fe1

SHA1
372ac4a0e8cd3a704549aad199132cdf2943d89f

SHA256
d81cf178a43223ddc3d755a6ffc04bbc50bde4c1b96a1fb58ff3c1558305d665

SHA512
01da30aa20f3a976e4a8bb7dd290b9950faacb226a10697d215a814bdcca34dea4ba76488556f5c0152964664842504641bfdba4c3edb0293cebeeefe7229464

Download Submit
C:\Users\Public\RuntimeBroker.exe

Filesize
1.7MB

MD5
2daba852f5d9b1b6b286aac7be896181

SHA1
c6232d103e67a36951dceb83e9deb46eade13449

SHA256
6bb14b1fc1ca04d9572aee9fe9aa62f623f02bdf1a6e49270438fa736a379caf

SHA512
c072eb4b2fe45efaaebf3f81267da3e31705effad844e0aaa3555f66ea6c35c6322387329e2429a9d3216c5f30fb854350335e9f66cf5e0020b045bef368ce2d

Download Submit
C:\Windows\PLA\System\unsecapp.exe

Filesize
1.7MB

MD5
8f73aa26e4dedec274bfd5a92649c99c

SHA1
59b20140e5efcf99cbc40ce12158931a337184e8

SHA256
c2a039b9898f12907d7b9949af2803b1a6092a0a909a53aecedd8b335a6d9cd0

SHA512
0677f001003580b716d186824a4d8526caea308720e38c88a96ddf46b9e7b5a7ca2072073229313b0d0c19e1fddd2466cd629c0d7d4daaa1046a0cff8c185573

Download Submit
memory/1316-454-0x000000001B740000-0x000000001B752000-memory.dmp

Filesize
72KB

Download
memory/1464-442-0x000000001B2E0000-0x000000001B2F2000-memory.dmp

Filesize
72KB

Download
memory/3136-430-0x000000001BC20000-0x000000001BC32000-memory.dmp

Filesize
72KB

Download
memory/3860-297-0x0000027DAF520000-0x0000027DAF542000-memory.dmp

Filesize
136KB

Download
memory/5032-393-0x0000000000F10000-0x00000000010D0000-memory.dmp

Filesize
1.8MB

Download
memory/5040-14-0x000000001AFD0000-0x000000001AFDC000-memory.dmp

Filesize
48KB

Download
memory/5040-10-0x000000001AF60000-0x000000001AF68000-memory.dmp

Filesize
32KB

Download
memory/5040-20-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/5040-15-0x000000001B710000-0x000000001B71A000-memory.dmp

Filesize
40KB

Download
memory/5040-184-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/5040-394-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/5040-16-0x000000001B720000-0x000000001B72E000-memory.dmp

Filesize
56KB

Download
memory/5040-17-0x000000001B730000-0x000000001B738000-memory.dmp

Filesize
32KB

Download
memory/5040-19-0x000000001B890000-0x000000001B89C000-memory.dmp

Filesize
48KB

Download
memory/5040-18-0x000000001B840000-0x000000001B84C000-memory.dmp

Filesize
48KB

Download
memory/5040-23-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/5040-13-0x000000001BB40000-0x000000001C068000-memory.dmp

Filesize
5.2MB

Download
memory/5040-12-0x000000001AFC0000-0x000000001AFD2000-memory.dmp

Filesize
72KB

Download
memory/5040-208-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/5040-9-0x000000001AF50000-0x000000001AF5C000-memory.dmp

Filesize
48KB

Download
memory/5040-8-0x000000001AF40000-0x000000001AF50000-memory.dmp

Filesize
64KB

Download
memory/5040-7-0x000000001AF20000-0x000000001AF36000-memory.dmp

Filesize
88KB

Download
memory/5040-172-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/5040-5-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/5040-0-0x00007FFDEED13000-0x00007FFDEED15000-memory.dmp

Filesize
8KB

Download
memory/5040-6-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/5040-149-0x00007FFDEED13000-0x00007FFDEED15000-memory.dmp

Filesize
8KB

Download
memory/5040-4-0x000000001AF70000-0x000000001AFC0000-memory.dmp

Filesize
320KB

Download
memory/5040-3-0x000000001AF00000-0x000000001AF1C000-memory.dmp

Filesize
112KB

Download
memory/5040-2-0x00007FFDEED10000-0x00007FFDEF7D1000-memory.dmp

Filesize
10.8MB

Download
memory/5040-1-0x0000000000120000-0x00000000002E0000-memory.dmp

Filesize
1.8MB

Download