dcrat | 5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
Size

1.7MB
MD5

75ce4f3a70e6599ce055bca35feed7f0
SHA1

6520f50d5d1c3b26e42cf761d1df884e1ce7b1bb
SHA256

5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925
SHA512

78ef4b4a59b0a21c7daacc3711e4bd323b5f318d90d7f106f46238ed55c40f92267c8a0edf68084fbe5daa30287e59f01f9a9d502524c678bc68051fa2b0abdb
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2016	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2016	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1184-1-0x0000000000750000-0x0000000000910000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c14-30.dat	dcrat
behavioral2/files/0x0012000000023c11-198.dat	dcrat
behavioral2/files/0x0009000000023c59-211.dat	dcrat
behavioral2/files/0x000a000000023c62-258.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3460	powershell.exe
2180	powershell.exe
4812	powershell.exe
1444	powershell.exe
1248	powershell.exe
2604	powershell.exe
4920	powershell.exe
2940	powershell.exe
1400	powershell.exe
3436	powershell.exe
840	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 7 IoCs

pid	Process
3632	sysmon.exe
4536	sysmon.exe
3756	sysmon.exe
1904	sysmon.exe
2908	sysmon.exe
1236	sysmon.exe
876	sysmon.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\sppsvc.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\VideoLAN\RuntimeBroker.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXA9C2.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Mail\dllhost.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\ad1a47d736186a	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\VideoLAN\9e8d7a4ca61bd9	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Media Player\wininit.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCX97CF.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Mail\RCXB844.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files (x86)\Microsoft.NET\sppsvc.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\VideoLAN\RuntimeBroker.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Media Player\56085415360792	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Photo Viewer\e1ef82546f0b02	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXA0FF.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Mail\RCXB845.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\VideoLAN\RCXA597.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Mail\121e5b5079f7c0	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Mail\dllhost.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Photo Viewer\SppExtComObj.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Mail\5940a34987c991	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCX97E0.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Mail\RCX9C09.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Mail\RCX9C0A.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Mail\sysmon.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXA100.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\VideoLAN\RCXA598.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Mail\sysmon.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXBB45.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files (x86)\Microsoft.NET\0a1fd5f707cd16	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXA9C1.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Media Player\wininit.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXBAC7.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\SppExtComObj.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\121e5b5079f7c0	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXA382.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXA383.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\Registry.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Provisioning\RCX99E4.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Windows\Provisioning\spoolsv.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Windows\Fonts\SearchApp.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Windows\Fonts\38384e6a620884	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Provisioning\RCX9A05.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXB62F.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Offline Web Pages\Registry.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Windows\Provisioning\f3b6ecef712a24	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Fonts\RCX9EEB.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Fonts\SearchApp.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXB630.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Windows\WaaS\services\RuntimeBroker.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Provisioning\spoolsv.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Fonts\RCX9ECA.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Windows\Offline Web Pages\ee2ad38f3d4382	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1604	schtasks.exe
4036	schtasks.exe
32	schtasks.exe
3664	schtasks.exe
1044	schtasks.exe
1728	schtasks.exe
1348	schtasks.exe
4704	schtasks.exe
548	schtasks.exe
2360	schtasks.exe
656	schtasks.exe
3928	schtasks.exe
3412	schtasks.exe
4620	schtasks.exe
3904	schtasks.exe
4624	schtasks.exe
2720	schtasks.exe
844	schtasks.exe
4760	schtasks.exe
3980	schtasks.exe
1100	schtasks.exe
1572	schtasks.exe
836	schtasks.exe
1248	schtasks.exe
1492	schtasks.exe
4884	schtasks.exe
2356	schtasks.exe
1936	schtasks.exe
3944	schtasks.exe
700	schtasks.exe
1944	schtasks.exe
4976	schtasks.exe
4872	schtasks.exe
3684	schtasks.exe
2496	schtasks.exe
3268	schtasks.exe
2884	schtasks.exe
456	schtasks.exe
3548	schtasks.exe
3096	schtasks.exe
1312	schtasks.exe
1912	schtasks.exe
2152	schtasks.exe
1840	schtasks.exe
2372	schtasks.exe
2616	schtasks.exe
1060	schtasks.exe
640	schtasks.exe
2624	schtasks.exe
1724	schtasks.exe
5080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2180	powershell.exe
1444	powershell.exe
1444	powershell.exe
2180	powershell.exe
1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
4812	powershell.exe
4812	powershell.exe
3460	powershell.exe
3460	powershell.exe
1400	powershell.exe
1400	powershell.exe
840	powershell.exe
840	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	3632	sysmon.exe
Token: SeDebugPrivilege	4536	sysmon.exe
Token: SeDebugPrivilege	3756	sysmon.exe
Token: SeDebugPrivilege	1904	sysmon.exe
Token: SeDebugPrivilege	2908	sysmon.exe
Token: SeDebugPrivilege	1236	sysmon.exe
Token: SeDebugPrivilege	876	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2940	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	135
PID 1184 wrote to memory of 2940	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	135
PID 1184 wrote to memory of 3460	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	136
PID 1184 wrote to memory of 3460	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	136
PID 1184 wrote to memory of 2180	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	137
PID 1184 wrote to memory of 2180	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	137
PID 1184 wrote to memory of 4812	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	138
PID 1184 wrote to memory of 4812	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	138
PID 1184 wrote to memory of 1444	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	139
PID 1184 wrote to memory of 1444	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	139
PID 1184 wrote to memory of 1400	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	140
PID 1184 wrote to memory of 1400	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	140
PID 1184 wrote to memory of 4920	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	141
PID 1184 wrote to memory of 4920	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	141
PID 1184 wrote to memory of 2604	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	142
PID 1184 wrote to memory of 2604	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	142
PID 1184 wrote to memory of 1248	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	143
PID 1184 wrote to memory of 1248	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	143
PID 1184 wrote to memory of 840	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	144
PID 1184 wrote to memory of 840	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	144
PID 1184 wrote to memory of 3436	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	150
PID 1184 wrote to memory of 3436	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	150
PID 1184 wrote to memory of 3632	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	157
PID 1184 wrote to memory of 3632	1184	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	157
PID 3632 wrote to memory of 1236	3632	sysmon.exe	159
PID 3632 wrote to memory of 1236	3632	sysmon.exe	159
PID 3632 wrote to memory of 2312	3632	sysmon.exe	160
PID 3632 wrote to memory of 2312	3632	sysmon.exe	160
PID 1236 wrote to memory of 4536	1236	WScript.exe	163
PID 1236 wrote to memory of 4536	1236	WScript.exe	163
PID 4536 wrote to memory of 100	4536	sysmon.exe	165
PID 4536 wrote to memory of 100	4536	sysmon.exe	165
PID 4536 wrote to memory of 5112	4536	sysmon.exe	166
PID 4536 wrote to memory of 5112	4536	sysmon.exe	166
PID 100 wrote to memory of 3756	100	WScript.exe	167
PID 100 wrote to memory of 3756	100	WScript.exe	167
PID 3756 wrote to memory of 2640	3756	sysmon.exe	169
PID 3756 wrote to memory of 2640	3756	sysmon.exe	169
PID 3756 wrote to memory of 4076	3756	sysmon.exe	170
PID 3756 wrote to memory of 4076	3756	sysmon.exe	170
PID 2640 wrote to memory of 1904	2640	WScript.exe	171
PID 2640 wrote to memory of 1904	2640	WScript.exe	171
PID 1904 wrote to memory of 2588	1904	sysmon.exe	173
PID 1904 wrote to memory of 2588	1904	sysmon.exe	173
PID 1904 wrote to memory of 2096	1904	sysmon.exe	174
PID 1904 wrote to memory of 2096	1904	sysmon.exe	174
PID 2588 wrote to memory of 2908	2588	WScript.exe	179
PID 2588 wrote to memory of 2908	2588	WScript.exe	179
PID 2908 wrote to memory of 4264	2908	sysmon.exe	183
PID 2908 wrote to memory of 4264	2908	sysmon.exe	183
PID 2908 wrote to memory of 4384	2908	sysmon.exe	184
PID 2908 wrote to memory of 4384	2908	sysmon.exe	184
PID 4264 wrote to memory of 1236	4264	WScript.exe	189
PID 4264 wrote to memory of 1236	4264	WScript.exe	189
PID 1236 wrote to memory of 4032	1236	sysmon.exe	191
PID 1236 wrote to memory of 4032	1236	sysmon.exe	191
PID 1236 wrote to memory of 3352	1236	sysmon.exe	192
PID 1236 wrote to memory of 3352	1236	sysmon.exe	192
PID 4032 wrote to memory of 876	4032	WScript.exe	194
PID 4032 wrote to memory of 876	4032	WScript.exe	194
PID 876 wrote to memory of 2672	876	sysmon.exe	196
PID 876 wrote to memory of 2672	876	sysmon.exe	196
PID 876 wrote to memory of 4188	876	sysmon.exe	197
PID 876 wrote to memory of 4188	876	sysmon.exe	197

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
"C:\Users\Admin\AppData\Local\Temp\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Program Files\Windows Mail\sysmon.exe
  "C:\Program Files\Windows Mail\sysmon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12a2aef2-38d9-4c73-aa50-cd14a8789fd7.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Program Files\Windows Mail\sysmon.exe
      "C:\Program Files\Windows Mail\sysmon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d0922ca-29bd-4809-bc18-601ff6f22c8f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:100
      - C:\Program Files\Windows Mail\sysmon.exe
        
        "C:\Program Files\Windows Mail\sysmon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75be6996-ee86-4169-bddd-48c65b0e665a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Program Files\Windows Mail\sysmon.exe
        
        "C:\Program Files\Windows Mail\sysmon.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39d049a6-6954-4c2f-836d-5abe59d75f49.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Program Files\Windows Mail\sysmon.exe
        
        "C:\Program Files\Windows Mail\sysmon.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ddc47f0-c575-4d50-a763-4f995da77861.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Program Files\Windows Mail\sysmon.exe
        
        "C:\Program Files\Windows Mail\sysmon.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e607e99-a49f-44f8-8c56-060e07aace76.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Program Files\Windows Mail\sysmon.exe
        
        "C:\Program Files\Windows Mail\sysmon.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cbd961b-1fff-42e1-9e84-c8a36887846e.vbs"
        15⤵
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc246cb6-68a5-486e-a1c7-4bc19f09aa0a.vbs"
        15⤵
        
        PID:4188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bce24b32-605b-4800-bc05-36ce48bfe1a5.vbs"
        13⤵
        
        PID:3352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a6a017a-687a-48ed-a413-5099cfe0d4ad.vbs"
        11⤵
        
        PID:4384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\895f1619-1f9a-4538-8d3f-e3f4a2687e12.vbs"
        9⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eea78ef8-c1bd-4c59-9ecf-6c3401aacc91.vbs"
        7⤵
        
        PID:4076
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39128aa8-ca33-4bff-af56-fa5e02fa12ff.vbs"
        5⤵
        
        PID:5112
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14ea6489-9a33-4e37-8fcf-4b486b8972a6.vbs"
    3⤵
    PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Provisioning\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N5" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N5" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\SppExtComObj.exe

Filesize
1.7MB

MD5
c0f710ba764123564b1e28664cd36525

SHA1
aa22b5c0aa3464de01095e8c44bd0d7d9c9e1d42

SHA256
c6c99c18da0c8079d953656817e67c97ad323efe1fcae655f178f31c0b0ebe9f

SHA512
543362e65657ae6a9528cb34a5cbd147e757abbaa65b44185f0627fd93b5771a0287dd6fdc5c4d0c0195e476ec017ff604938a94ea2154e30dda7b063705aad8

Download Submit
C:\Recovery\WindowsRE\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
d87afc68be8c738bbf41a9c619cf95e6

SHA1
f6a1b3ae901f8aa85ccfc5fe967667010dbeeca1

SHA256
e52b680ec73a32bb2e960bba6efae56013f259ed837d7f87f2a1a9630ca02ed6

SHA512
7326c688088c3835fef6d2f3b1b7fcd86db26788a085deaad01ecccd129d84216a29920d6cbd4279a8b897c682889e13b5fccadf3b4e5e58e936a1de6fecb30f

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
1.7MB

MD5
f3930f1c88830f36daf99cfda4168e95

SHA1
233f4d03d37add9eba09fa7b30abce333e0f6a34

SHA256
0f36aa557e3c6fa458175a0cca757ce2a46b61ec4d67564c9116ee22fb1b7dba

SHA512
3e8b13b841cd4268d61ec7a2bf0c47f6087aabd7824197591a63024f7596ae13150e01eb3f53f8273a3118ae4256a9dcf78b673f45f53492071ac479d81a67e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d0922ca-29bd-4809-bc18-601ff6f22c8f.vbs

Filesize
716B

MD5
c72f33dfe5903ebf611afcb49cbd8137

SHA1
1f84f88a78d41730a9d3aae2155debefcfbd95d5

SHA256
966eb2f6bc6cc1b09b1d33fc8ce3dc8d0e87f6dac3b7062ae75e7970609ee686

SHA512
e3b863968024f8b8d19ad4c3572b0981b53bb5dc7f7df3c116de4c4ce3965b433159b33afba5130eae1c1a2269629b35c01b86cda2983a7f9b62b83855e60300

Download Submit
C:\Users\Admin\AppData\Local\Temp\12a2aef2-38d9-4c73-aa50-cd14a8789fd7.vbs

Filesize
716B

MD5
0e419c8f069b97e519344ee9c11d4493

SHA1
f6806fe83394ddbe4148f43ad3425f8d76d31016

SHA256
169222f539021571588aa183726ae9ca9a9706721648a1a99e50df67c6a0a4aa

SHA512
0d6735fea0a73810f42c42436ad311f24c97f33cdfb6ecd9ac75fa876ef97bf035fbea5c64fba0065d9b0b2dd4607e9e657d49a7dcbc1e1bff93cc7ad335ca00

Download Submit
C:\Users\Admin\AppData\Local\Temp\14ea6489-9a33-4e37-8fcf-4b486b8972a6.vbs

Filesize
492B

MD5
141e95b15307cf6c9edbcc1781a6c8d0

SHA1
b86f37a7e6ac9613a03bba2e4e41a28d8cd86483

SHA256
95ab496faf48f40ea9e4646d316b6de23c9e284d8666b940a5f79ea55a5204ea

SHA512
deba4fb6d34a6edb889e2530b6971176bacc69cf5f69eebcc664a7371807cbd308b5acb2e160b3a2d0b8c89b5621caa0763384891830508a2ed2ba4c412d59c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\39d049a6-6954-4c2f-836d-5abe59d75f49.vbs

Filesize
716B

MD5
43fd373a3bd32d178d44811640b6e22b

SHA1
4706998cf447e8bc9a7dad3362fd33fb4c79813a

SHA256
0b967011d05b145b7506cd8aeaa2cba2939c9352e080c5e849a50a5724524e92

SHA512
8ec88d992cc05bd45ea7166b44909d9cab856ab368f8707c845eff16aa5d4d47863ab38c44dac18a610afdabdc8ce1f8806dc879ae9f671797a0eb1d2c2c857e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cbd961b-1fff-42e1-9e84-c8a36887846e.vbs

Filesize
715B

MD5
ff8c8cdc17532ac7842a9b7ab4b0ca21

SHA1
5edd722ad36c5000af33948bbb1fd2f010b9868e

SHA256
160e1955b06e81ad016acffdac8202bb43962b3b8357ffac10ac5fd4dbc425bd

SHA512
18eaa4e562f0485f07f0e260ddf50a8ba43a70d6fb8d5b9b2760c1da5105c05c4e373530ac16e02904f82ed34eb80936b2d430f39c6e2f4e6596e9294d23d071

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ddc47f0-c575-4d50-a763-4f995da77861.vbs

Filesize
716B

MD5
fa29f624e910dce73a7ecbb7dde5a355

SHA1
951714acac9b79f992cbbabb801df1c457d57314

SHA256
158c605a673c66c52ba738a2ef7c17f463594789e621d4e3f6143e5a5ea7ec55

SHA512
4107e0741cc2a703539e163e6554b875523c4a99685909e84471c50019b85b79789cb67d47ca8ce469fd08c32b02bbd5eeacfa8bde5285f4794f567c78b08e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e607e99-a49f-44f8-8c56-060e07aace76.vbs

Filesize
716B

MD5
07e957851621b052f6ba47fa646b906b

SHA1
5b2c77706543de1d3704b6e484f5f75602ef68c0

SHA256
a9d9f2ba7fcb1f8fa2d6a493e8bbb12436db006584d7cdb03605f1f233734913

SHA512
96c71893c0917a5388394d24dbef83132d9f256811c4d6a43d7d09798e928bf610a58528700978175c37edb08fec34399bbe5fa71cc2568f9633f12da789e867

Download Submit
C:\Users\Admin\AppData\Local\Temp\75be6996-ee86-4169-bddd-48c65b0e665a.vbs

Filesize
716B

MD5
48af7c600b58c480c28393db0bfeeb00

SHA1
09a4ddae128683495b62384d720644ac1a55f7f3

SHA256
b9970b81535dbfaf2d1772aaa88cc28ac8b112838df154ebb18e3839ca1aa4e3

SHA512
411aa154251ec6073361d7630ac0f7e5654a88756f59b204c08812ea8ff4a9d7ba610e95e7aa4d60079a72c0efeffaccbc2c1caf9b70efd1eaf83d345a969995

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmhev0pa.g2r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Fonts\SearchApp.exe

Filesize
1.7MB

MD5
75ce4f3a70e6599ce055bca35feed7f0

SHA1
6520f50d5d1c3b26e42cf761d1df884e1ce7b1bb

SHA256
5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925

SHA512
78ef4b4a59b0a21c7daacc3711e4bd323b5f318d90d7f106f46238ed55c40f92267c8a0edf68084fbe5daa30287e59f01f9a9d502524c678bc68051fa2b0abdb

Download Submit
memory/840-310-0x00000192696C0000-0x00000192696E2000-memory.dmp

Filesize
136KB

Download
memory/1184-23-0x00007FF98C820000-0x00007FF98D2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-13-0x000000001C160000-0x000000001C688000-memory.dmp

Filesize
5.2MB

Download
memory/1184-0-0x00007FF98C823000-0x00007FF98C825000-memory.dmp

Filesize
8KB

Download
memory/1184-16-0x000000001BE50000-0x000000001BE5E000-memory.dmp

Filesize
56KB

Download
memory/1184-155-0x00007FF98C823000-0x00007FF98C825000-memory.dmp

Filesize
8KB

Download
memory/1184-180-0x00007FF98C820000-0x00007FF98D2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-17-0x000000001BE60000-0x000000001BE68000-memory.dmp

Filesize
32KB

Download
memory/1184-19-0x000000001BE80000-0x000000001BE8C000-memory.dmp

Filesize
48KB

Download
memory/1184-214-0x00007FF98C820000-0x00007FF98D2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-18-0x000000001BE70000-0x000000001BE7C000-memory.dmp

Filesize
48KB

Download
memory/1184-15-0x000000001BE40000-0x000000001BE4A000-memory.dmp

Filesize
40KB

Download
memory/1184-14-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/1184-421-0x00007FF98C820000-0x00007FF98D2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-22-0x00007FF98C820000-0x00007FF98D2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-12-0x000000001B6A0000-0x000000001B6B2000-memory.dmp

Filesize
72KB

Download
memory/1184-10-0x000000001B680000-0x000000001B688000-memory.dmp

Filesize
32KB

Download
memory/1184-9-0x000000001B690000-0x000000001B69C000-memory.dmp

Filesize
48KB

Download
memory/1184-5-0x0000000001260000-0x0000000001268000-memory.dmp

Filesize
32KB

Download
memory/1184-7-0x000000001B500000-0x000000001B516000-memory.dmp

Filesize
88KB

Download
memory/1184-8-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/1184-6-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/1184-4-0x000000001B6D0000-0x000000001B720000-memory.dmp

Filesize
320KB

Download
memory/1184-3-0x00000000010E0000-0x00000000010FC000-memory.dmp

Filesize
112KB

Download
memory/1184-2-0x00007FF98C820000-0x00007FF98D2E1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-1-0x0000000000750000-0x0000000000910000-memory.dmp

Filesize
1.8MB

Download