dcrat | ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17ace

Analysis

max time kernel
120s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
Size

1.7MB
MD5

8f1577b59c8f8b144134030e7f0952d0
SHA1

6614cc712104223277965fdd29e5a47568fcaf56
SHA256

ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17ace
SHA512

2471c441cd26577427799248823851f93604a771911ba302a7c6757c5602f9007d2c68364a69f0ba2accd7c48b7e8626c5cb19338a2cec1e31d2d844e4abc06f
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	184	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	1632	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1632	schtasks.exe	82

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/840-1-0x0000000000010000-0x00000000001D0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbc-30.dat	dcrat
behavioral2/files/0x0009000000023ce4-71.dat	dcrat
behavioral2/files/0x000e000000023ca4-105.dat	dcrat
behavioral2/files/0x000a000000023cbc-139.dat	dcrat
behavioral2/files/0x0008000000023ce7-224.dat	dcrat
behavioral2/memory/2456-422-0x0000000000300000-0x00000000004C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5048	powershell.exe
404	powershell.exe
1940	powershell.exe
228	powershell.exe
4180	powershell.exe
4048	powershell.exe
3200	powershell.exe
4508	powershell.exe
680	powershell.exe
4364	powershell.exe
3152	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 8 IoCs

pid	Process
2456	TextInputHost.exe
1476	TextInputHost.exe
5060	TextInputHost.exe
4176	TextInputHost.exe
2176	TextInputHost.exe
1552	TextInputHost.exe
4048	TextInputHost.exe
4124	TextInputHost.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\RCXD692.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXF2FA.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\smss.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Windows Portable Devices\lsass.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXE729.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXF56E.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\886983d96e3d3e	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\ea1d8f6d871115	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\SearchApp.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Windows Defender\69ddcba757bf72	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXE4D5.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXE6EA.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXF368.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXF56D.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsass.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\RCXD700.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXE4D4.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Windows Defender\smss.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Web\upfc.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Windows\Web\ea1d8f6d871115	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Windows\Web\RCXEE43.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Windows\Web\RCXEE53.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Windows\Web\upfc.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3012	schtasks.exe
3668	schtasks.exe
4140	schtasks.exe
1276	schtasks.exe
3256	schtasks.exe
3448	schtasks.exe
1892	schtasks.exe
1060	schtasks.exe
1828	schtasks.exe
4504	schtasks.exe
184	schtasks.exe
1696	schtasks.exe
996	schtasks.exe
5020	schtasks.exe
3152	schtasks.exe
4464	schtasks.exe
3912	schtasks.exe
5052	schtasks.exe
4084	schtasks.exe
3080	schtasks.exe
1268	schtasks.exe
1076	schtasks.exe
3788	schtasks.exe
2996	schtasks.exe
4940	schtasks.exe
3932	schtasks.exe
4564	schtasks.exe
968	schtasks.exe
4836	schtasks.exe
1140	schtasks.exe
4724	schtasks.exe
3864	schtasks.exe
2376	schtasks.exe
3812	schtasks.exe
3968	schtasks.exe
3164	schtasks.exe
1552	schtasks.exe
3580	schtasks.exe
4024	schtasks.exe
3980	schtasks.exe
4700	schtasks.exe
3940	schtasks.exe
2280	schtasks.exe
4924	schtasks.exe
5056	schtasks.exe
4324	schtasks.exe
4828	schtasks.exe
3740	schtasks.exe
3444	schtasks.exe
904	schtasks.exe
2404	schtasks.exe
4956	schtasks.exe
2112	schtasks.exe
5004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	2456	TextInputHost.exe
Token: SeDebugPrivilege	1476	TextInputHost.exe
Token: SeDebugPrivilege	5060	TextInputHost.exe
Token: SeDebugPrivilege	4176	TextInputHost.exe
Token: SeDebugPrivilege	2176	TextInputHost.exe
Token: SeDebugPrivilege	1552	TextInputHost.exe
Token: SeDebugPrivilege	4048	TextInputHost.exe
Token: SeDebugPrivilege	4124	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3200	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	141
PID 840 wrote to memory of 3200	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	141
PID 840 wrote to memory of 4508	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	142
PID 840 wrote to memory of 4508	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	142
PID 840 wrote to memory of 5048	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	143
PID 840 wrote to memory of 5048	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	143
PID 840 wrote to memory of 680	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	144
PID 840 wrote to memory of 680	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	144
PID 840 wrote to memory of 4364	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	145
PID 840 wrote to memory of 4364	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	145
PID 840 wrote to memory of 3152	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	146
PID 840 wrote to memory of 3152	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	146
PID 840 wrote to memory of 228	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	147
PID 840 wrote to memory of 228	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	147
PID 840 wrote to memory of 4180	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	148
PID 840 wrote to memory of 4180	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	148
PID 840 wrote to memory of 404	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	149
PID 840 wrote to memory of 404	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	149
PID 840 wrote to memory of 4048	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	150
PID 840 wrote to memory of 4048	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	150
PID 840 wrote to memory of 1940	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	151
PID 840 wrote to memory of 1940	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	151
PID 840 wrote to memory of 2456	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	165
PID 840 wrote to memory of 2456	840	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	165
PID 2456 wrote to memory of 3680	2456	TextInputHost.exe	166
PID 2456 wrote to memory of 3680	2456	TextInputHost.exe	166
PID 2456 wrote to memory of 840	2456	TextInputHost.exe	167
PID 2456 wrote to memory of 840	2456	TextInputHost.exe	167
PID 3680 wrote to memory of 1476	3680	WScript.exe	168
PID 3680 wrote to memory of 1476	3680	WScript.exe	168
PID 1476 wrote to memory of 4864	1476	TextInputHost.exe	170
PID 1476 wrote to memory of 4864	1476	TextInputHost.exe	170
PID 1476 wrote to memory of 3940	1476	TextInputHost.exe	171
PID 1476 wrote to memory of 3940	1476	TextInputHost.exe	171
PID 4864 wrote to memory of 5060	4864	WScript.exe	173
PID 4864 wrote to memory of 5060	4864	WScript.exe	173
PID 5060 wrote to memory of 4984	5060	TextInputHost.exe	174
PID 5060 wrote to memory of 4984	5060	TextInputHost.exe	174
PID 5060 wrote to memory of 2000	5060	TextInputHost.exe	175
PID 5060 wrote to memory of 2000	5060	TextInputHost.exe	175
PID 4984 wrote to memory of 4176	4984	WScript.exe	176
PID 4984 wrote to memory of 4176	4984	WScript.exe	176
PID 4176 wrote to memory of 4140	4176	TextInputHost.exe	177
PID 4176 wrote to memory of 4140	4176	TextInputHost.exe	177
PID 4176 wrote to memory of 3228	4176	TextInputHost.exe	178
PID 4176 wrote to memory of 3228	4176	TextInputHost.exe	178
PID 4140 wrote to memory of 2176	4140	WScript.exe	179
PID 4140 wrote to memory of 2176	4140	WScript.exe	179
PID 2176 wrote to memory of 4800	2176	TextInputHost.exe	180
PID 2176 wrote to memory of 4800	2176	TextInputHost.exe	180
PID 2176 wrote to memory of 4136	2176	TextInputHost.exe	181
PID 2176 wrote to memory of 4136	2176	TextInputHost.exe	181
PID 4800 wrote to memory of 1552	4800	WScript.exe	182
PID 4800 wrote to memory of 1552	4800	WScript.exe	182
PID 1552 wrote to memory of 2224	1552	TextInputHost.exe	183
PID 1552 wrote to memory of 2224	1552	TextInputHost.exe	183
PID 1552 wrote to memory of 3536	1552	TextInputHost.exe	184
PID 1552 wrote to memory of 3536	1552	TextInputHost.exe	184
PID 2224 wrote to memory of 4048	2224	WScript.exe	185
PID 2224 wrote to memory of 4048	2224	WScript.exe	185
PID 4048 wrote to memory of 524	4048	TextInputHost.exe	186
PID 4048 wrote to memory of 524	4048	TextInputHost.exe	186
PID 4048 wrote to memory of 2876	4048	TextInputHost.exe	187
PID 4048 wrote to memory of 2876	4048	TextInputHost.exe	187

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
"C:\Users\Admin\AppData\Local\Temp\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Recovery\WindowsRE\TextInputHost.exe
  "C:\Recovery\WindowsRE\TextInputHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c840f4c3-672e-4a95-83cb-2a35549d2a70.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Recovery\WindowsRE\TextInputHost.exe
      C:\Recovery\WindowsRE\TextInputHost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73af7bbc-f305-4cd1-a975-9b824f2b0a60.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
      - C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59de710b-8de7-40bc-af98-831e42769af6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\528a7194-2e12-4225-bb49-aa24ac5a181e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2a134db-30cf-4f41-91a1-903bace570f4.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30c065ef-45cf-4602-9945-9cf1d1d43d78.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0997422a-5b5a-4252-aabb-3404fbc4ec5f.vbs"
        15⤵
        
        PID:524
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        
        C:\Recovery\WindowsRE\TextInputHost.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c0854ac-34e0-4529-98df-d39b190ca549.vbs"
        15⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b1b901a-a9b0-40fb-a006-14247eb5da0d.vbs"
        13⤵
        
        PID:3536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b6d8c80-01fb-42a1-8a21-b8d7c0618a69.vbs"
        11⤵
        
        PID:4136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a924f7f7-bb3b-4fc5-8c5c-6f176243693a.vbs"
        9⤵
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50dffe08-de25-46b7-bab9-eab9f01d249f.vbs"
        7⤵
        
        PID:2000
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c37e029-b588-430c-b8c0-d25c4b36fc2f.vbs"
        5⤵
        
        PID:3940
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\124b63f9-8fab-40d5-a107-44dd43f169ad.vbs"
    3⤵
    PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Web\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe

Filesize
1.7MB

MD5
1aa0b5d5ab22955833a94579617cd240

SHA1
b39f194665721b68c8b904204548ee552ed7567f

SHA256
051d4d8bfd691b99592203e64aef117326ea28e7b214c3900846832691794854

SHA512
5109319f41cdcc3af36875718fcea7fc5cf8a0071552d4ca4ee8a7649ab80b6f98866a3feb48d792619c315ef244b0987a89c65e2e36b07c9c9ff5080dc506e2

Download Submit
C:\Recovery\WindowsRE\TextInputHost.exe

Filesize
1.7MB

MD5
4277073745e9c2d9cd5e7ae333de374a

SHA1
081fe72c2694ecfa0b286d2ea3b4c21ae57c99a6

SHA256
7d5daa989830d651a1b4a54ec2257308cc74365ce20c33e06bed3e45a96168ea

SHA512
d94a3ff9000c6ac7664a5027375e0947e63450f8c137d6da63932d5822bff808a5959e139ec5d280ecd00959672604128976abfb0baed18e6b75ba8e7850576a

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.7MB

MD5
7b04a4b9e77e053fe2caf7f6de15d8de

SHA1
73287b69b023f1b32b72d8a4b4a8866dd332b9ae

SHA256
0cd060887989c664050b51e98852c605f4b277f0426a7015b8e6878e79a12a0b

SHA512
60732358830f1fc4626ff6255bf041616e92d0f93d03dfb79c5a656ab10c94a6286c9699268255aca31ba7a0d522de76bb61a222ab71f02ebc27ceb59615e516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\0997422a-5b5a-4252-aabb-3404fbc4ec5f.vbs

Filesize
715B

MD5
7487529f96ac47640074beda4a9c10f0

SHA1
35f2cc2e8060f32d21b176cf9a9f544d28cf7766

SHA256
772d31ebc993e51997c9944f0105020930b8876947621abb874b092283fcd256

SHA512
2695547d1867a904cee420e28f7c678ef15710b5f096dc0e065a4397393d47ab6f7b40057cdf0c6f679f561a408405d87ac65835590abc5eaeb8922c6ed3b114

Download Submit
C:\Users\Admin\AppData\Local\Temp\124b63f9-8fab-40d5-a107-44dd43f169ad.vbs

Filesize
491B

MD5
b1259654aeb72ea7cbc8df8546531a6d

SHA1
bb66962169fd367150a79062332e59fbe706fc4c

SHA256
66e6546f1bcfa7d11217cbe8808d3c04c80de8d47eeefaaa429ca613f2346145

SHA512
df9b1576261d0a2bf1b722f2ae0a10ea7b7f6d6889464c4cb69755e6a2bc646827384c5663588ed2a3d4b75a4a5d055c19ea7ec5748779a3aded06138dd704dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\30c065ef-45cf-4602-9945-9cf1d1d43d78.vbs

Filesize
715B

MD5
2d66fa9e9f834c9f9d9be34757397315

SHA1
72cf60db5ca238642b3ce5470e68ac2f22805b6b

SHA256
071ba038b9f8c545601696c2701eb7b44591b9e90fd9e5e54ef73c62db77e1de

SHA512
f7da341c71b09579bab7bc6097875d60af875d890ee39f05488cc3af8150b70851c756cc3a7ad4fb1d2db4dbf3c2dc707075cd33fe87d6476c4a61181be205ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\528a7194-2e12-4225-bb49-aa24ac5a181e.vbs

Filesize
715B

MD5
811278562fa877c50681aa26769c7148

SHA1
ecc91553ec09b5dc17e85e216e1109ff8ae61dd6

SHA256
fd1fec2c75044828e521a669ac304823a29fa1f8cacd61a36797c5ac10a893f0

SHA512
a2e462d2e3e581c4c0635267dcc5b2882387cab8da8946f59efaa8806bc884aa7013765595dc41605011d98a484c147b4fc4ce54678b6bedbbbe738fc5515bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\59de710b-8de7-40bc-af98-831e42769af6.vbs

Filesize
715B

MD5
54dd1fcadfecfc0f2bdbf7be65db30ab

SHA1
2e9f4bf76ebbe13e30d55ca861a41c401f76a5bc

SHA256
0d2986f3894b2f599d87dc4b46c5eb829e3a36e28982bb4f0077ff4a54d9cfa8

SHA512
0de08a44253f6d73dcfa04fafefb1892d744d64a10699574e7edd8ae0ef8e94fea435cc80272011ffa97ae2c1056f7e3c36f5c1a0a1b3f2f9d0a818765f29a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\73af7bbc-f305-4cd1-a975-9b824f2b0a60.vbs

Filesize
715B

MD5
a9f75dcb5654f5c72be7ee3f543dc1ec

SHA1
1c249a598aa62b591e131bbe8da20dced6d1d842

SHA256
5fc0a24a9dd7c077b4d843ce54121d81bc21108656f375d017c8cb52942ab587

SHA512
3d3fdb6e8957dee1ce1d946cb579619beff920e2fce216af403d4d7fa14c4125746fa04b5bc386ea6937334dfa17a3f3a88f0ff7e6e617f8d88e7e64a8659b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3h2rbrso.3f3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c840f4c3-672e-4a95-83cb-2a35549d2a70.vbs

Filesize
715B

MD5
2a51201b0b7e248e85d452f16fcd607b

SHA1
83818cdfce3415cda54e4b30c67440c8125a0014

SHA256
04f1eccc5aa5c9ee42938d58c04093f8ffa720978850689ac6022a6f8b7b9637

SHA512
4aad52cccfe8e5f49c5036bdc0103be5676e2a9380fb55153a4df34130c67310faa5a06ca332e51d04888d030f0d31257548c03af19d6bff5ada71597dea29e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2a134db-30cf-4f41-91a1-903bace570f4.vbs

Filesize
715B

MD5
f49da8106577e71409dad7ab7153a58f

SHA1
e8e13144a70759b26e890022361ecc281ceb3b02

SHA256
a49be2a8a52365362cfcf565b37d22b061cc4bf83c8ef8048a0f996cf5a903bd

SHA512
130038e5e0836110bb81739a8a015c5871f5bbf38a8d66c0eb2d5b1ba8ce12a0a7a74bbf5e7e824f6d0f0494065a55dcae530247823229df3df95dd67fdb7ad5

Download Submit
C:\Users\Default\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
bfc7cddecf120ae6d52ee16a9db28cac

SHA1
231dc3dd2d77514698a12d40c4c3a0053577114d

SHA256
8de3298e25363054e5b563b1f9d00e6eab005b70d2414f50b2b69900ad22404e

SHA512
031b6cad393ade8017f2c1a8cf3507c084d67a6b5ff72ccd1807a1eafd9eea784dd9566673ef96eb9e540782beaa68b7a45de5b242e0bb328dfa0ff1eb30e201

Download Submit
C:\Users\Public\AccountPictures\OfficeClickToRun.exe

Filesize
1.7MB

MD5
8f1577b59c8f8b144134030e7f0952d0

SHA1
6614cc712104223277965fdd29e5a47568fcaf56

SHA256
ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17ace

SHA512
2471c441cd26577427799248823851f93604a771911ba302a7c6757c5602f9007d2c68364a69f0ba2accd7c48b7e8626c5cb19338a2cec1e31d2d844e4abc06f

Download Submit
memory/840-16-0x000000001B610000-0x000000001B61E000-memory.dmp

Filesize
56KB

Download
memory/840-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/840-5-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/840-6-0x000000001AE00000-0x000000001AE10000-memory.dmp

Filesize
64KB

Download
memory/840-144-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/840-168-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/840-203-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/840-4-0x000000001B470000-0x000000001B4C0000-memory.dmp

Filesize
320KB

Download
memory/840-22-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/840-8-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/840-9-0x000000001B450000-0x000000001B45C000-memory.dmp

Filesize
48KB

Download
memory/840-423-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/840-3-0x00000000023A0000-0x00000000023BC000-memory.dmp

Filesize
112KB

Download
memory/840-23-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/840-15-0x000000001B600000-0x000000001B60A000-memory.dmp

Filesize
40KB

Download
memory/840-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/840-7-0x000000001B420000-0x000000001B436000-memory.dmp

Filesize
88KB

Download
memory/840-17-0x000000001B620000-0x000000001B628000-memory.dmp

Filesize
32KB

Download
memory/840-18-0x000000001B770000-0x000000001B77C000-memory.dmp

Filesize
48KB

Download
memory/840-19-0x000000001B780000-0x000000001B78C000-memory.dmp

Filesize
48KB

Download
memory/840-1-0x0000000000010000-0x00000000001D0000-memory.dmp

Filesize
1.8MB

Download
memory/840-14-0x000000001B4F0000-0x000000001B4FC000-memory.dmp

Filesize
48KB

Download
memory/840-13-0x000000001BA20000-0x000000001BF48000-memory.dmp

Filesize
5.2MB

Download
memory/840-12-0x000000001B4C0000-0x000000001B4D2000-memory.dmp

Filesize
72KB

Download
memory/840-10-0x000000001B460000-0x000000001B468000-memory.dmp

Filesize
32KB

Download
memory/2456-422-0x0000000000300000-0x00000000004C0000-memory.dmp

Filesize
1.8MB

Download
memory/4048-512-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/4048-328-0x000001E8C5BA0000-0x000001E8C5BC2000-memory.dmp

Filesize
136KB

Download