dcrat | 434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Size

1.7MB
MD5

88bc360785b47c484011f5eaf67735a2
SHA1

1e868cecddcd99d570efa98d7966a5284d36b2c7
SHA256

434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa
SHA512

c52eae6960c1e499d569a35c961676897738ee844fb557bb46aa6e94f301b3b9305093d5389f3a1d70191c69e4591ce1a12a3e7581f5fe0813b388ca2d5d3509
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	5008	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	5008	schtasks.exe	82

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3756-1-0x0000000000900000-0x0000000000AC0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b98-30.dat	dcrat
behavioral2/files/0x000c000000023c00-69.dat	dcrat
behavioral2/files/0x000d000000023b8d-91.dat	dcrat
behavioral2/files/0x000c000000023b90-102.dat	dcrat
behavioral2/files/0x000c000000023b94-115.dat	dcrat
behavioral2/files/0x000c000000023b98-126.dat	dcrat
behavioral2/files/0x000c000000023ba4-138.dat	dcrat
behavioral2/files/0x000a000000023bb4-149.dat	dcrat
behavioral2/files/0x0010000000023bbf-162.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
704	powershell.exe
5044	powershell.exe
1908	powershell.exe
1476	powershell.exe
384	powershell.exe
4616	powershell.exe
4368	powershell.exe
3144	powershell.exe
4516	powershell.exe
2616	powershell.exe
1308	powershell.exe
4208	powershell.exe
3716	powershell.exe
2640	powershell.exe
3548	powershell.exe
2640	powershell.exe
8	powershell.exe
3116	powershell.exe
1892	powershell.exe
1436	powershell.exe
1136	powershell.exe
2876	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Executes dropped EXE 9 IoCs

pid	Process
2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
4672	powershell.exe
2748	powershell.exe
3216	powershell.exe
4052	powershell.exe
4664	powershell.exe
456	powershell.exe
548	powershell.exe
888	powershell.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ee2ad38f3d4382	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\conhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXAE9B.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Mail\dllhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\dllhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXAA64.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\9e8d7a4ca61bd9	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\RuntimeBroker.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\088424020bedd6	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\VideoLAN\VLC\088424020bedd6	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\powershell.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\088424020bedd6	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\088424020bedd6	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ee2ad38f3d4382	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\d912fd6b598b97	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\e978f868350d50	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\conhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\conhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Mail\5940a34987c991	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\powershell.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\WindowsApps\OfficeClickToRun.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXAF19.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\VideoLAN\VLC\conhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXA9E6.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\6ccacd8608530f	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\LiveKernelReports\csrss.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\ModemLogs\RCXA744.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\ModemLogs\RCXA7C2.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\ModemLogs\Idle.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\ServiceState\EventLog\powershell.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\LiveKernelReports\csrss.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\LiveKernelReports\886983d96e3d3e	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\LanguageOverlayCache\services.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\ModemLogs\Idle.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXA1D2.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXA29E.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4192	schtasks.exe
3484	schtasks.exe
1916	schtasks.exe
3976	schtasks.exe
3404	schtasks.exe
208	schtasks.exe
2900	schtasks.exe
1196	schtasks.exe
2076	schtasks.exe
2344	schtasks.exe
396	schtasks.exe
4192	schtasks.exe
3332	schtasks.exe
1144	schtasks.exe
380	schtasks.exe
4548	schtasks.exe
4152	schtasks.exe
1668	schtasks.exe
3384	schtasks.exe
2104	schtasks.exe
400	schtasks.exe
556	schtasks.exe
1180	schtasks.exe
4956	schtasks.exe
208	schtasks.exe
4636	schtasks.exe
3160	schtasks.exe
3840	schtasks.exe
1352	schtasks.exe
3764	schtasks.exe
2900	schtasks.exe
3960	schtasks.exe
1936	schtasks.exe
2292	schtasks.exe
4140	schtasks.exe
1384	schtasks.exe
1576	schtasks.exe
1044	schtasks.exe
3980	schtasks.exe
4788	schtasks.exe
2500	schtasks.exe
864	schtasks.exe
5048	schtasks.exe
4328	schtasks.exe
1836	schtasks.exe
2908	schtasks.exe
456	schtasks.exe
1424	schtasks.exe
1792	schtasks.exe
1120	schtasks.exe
4232	schtasks.exe
4780	schtasks.exe
3968	schtasks.exe
916	schtasks.exe
3292	schtasks.exe
4940	schtasks.exe
2104	schtasks.exe
2060	schtasks.exe
2696	schtasks.exe
3428	schtasks.exe
3644	schtasks.exe
4928	schtasks.exe
3540	schtasks.exe
4752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
1908	powershell.exe
1476	powershell.exe
1476	powershell.exe
2640	powershell.exe
2640	powershell.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
1436	powershell.exe
1436	powershell.exe
3548	powershell.exe
3548	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 5044	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	116
PID 3756 wrote to memory of 5044	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	116
PID 3756 wrote to memory of 2616	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	117
PID 3756 wrote to memory of 2616	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	117
PID 3756 wrote to memory of 3548	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	118
PID 3756 wrote to memory of 3548	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	118
PID 3756 wrote to memory of 1436	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	119
PID 3756 wrote to memory of 1436	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	119
PID 3756 wrote to memory of 1908	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	120
PID 3756 wrote to memory of 1908	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	120
PID 3756 wrote to memory of 1308	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	121
PID 3756 wrote to memory of 1308	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	121
PID 3756 wrote to memory of 2640	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	122
PID 3756 wrote to memory of 2640	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	122
PID 3756 wrote to memory of 4208	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	123
PID 3756 wrote to memory of 4208	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	123
PID 3756 wrote to memory of 3716	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	124
PID 3756 wrote to memory of 3716	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	124
PID 3756 wrote to memory of 1476	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	125
PID 3756 wrote to memory of 1476	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	125
PID 3756 wrote to memory of 1136	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	126
PID 3756 wrote to memory of 1136	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	126
PID 3756 wrote to memory of 2944	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	138
PID 3756 wrote to memory of 2944	3756	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	138
PID 2944 wrote to memory of 384	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	199
PID 2944 wrote to memory of 384	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	199
PID 2944 wrote to memory of 2640	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	200
PID 2944 wrote to memory of 2640	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	200
PID 2944 wrote to memory of 4616	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	201
PID 2944 wrote to memory of 4616	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	201
PID 2944 wrote to memory of 704	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	202
PID 2944 wrote to memory of 704	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	202
PID 2944 wrote to memory of 2876	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	203
PID 2944 wrote to memory of 2876	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	203
PID 2944 wrote to memory of 4368	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	204
PID 2944 wrote to memory of 4368	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	204
PID 2944 wrote to memory of 8	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	205
PID 2944 wrote to memory of 8	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	205
PID 2944 wrote to memory of 3144	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	206
PID 2944 wrote to memory of 3144	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	206
PID 2944 wrote to memory of 4516	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	207
PID 2944 wrote to memory of 4516	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	207
PID 2944 wrote to memory of 3116	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	208
PID 2944 wrote to memory of 3116	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	208
PID 2944 wrote to memory of 1892	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	209
PID 2944 wrote to memory of 1892	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	209
PID 2944 wrote to memory of 2320	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	221
PID 2944 wrote to memory of 2320	2944	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	221
PID 2320 wrote to memory of 3508	2320	cmd.exe	223
PID 2320 wrote to memory of 3508	2320	cmd.exe	223
PID 2320 wrote to memory of 4672	2320	cmd.exe	224
PID 2320 wrote to memory of 4672	2320	cmd.exe	224
PID 4672 wrote to memory of 2116	4672	powershell.exe	226
PID 4672 wrote to memory of 2116	4672	powershell.exe	226
PID 4672 wrote to memory of 4000	4672	powershell.exe	227
PID 4672 wrote to memory of 4000	4672	powershell.exe	227
PID 2116 wrote to memory of 2748	2116	WScript.exe	229
PID 2116 wrote to memory of 2748	2116	WScript.exe	229
PID 2748 wrote to memory of 3220	2748	powershell.exe	230
PID 2748 wrote to memory of 3220	2748	powershell.exe	230
PID 2748 wrote to memory of 3556	2748	powershell.exe	231
PID 2748 wrote to memory of 3556	2748	powershell.exe	231
PID 3220 wrote to memory of 3216	3220	WScript.exe	232
PID 3220 wrote to memory of 3216	3220	WScript.exe	232

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
"C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
  "C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ptmvG0MAvf.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3508
  - - C:\Recovery\WindowsRE\powershell.exe
      "C:\Recovery\WindowsRE\powershell.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8704a14-a16e-470a-9346-d99b053c8bcc.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Recovery\WindowsRE\powershell.exe
        
        C:\Recovery\WindowsRE\powershell.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7d42154-1664-4088-95c7-355f6d888314.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Recovery\WindowsRE\powershell.exe
        
        C:\Recovery\WindowsRE\powershell.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fb390f8-10d1-4e93-80d8-208be61e2580.vbs"
        9⤵
        
        PID:4756
        
        C:\Recovery\WindowsRE\powershell.exe
        
        C:\Recovery\WindowsRE\powershell.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\badcd256-08c0-4a9a-a008-2e1f4873171b.vbs"
        11⤵
        
        PID:3016
        
        C:\Recovery\WindowsRE\powershell.exe
        
        C:\Recovery\WindowsRE\powershell.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27645af7-cf42-4099-91fd-69554b2f4433.vbs"
        13⤵
        
        PID:1808
        
        C:\Recovery\WindowsRE\powershell.exe
        
        C:\Recovery\WindowsRE\powershell.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88d0cca9-5f60-4ebb-be4a-bd9982215016.vbs"
        15⤵
        
        PID:3724
        
        C:\Recovery\WindowsRE\powershell.exe
        
        C:\Recovery\WindowsRE\powershell.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16888ec3-cfe8-4a22-931d-9c3e809163ed.vbs"
        17⤵
        
        PID:4192
        
        C:\Recovery\WindowsRE\powershell.exe
        
        C:\Recovery\WindowsRE\powershell.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c008a7e7-2100-47c0-b297-4265ebf558dc.vbs"
        17⤵
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11ffb627-4741-4c89-93ff-e3dac9dc34b1.vbs"
        15⤵
        
        PID:3300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdd7b33f-a162-4bb3-93b4-2c9232ce6ed1.vbs"
        13⤵
        
        PID:3192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8efbfdf-8312-48e5-8c0b-9f8ad4a586fd.vbs"
        11⤵
        
        PID:3468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef54d022-d839-4237-aa80-3cc387145cd7.vbs"
        9⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fbcc5d1-6d91-4dca-9151-02586c5755fa.vbs"
        7⤵
        
        PID:3556
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ca6b1d4-7890-4b4d-b913-807dfabd6fdf.vbs"
        5⤵
        
        PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa4" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa4" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Links\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\conhost.exe'" /rl HIGHEST /f
1⤵
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /f
1⤵
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\explorer.exe'" /rl HIGHEST /f
1⤵
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\conhost.exe'" /rl HIGHEST /f
1⤵
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\dllhost.exe

Filesize
1.7MB

MD5
8c3c37bdfffe044a6b13c4532a89ecdb

SHA1
32dba4874b4d5600d22e7f0b71eb0be74b750e3b

SHA256
0ffbc0deb4740db2439d6efd52bc7042ece254da161a67c2ee04738ce8893cb5

SHA512
b87c33f741c8925bfc2a1fc515130dda5d6b544263e3a4b6ca6128305642e7271f7a38a42087e2f5a20d794e824ed0c6b5f336e0b2298c27f717ebaee9d60dd7

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe

Filesize
1.7MB

MD5
88bc360785b47c484011f5eaf67735a2

SHA1
1e868cecddcd99d570efa98d7966a5284d36b2c7

SHA256
434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa

SHA512
c52eae6960c1e499d569a35c961676897738ee844fb557bb46aa6e94f301b3b9305093d5389f3a1d70191c69e4591ce1a12a3e7581f5fe0813b388ca2d5d3509

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Registry.exe

Filesize
1.7MB

MD5
22bd5e4b50b0991148eb1053d1d718f6

SHA1
abe048819e12082d83392152cdf2e71b4ac2fdba

SHA256
9eed0c64adc553bceed6021b1a3c0420737590d6b70c025d53f8baf8da018fb4

SHA512
378ed37799288a0358e8ecc68d69a8e5dde88bd5c032b00ea9bece11850bfe2be020df14998cee1ce73588b10638c4f6f6c6bec132ea35307073691926514708

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.7MB

MD5
e0917cafae0e4acacc58223beb3a71dd

SHA1
3938e13367fa158f0b33c7009e04befeb1aa2025

SHA256
7713766fcd17c0eeefda9bf25ac8f5818a79d1b0b682dbe014bae93202e5afe9

SHA512
f0faf00edbb994a4786302dc1474f3ae8a9d76db046b0cff34d5a12bb0bc06bab1c6736bd14922297ccfeb84ed52881fd144c6a25453c846ae5ccf4a744efe7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
71fa55c67a762ba70e40011153e19b3c

SHA1
a36d2bb4802a8ec7db1a68de5f0c3d6007987492

SHA256
b8be6896ca89d3ebe9ee8a94e3407483f4750badaf7fa33526817cfc926dc291

SHA512
32760af7c05e20fec8cbddf56c2df544a69335f930f1d313cd1fdceaa90ed2afe81e54ac1b6770097d6f5ca5f30955f95970171a453579aa19239a17aaefe47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6423aa2084e634f104c6a4f925702328

SHA1
edf1317c86e3876c529373cbdb00f64991091b99

SHA256
786df1a0c9baac5afb82e413be3a3d1ae8ff49ff046771bfcfc38de5762b1f64

SHA512
9defac2360c2a3330275b52fb888a34a39bee27847d4591f042bdc367fefe3ae15552f84438eec852289e554040ab2d73a85a3e8c9d38bc38690f1eb6396bfe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c557aa00dc4a6ff86db4be1735e9d30

SHA1
7c155ad08e280926832bdad0aa948843de2ce5a2

SHA256
aad198f453bdcef5e479c7e622c005782f94d0b391798245284aad9506fa7e48

SHA512
2c311b272941308197e3f2fe9d961dda9682dfd514cc48bc63b156afb0d18cace8635f0d080b9f77ed43e67b551232a6fb5b86e88c2414f8bd2f32cbe5521ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c625954a51c4bbd8141206b00f6fc0a

SHA1
4128cb2f9d2984844e303e2e330e448334e5c273

SHA256
952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

SHA512
3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6019bc03fe1dc3367a67c76d08b55399

SHA1
3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

SHA256
7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

SHA512
6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b801d886e417a9bf405b2f0092e04fe1

SHA1
fa99fefa2f49af240141692f78c8c28f04205389

SHA256
57b1c29eef54567fcfdaa28d2923485cb6f77bb76dc54235965fb34f02a42636

SHA512
b2c8bf95b4c25d7fff388b5f3e04212c43af9588f7aed8a7cb251330ee18c89789eb1d294b8449ec2afeb9b5373d7a6dce8f4369b84cbfb6a7c7813341fa07ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\16888ec3-cfe8-4a22-931d-9c3e809163ed.vbs

Filesize
711B

MD5
085310012a9660fa59ddbf7d01bed205

SHA1
0b0ffdfaae590ae292fe685cc6f40978c3199f63

SHA256
2495b2bf8fc5510f5d97380c13a196dc6b05ac6ded71d215c8397fbc59bb9194

SHA512
a5ebfc0801b066bc1085e12803996fd8eb3614161e513c891ba035a72783bacf472b86a9a49b9d38b5e8c4e05eef74aea7fa2ea10335837c2641981765a3a348

Download Submit
C:\Users\Admin\AppData\Local\Temp\27645af7-cf42-4099-91fd-69554b2f4433.vbs

Filesize
712B

MD5
17b05c77d6de6615455603d256370953

SHA1
f852e360a75b34c1ad4b7125586ccb1749c9b8e7

SHA256
e188bda66652f12456e6a9b2ea1db3ce92ab6677dbfa5d5ca415d6cebb55f0a0

SHA512
a0a17b2db0639777f546f42f22edeedfa929ebde868584023c9d51a4c6a8f60f2a5fceda94d79ddbc1b469e8699a2d58c3abe2f4cdaf1973cd5c3aafff389ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fb390f8-10d1-4e93-80d8-208be61e2580.vbs

Filesize
712B

MD5
3bfea2a6f230f0d5f6eff49e9aa65ba5

SHA1
88eb03895a8d41b620fcdc86f64885da2e01c375

SHA256
d626d894cc287eb31bb98a07dd3d3d3f36f1bebccc4cc987f9bcfb48396bf0f1

SHA512
1b7ea283e8c5c8b936325a6571bcea03ea59fce1a5b485fadd1d8302e0d881ea04465a6c36714db3832f997648c0fa3c232242c402a7d88347693923df6fb34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ca6b1d4-7890-4b4d-b913-807dfabd6fdf.vbs

Filesize
488B

MD5
d6baad819a34441c10ccf02234782f2b

SHA1
10c815552cfcbec7611017f73e2c8681cc841f31

SHA256
793fcec36bbfa8976d79d91929470629d8d76d0a51813ebb5da70542e0a6fb81

SHA512
56b9d456da69c4b576709e11a675eb316beda627244d178112676becc7b70fcd1a89a1e0f13829d50cf38367d4b7736ae32c0de685c49f8c68dd1deb36a9f358

Download Submit
C:\Users\Admin\AppData\Local\Temp\88d0cca9-5f60-4ebb-be4a-bd9982215016.vbs

Filesize
711B

MD5
aa1f14a5754194457ba2b27542b76d53

SHA1
d01e4c61f6251619087e3d25f144be672975c0ee

SHA256
eb281fb1cfae6e94fa1707b9f172341b43620509cea4af1f1d5d7596b61ed19d

SHA512
8372a2c547814f3fd1ad11d4817dc9b920dd6fbd6250b58f23675cba587310d1e93f637898c10552560aaaec75c2946518bfcfb1e1fba638162f3ac32f3c8ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e1tmgrrj.u0m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\badcd256-08c0-4a9a-a008-2e1f4873171b.vbs

Filesize
712B

MD5
0fa04ab8fae87c3285414f70b7b91575

SHA1
c5ff8310a101cefb317b144736c7e5af89fd533c

SHA256
a81f161642585644ecd2980a12b209848d98f22f3c765d9149bb9d251713ffa7

SHA512
97556d7f8fef4caa3df2f9975eecad1b38e81187a7a6079dd70731f5f49f69c56e2efb489e403e7789a70e1c15df9ef34ad795d17ca10b5255580af9675565bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7d42154-1664-4088-95c7-355f6d888314.vbs

Filesize
712B

MD5
b3290a4cf0f4b3c855a4cafc0b7da3d8

SHA1
3a411cf1d73e0bc4255280ae80e0444ed1cd3b6a

SHA256
81d358e1e717012c98b08fe527fc43f259ca528daaf4594e7b114f0721ac2c8d

SHA512
f2c63d717b14d37af0d09957b0996bd39b1e902adc3247093b9852ecaf0e1944b5e605d81923948e3453ee9c1beb0de5866b51b50513a7dc97d1cd6e955e6506

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8704a14-a16e-470a-9346-d99b053c8bcc.vbs

Filesize
712B

MD5
bed0a35de78e2d5c20ac2ac86ff9be3b

SHA1
0b445153df5b39997bd4b040e8809a5ef07e4752

SHA256
a8a44d575512c9bc6ef18baf166a61d419702e75fc4f71ed931761dd0f1374d7

SHA512
1575bfcf64e9975314c38ddb30b300e42416f07bc204e7731806dcce2157074fb9e8277431cee05657739962dfd556ac5f9cd18f2c38ce51c4fc67e307a54202

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptmvG0MAvf.bat

Filesize
201B

MD5
f9c6e73d7a014cbc05e8dd50119261cc

SHA1
bf77ec035364dfa6a56b23bddb40d8ec2f0f0a87

SHA256
06f61b51d4f97c99d1f2caa0e0c9b5a148643ea353cba64a599f2c8485ffa136

SHA512
9409ce88210dd55341e6b33a8bb10765a4a23aebc88fd164da93347d4329fbed4f40f24e41521c6aed652f3c5b3fc5b044f0f3c7b0f7bcb802f51fa55b589732

Download Submit
C:\Users\Public\Documents\csrss.exe

Filesize
1.7MB

MD5
d187a54bcbf6be7fe8d5877ab13bdd59

SHA1
a6908a316cb63200efd984fa0eedc4d33d994463

SHA256
e7c8c401fece668b0af5dfb9ae94356d7707d8e0a760354d020e2eed7a34eb1e

SHA512
0325b761b74b1bd2fb6f46fc6c91d385c7ba496e32a7f2213015e4f2ec711ef2bd04be697683fdda18c852cdbe03f96b259ea36b6f77272a8b76e1c5ae28e5a0

Download Submit
C:\Users\Public\SearchApp.exe

Filesize
1.7MB

MD5
0f63381790fe99416697a62bad5e1325

SHA1
c55aa4004de442a0e63142d3e78a4a43179803d4

SHA256
3e173b5122af8c0d1ff6ae02153f917e89d2606292816625f49ec61fd5839356

SHA512
c74abcb9f96aa1e5f9579e137f735076d261bab828bb04f048d0e73bf7d6ae6c8434775559d7a6d599b2dfe6f0eff6866382ce99f902d8a013f77ff569ddc806

Download Submit
C:\Users\Public\services.exe

Filesize
1.7MB

MD5
db762240164383e80b02cf503c51a1a3

SHA1
39a07f849843a93209ca51aceb234733cab6b147

SHA256
851488e921771c5c642aae01148b64205683c9c79ba8500e0daab8afeed9c16d

SHA512
22502ffd84b443a26de3edb91ce1d1bd4818e9a1c0c367bc698838287264e237b2eccb9ae92c1fa7504a7ed2fe9ef67736185dc9135ff2dcfd1c316a94aae412

Download Submit
C:\Windows\LiveKernelReports\csrss.exe

Filesize
1.7MB

MD5
6fec5c8078fc996750ce38f9434b7e3b

SHA1
fa16de4c55d50dc4fa8f6c6a327f6fd1750f60af

SHA256
17545de7214ede07f720e7c1e9c4d2325acfcae64294d11436893c8aab51e8d0

SHA512
98ac7549b860e8480c0e9f7442efeefbb60d4109726b10a0e373a7c9ece703202e7c1d825ef053aceb5f4bae0d40c84af559d41051d41cea64b7da06a760686c

Download Submit
C:\Windows\ModemLogs\Idle.exe

Filesize
1.7MB

MD5
6f2b20a13d089565f84c9ac2e8485ef4

SHA1
b5ca192bd627637fb3de8e9b544eb03aded193c1

SHA256
83db74e9cbf7c3e6db3525e11996305e0cdb19733c94e177ded6d8391a21828c

SHA512
b61ab3b1763c04a3286eb1488c5bf4feb48274a53bb534b88ac2262b7849aa8e7f4b6bf61dcb7ad377f87f8c0cb0cfe98e38cb30feba36ff3d3fc7c3001c942c

Download Submit
memory/548-559-0x0000000002F10000-0x0000000002F22000-memory.dmp

Filesize
72KB

Download
memory/1476-180-0x000001BC4DDE0000-0x000001BC4DE02000-memory.dmp

Filesize
136KB

Download
memory/3756-17-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

Filesize
32KB

Download
memory/3756-14-0x000000001B790000-0x000000001B79C000-memory.dmp

Filesize
48KB

Download
memory/3756-269-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/3756-268-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/3756-152-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/3756-129-0x00007FF828243000-0x00007FF828245000-memory.dmp

Filesize
8KB

Download
memory/3756-23-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/3756-22-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/3756-15-0x000000001B8D0000-0x000000001B8DA000-memory.dmp

Filesize
40KB

Download
memory/3756-19-0x000000001B910000-0x000000001B91C000-memory.dmp

Filesize
48KB

Download
memory/3756-16-0x000000001B8E0000-0x000000001B8EE000-memory.dmp

Filesize
56KB

Download
memory/3756-0-0x00007FF828243000-0x00007FF828245000-memory.dmp

Filesize
8KB

Download
memory/3756-18-0x000000001B900000-0x000000001B90C000-memory.dmp

Filesize
48KB

Download
memory/3756-153-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/3756-13-0x000000001C380000-0x000000001C8A8000-memory.dmp

Filesize
5.2MB

Download
memory/3756-12-0x000000001B780000-0x000000001B792000-memory.dmp

Filesize
72KB

Download
memory/3756-10-0x000000001B770000-0x000000001B778000-memory.dmp

Filesize
32KB

Download
memory/3756-9-0x0000000002D30000-0x0000000002D3C000-memory.dmp

Filesize
48KB

Download
memory/3756-5-0x0000000002CE0000-0x0000000002CE8000-memory.dmp

Filesize
32KB

Download
memory/3756-8-0x0000000002D20000-0x0000000002D30000-memory.dmp

Filesize
64KB

Download
memory/3756-7-0x0000000002D00000-0x0000000002D16000-memory.dmp

Filesize
88KB

Download
memory/3756-6-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/3756-1-0x0000000000900000-0x0000000000AC0000-memory.dmp

Filesize
1.8MB

Download
memory/3756-4-0x000000001B720000-0x000000001B770000-memory.dmp

Filesize
320KB

Download
memory/3756-3-0x0000000002CC0000-0x0000000002CDC000-memory.dmp

Filesize
112KB

Download
memory/3756-2-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/4664-536-0x000000001B410000-0x000000001B422000-memory.dmp

Filesize
72KB

Download