dcrat | 448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5eca

Analysis

max time kernel
120s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
Size

1.7MB
MD5

b09d4f8b9be1ca3790fafb6c5faf66a0
SHA1

d17af72bde97583329a50fef411c3e3567b2578a
SHA256

448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5eca
SHA512

8036dcf63d62b6e9af455087c8009b6e429c86283a5fa8459ba0cee600808802029d2e1ea9e2cd47d53eac290f99189b6c8c5a9b1b97eb20b99586985fbe4470
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	2452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2452	schtasks.exe	83

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3844-1-0x0000000000280000-0x0000000000440000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ce3-30.dat	dcrat
behavioral2/files/0x000f000000023d0c-151.dat	dcrat
behavioral2/files/0x0011000000023d0d-221.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3216	powershell.exe
844	powershell.exe
3240	powershell.exe
1636	powershell.exe
3652	powershell.exe
1508	powershell.exe
2496	powershell.exe
4040	powershell.exe
4444	powershell.exe
3076	powershell.exe
4496	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 8 IoCs

pid	Process
224	fontdrvhost.exe
4112	fontdrvhost.exe
2884	fontdrvhost.exe
4832	fontdrvhost.exe
2876	fontdrvhost.exe
3572	fontdrvhost.exe
3972	fontdrvhost.exe
2560	fontdrvhost.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\e6c9b481da804f	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\RCXAFE6.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXBF94.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXB259.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXBF16.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\ea1d8f6d871115	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Internet Explorer\22eafd247d37c3	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXB1EB.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Crashpad\attachments\lsass.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\TextInputHost.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Internet Explorer\uk-UA\aa97147c4c782d	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Crashpad\attachments\lsass.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Crashpad\attachments\6203df4a6bafc7	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXA5BA.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXA5BB.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC1C8.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\7-Zip\Lang\winlogon.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\RCXAFE5.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXBD11.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\winlogon.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Internet Explorer\TextInputHost.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXBD12.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC1C9.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\7-Zip\Lang\cc11b995f2a76d	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\MusNotification.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Program Files\Internet Explorer\uk-UA\MusNotification.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Registration\CRMLog\RCXA7BF.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\bcastdvr\dllhost.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\Registration\CRMLog\66fc9ff0ee96c2	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\LiveKernelReports\Idle.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXB907.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\Fonts\RCXC3CF.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\Fonts\SearchApp.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\bcastdvr\5940a34987c991	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\Speech\Engines\TTS\en-US\RCXB47D.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\bcastdvr\RCXABDA.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\Fonts\SearchApp.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\Speech\Engines\TTS\en-US\5b884080fd4f94	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\LiveKernelReports\6ccacd8608530f	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\Fonts\38384e6a620884	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXA7C0.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\Registration\CRMLog\sihost.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\bcastdvr\RCXABDB.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\Registration\CRMLog\sihost.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File created	C:\Windows\bcastdvr\dllhost.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\LiveKernelReports\Idle.exe	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\Fonts\RCXC3CE.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\Speech\Engines\TTS\en-US\RCXB47E.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXB906.tmp	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4104	schtasks.exe
1748	schtasks.exe
1488	schtasks.exe
1584	schtasks.exe
712	schtasks.exe
1972	schtasks.exe
4700	schtasks.exe
3360	schtasks.exe
4608	schtasks.exe
3952	schtasks.exe
544	schtasks.exe
3796	schtasks.exe
2216	schtasks.exe
4948	schtasks.exe
2168	schtasks.exe
1636	schtasks.exe
592	schtasks.exe
2876	schtasks.exe
2052	schtasks.exe
4224	schtasks.exe
3528	schtasks.exe
4696	schtasks.exe
1808	schtasks.exe
3652	schtasks.exe
4044	schtasks.exe
3436	schtasks.exe
2356	schtasks.exe
688	schtasks.exe
4148	schtasks.exe
2736	schtasks.exe
4808	schtasks.exe
984	schtasks.exe
1452	schtasks.exe
1424	schtasks.exe
3416	schtasks.exe
3216	schtasks.exe
868	schtasks.exe
1468	schtasks.exe
2940	schtasks.exe
3768	schtasks.exe
2444	schtasks.exe
3924	schtasks.exe
5000	schtasks.exe
2136	schtasks.exe
5012	schtasks.exe
2340	schtasks.exe
1052	schtasks.exe
3556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
3076	powershell.exe
3076	powershell.exe
4444	powershell.exe
4444	powershell.exe
3216	powershell.exe
3216	powershell.exe
3652	powershell.exe
3652	powershell.exe
3240	powershell.exe
3240	powershell.exe
4496	powershell.exe
4496	powershell.exe
1508	powershell.exe
1508	powershell.exe
1636	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	224	fontdrvhost.exe
Token: SeDebugPrivilege	4112	fontdrvhost.exe
Token: SeDebugPrivilege	2884	fontdrvhost.exe
Token: SeDebugPrivilege	4832	fontdrvhost.exe
Token: SeDebugPrivilege	2876	fontdrvhost.exe
Token: SeDebugPrivilege	3572	fontdrvhost.exe
Token: SeDebugPrivilege	3972	fontdrvhost.exe
Token: SeDebugPrivilege	2560	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 3652	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	136
PID 3844 wrote to memory of 3652	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	136
PID 3844 wrote to memory of 4496	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	137
PID 3844 wrote to memory of 4496	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	137
PID 3844 wrote to memory of 3076	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	138
PID 3844 wrote to memory of 3076	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	138
PID 3844 wrote to memory of 4444	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	139
PID 3844 wrote to memory of 4444	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	139
PID 3844 wrote to memory of 1636	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	140
PID 3844 wrote to memory of 1636	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	140
PID 3844 wrote to memory of 1508	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	141
PID 3844 wrote to memory of 1508	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	141
PID 3844 wrote to memory of 3240	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	142
PID 3844 wrote to memory of 3240	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	142
PID 3844 wrote to memory of 4040	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	143
PID 3844 wrote to memory of 4040	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	143
PID 3844 wrote to memory of 844	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	144
PID 3844 wrote to memory of 844	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	144
PID 3844 wrote to memory of 2496	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	145
PID 3844 wrote to memory of 2496	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	145
PID 3844 wrote to memory of 3216	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	146
PID 3844 wrote to memory of 3216	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	146
PID 3844 wrote to memory of 2344	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	158
PID 3844 wrote to memory of 2344	3844	448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe	158
PID 2344 wrote to memory of 4356	2344	cmd.exe	161
PID 2344 wrote to memory of 4356	2344	cmd.exe	161
PID 2344 wrote to memory of 224	2344	cmd.exe	167
PID 2344 wrote to memory of 224	2344	cmd.exe	167
PID 224 wrote to memory of 4424	224	fontdrvhost.exe	170
PID 224 wrote to memory of 4424	224	fontdrvhost.exe	170
PID 224 wrote to memory of 1624	224	fontdrvhost.exe	171
PID 224 wrote to memory of 1624	224	fontdrvhost.exe	171
PID 4424 wrote to memory of 4112	4424	WScript.exe	172
PID 4424 wrote to memory of 4112	4424	WScript.exe	172
PID 4112 wrote to memory of 3020	4112	fontdrvhost.exe	176
PID 4112 wrote to memory of 3020	4112	fontdrvhost.exe	176
PID 4112 wrote to memory of 1824	4112	fontdrvhost.exe	177
PID 4112 wrote to memory of 1824	4112	fontdrvhost.exe	177
PID 3020 wrote to memory of 2884	3020	WScript.exe	180
PID 3020 wrote to memory of 2884	3020	WScript.exe	180
PID 2884 wrote to memory of 3432	2884	fontdrvhost.exe	182
PID 2884 wrote to memory of 3432	2884	fontdrvhost.exe	182
PID 2884 wrote to memory of 4912	2884	fontdrvhost.exe	183
PID 2884 wrote to memory of 4912	2884	fontdrvhost.exe	183
PID 3432 wrote to memory of 4832	3432	WScript.exe	185
PID 3432 wrote to memory of 4832	3432	WScript.exe	185
PID 4832 wrote to memory of 5024	4832	fontdrvhost.exe	187
PID 4832 wrote to memory of 5024	4832	fontdrvhost.exe	187
PID 4832 wrote to memory of 5076	4832	fontdrvhost.exe	188
PID 4832 wrote to memory of 5076	4832	fontdrvhost.exe	188
PID 5024 wrote to memory of 2876	5024	WScript.exe	191
PID 5024 wrote to memory of 2876	5024	WScript.exe	191
PID 2876 wrote to memory of 748	2876	fontdrvhost.exe	193
PID 2876 wrote to memory of 748	2876	fontdrvhost.exe	193
PID 2876 wrote to memory of 1592	2876	fontdrvhost.exe	194
PID 2876 wrote to memory of 1592	2876	fontdrvhost.exe	194
PID 748 wrote to memory of 3572	748	WScript.exe	195
PID 748 wrote to memory of 3572	748	WScript.exe	195
PID 3572 wrote to memory of 4344	3572	fontdrvhost.exe	197
PID 3572 wrote to memory of 4344	3572	fontdrvhost.exe	197
PID 3572 wrote to memory of 4336	3572	fontdrvhost.exe	198
PID 3572 wrote to memory of 4336	3572	fontdrvhost.exe	198
PID 4344 wrote to memory of 3972	4344	WScript.exe	199
PID 4344 wrote to memory of 3972	4344	WScript.exe	199

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe
"C:\Users\Admin\AppData\Local\Temp\448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5ecaN.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pwx3tkRMTj.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4356
- - C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
    "C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1e1e7c1-dc73-4bff-8fb8-50e473c103f4.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a44c0ba-a93a-47d9-a285-e8296f843955.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a9995c2-f602-4394-b902-f1f18220c432.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca344754-1509-4a72-bcec-e586f6a00151.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6a5831c-0a7d-4f5b-9c8d-eb63d89b99f2.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ef1fa8a-0fb0-4e09-9fd0-c04417431643.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3d399ac-cdf2-4e85-98e9-8d43edc83ca1.vbs"
        16⤵
        
        PID:2232
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        
        C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c428b61-463c-484b-9772-7a68f15c2a1f.vbs"
        18⤵
        
        PID:3656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c762b0d-daeb-4b61-8fea-7b97465a0940.vbs"
        18⤵
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64168511-72be-4aab-bc5f-d5d2af52a7e1.vbs"
        16⤵
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\febda0ba-92ea-418b-84a6-b42d1de01c6f.vbs"
        14⤵
        
        PID:4336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c22867-4665-40ab-95d9-7e1e5852f221.vbs"
        12⤵
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\798c764f-935c-4f5d-8748-16f0e0d6e280.vbs"
        10⤵
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fc240a8-dbf4-4fb0-aed9-7f4e2eb730e5.vbs"
        8⤵
        
        PID:4912
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c683ce4f-0b13-4531-9ba6-a6597bb3e2d9.vbs"
        6⤵
        
        PID:1824
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e3dc48b-d2a9-4ce4-8341-99c27e3ec6a7.vbs"
      4⤵
      PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\uk-UA\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\uk-UA\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\Engines\TTS\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\attachments\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\attachments\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\upfc.exe

Filesize
1.7MB

MD5
221b87e498d91f321de41441d4014ea1

SHA1
305bc23f25fe2e8eb34773e795efe0320aaea0f4

SHA256
c9e63c1cf95cd6053a7f203b5fdf3ba1f5aa9b1892c1676b83d00a693f8a841b

SHA512
66fa440914944c1da4094d566f636f72b33c77b04b68fbbc87b643c474d8b6f61a1e933707f530bb6f82640e616d95a84533795bd4ec297687d3a443d1914908

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe

Filesize
1.7MB

MD5
1f1f62ef9ed3bb428dc7cb070e4e58d5

SHA1
f344cf9d0e3d1f9fd44c469263c94afa23a6a2c9

SHA256
c23b3e5104513110011ec0839ff384ea01f7c61367b90154d8bc1c85a57d5c8a

SHA512
d58f0fedb7be77fc8c5abb5ad086e9339bfe9426fe5f3c67aa2c4ff7efb89d17c418ec2d697ef731e27a467c7bf17fc070aeb218dbd0069d0bf4c2d6e476f44f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a9995c2-f602-4394-b902-f1f18220c432.vbs

Filesize
727B

MD5
539b2c8317140e4bba16fc35d1809383

SHA1
f490d58362a9260809ad69df7f748e19db030c17

SHA256
7d8825e4dd6b3d8ecc857bb7e67baf89cc57152fbe12110f5a288a2f9ef6b93c

SHA512
1cb884d09622dd17b81fb6a49c6d00d4b1f0557ac87e46b8b7c131e3ea9f137cac694b2aa5c62d5b41bda703146003450badc20bdf7cade21c0e2c506981f6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ef1fa8a-0fb0-4e09-9fd0-c04417431643.vbs

Filesize
727B

MD5
326289b750b54e36e7b1d62482518901

SHA1
f2357072d70011f861dbe6698f4937e01c11faec

SHA256
405b164284d37349bd4ad2672df089ca657efd04a82f6f102bba5bbe3df6e39d

SHA512
1558a8bca046beb1fb1254917e13996f53b88c366695743ecf7d1cfe227a711e7022d9d5c4f528b5ba68a54d7ff75a68756355e666275bfe25b11744eea4eec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a44c0ba-a93a-47d9-a285-e8296f843955.vbs

Filesize
727B

MD5
0e2869a5ec0ac4458cc790c98e52250e

SHA1
606f0a60ecdfac490af964eafa45f07367dee504

SHA256
08097392615cc0636c5dea8dc06bda1b4beb31ffe40c9c67fc11e49042d5ca33

SHA512
07f15efc45ef9201b7c0c7cffaf4a664758dd8103341cfe9b882a7508d68bd928c9a8e59c3b733756b089bcba1845edcd805b058f1886ece5f5021b3880b967f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e3dc48b-d2a9-4ce4-8341-99c27e3ec6a7.vbs

Filesize
503B

MD5
a65ff9ac3907d55390a70c8b07b8cbf8

SHA1
59d45124bb3b920e2a04ac15b213668a66d31563

SHA256
1a6e88645ad8059c840847995bba22d85f2d2d1d970c6c7bb786d6ae0ee596ac

SHA512
824527b06ad55f2ccfda9256a5c04fe1a67dc61715355ac35a445bf4d5ae91e912024b73b7592870410318edb28d9a9b7d46830c0b617e6b2355287ebebf1ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c428b61-463c-484b-9772-7a68f15c2a1f.vbs

Filesize
727B

MD5
34c50709fc22ab1de36a1f3fa7438e6e

SHA1
536faaa755c906bd6006c2a2ce2536f6f4e4318b

SHA256
ce0140cbacb685650c655679fe451f66e3e4ba3f48f64d6cb953f6e84ba7107f

SHA512
8a3d6dd1fc901643f029019c781134787a8ee81e6d0bf3738ffa67e3df31dac3126ff5251999ca8a1a048aae07e87dc75cbff99686734c325bb2e07605359195

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0fdbtyym.0rf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1e1e7c1-dc73-4bff-8fb8-50e473c103f4.vbs

Filesize
726B

MD5
1e3ca8cafa866abe6949607923d6074b

SHA1
90845badcc3152ec26b7fa6a16c9457e44692e65

SHA256
3dd150cce87a3ea37cd84201d98da58f0a8be0d2da3ccaa2032709ee3c0bc71a

SHA512
87db0986f76bdc1f9aafc4efcd1b47f5bf920726452bbcd8d33bc2207f2235e22804ffdce088d7839f6f38bcb8e20de378a58bc1129731d7587a2cbb6733c6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3d399ac-cdf2-4e85-98e9-8d43edc83ca1.vbs

Filesize
727B

MD5
2aa4a572bcc377096d2dd04ffec6581d

SHA1
d0b3eaae0636747add931c27fa5d3fffe2b5ba00

SHA256
89c389ff4701d7172dc00fc40216faf979a333a78f196da3d368c2a0087248ed

SHA512
9e93748026330d17a92c8efd34d3e7b5ce27cd56410c5faa68bdf3f1d63e170054a1540485b24f096faf8a4a55e1eeb8245e36cc56cbdf602416aec83d43db48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca344754-1509-4a72-bcec-e586f6a00151.vbs

Filesize
727B

MD5
300572cf738a134135fdf34cc03de557

SHA1
22536d763f3875503c726643bece852fa1b64f29

SHA256
649b11824c6c435355c51d622a043369590b4e205d873cf12bb195217fa894f7

SHA512
642db4bf457dd3fc14bf2b633601e290637bd8047f615d10f1342853e079063547c2451cb8c58928770ba009e63c611ca6f303fd9ae63ef1b5ddc368106da9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6a5831c-0a7d-4f5b-9c8d-eb63d89b99f2.vbs

Filesize
727B

MD5
8dd2d642ce4b86ec8e1a632bc6093e24

SHA1
eab148d187ee32e2cd2acf67831f8ead3a19d3db

SHA256
d77ca2a7398b86ef47d870013a72dae091d51a1be23a5afde4249bdf4e4eb6e4

SHA512
c6f2c0c9af3cf6023d60f1be835b3b1c3edd127e27f7c12810ccacb988a944981cc472ff9ee5edf2f33f74e25a1715815fb6e725a4ecacfe77f66276b6cb7153

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwx3tkRMTj.bat

Filesize
216B

MD5
b124da142c313404a07800ce8d04b35f

SHA1
0c7e9dbb09421177d13cd79c268401f8b97ae4f3

SHA256
3463fbca1532c10bf5531f316a6422d58e73297fbcaf728bfefbb64bb7ec7e33

SHA512
50e93428e622504886e242f85e740054c56e68c2ada023834350b69a4dd9f44ca040e45cdbee56bea008f271f4d1c2bc51e85714c2a71080d945a7cbaad157f6

Download Submit
C:\Windows\bcastdvr\dllhost.exe

Filesize
1.7MB

MD5
b09d4f8b9be1ca3790fafb6c5faf66a0

SHA1
d17af72bde97583329a50fef411c3e3567b2578a

SHA256
448a30dbc1268d9564c96a74ca16bec832f6c11cc870b7daf3d024947e7e5eca

SHA512
8036dcf63d62b6e9af455087c8009b6e429c86283a5fa8459ba0cee600808802029d2e1ea9e2cd47d53eac290f99189b6c8c5a9b1b97eb20b99586985fbe4470

Download Submit
memory/224-397-0x000000001B600000-0x000000001B612000-memory.dmp

Filesize
72KB

Download
memory/844-378-0x00000259696C0000-0x000002596980E000-memory.dmp

Filesize
1.3MB

Download
memory/1508-384-0x000002C661D80000-0x000002C661ECE000-memory.dmp

Filesize
1.3MB

Download
memory/1636-369-0x0000025EB2CA0000-0x0000025EB2DEE000-memory.dmp

Filesize
1.3MB

Download
memory/2496-393-0x000001CDC6AE0000-0x000001CDC6C2E000-memory.dmp

Filesize
1.3MB

Download
memory/3076-375-0x0000026FB8C40000-0x0000026FB8D8E000-memory.dmp

Filesize
1.3MB

Download
memory/3076-276-0x0000026FB8C10000-0x0000026FB8C32000-memory.dmp

Filesize
136KB

Download
memory/3216-381-0x000002CAF95E0000-0x000002CAF972E000-memory.dmp

Filesize
1.3MB

Download
memory/3240-390-0x000001AEF9080000-0x000001AEF91CE000-memory.dmp

Filesize
1.3MB

Download
memory/3652-389-0x000001DB57910000-0x000001DB57A5E000-memory.dmp

Filesize
1.3MB

Download
memory/3844-9-0x000000001B0B0000-0x000000001B0BC000-memory.dmp

Filesize
48KB

Download
memory/3844-17-0x000000001B890000-0x000000001B898000-memory.dmp

Filesize
32KB

Download
memory/3844-23-0x00007FFECECA0000-0x00007FFECF761000-memory.dmp

Filesize
10.8MB

Download
memory/3844-22-0x00007FFECECA0000-0x00007FFECF761000-memory.dmp

Filesize
10.8MB

Download
memory/3844-1-0x0000000000280000-0x0000000000440000-memory.dmp

Filesize
1.8MB

Download
memory/3844-3-0x0000000000C60000-0x0000000000C7C000-memory.dmp

Filesize
112KB

Download
memory/3844-19-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

Filesize
48KB

Download
memory/3844-15-0x000000001B870000-0x000000001B87A000-memory.dmp

Filesize
40KB

Download
memory/3844-16-0x000000001B880000-0x000000001B88E000-memory.dmp

Filesize
56KB

Download
memory/3844-202-0x00007FFECECA0000-0x00007FFECF761000-memory.dmp

Filesize
10.8MB

Download
memory/3844-258-0x00007FFECECA0000-0x00007FFECF761000-memory.dmp

Filesize
10.8MB

Download
memory/3844-18-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

Filesize
48KB

Download
memory/3844-251-0x00007FFECECA0000-0x00007FFECF761000-memory.dmp

Filesize
10.8MB

Download
memory/3844-4-0x000000001B0E0000-0x000000001B130000-memory.dmp

Filesize
320KB

Download
memory/3844-0-0x00007FFECECA3000-0x00007FFECECA5000-memory.dmp

Filesize
8KB

Download
memory/3844-2-0x00007FFECECA0000-0x00007FFECF761000-memory.dmp

Filesize
10.8MB

Download
memory/3844-14-0x000000001B760000-0x000000001B76C000-memory.dmp

Filesize
48KB

Download
memory/3844-13-0x000000001BC90000-0x000000001C1B8000-memory.dmp

Filesize
5.2MB

Download
memory/3844-12-0x000000001B0D0000-0x000000001B0E2000-memory.dmp

Filesize
72KB

Download
memory/3844-10-0x000000001B0C0000-0x000000001B0C8000-memory.dmp

Filesize
32KB

Download
memory/3844-226-0x00007FFECECA0000-0x00007FFECF761000-memory.dmp

Filesize
10.8MB

Download
memory/3844-8-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/3844-177-0x00007FFECECA3000-0x00007FFECECA5000-memory.dmp

Filesize
8KB

Download
memory/3844-7-0x000000001B090000-0x000000001B0A6000-memory.dmp

Filesize
88KB

Download
memory/3844-5-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/3844-6-0x0000000002680000-0x0000000002690000-memory.dmp

Filesize
64KB

Download
memory/3972-466-0x0000000003260000-0x0000000003272000-memory.dmp

Filesize
72KB

Download
memory/4040-366-0x00000205C9ED0000-0x00000205CA01E000-memory.dmp

Filesize
1.3MB

Download
memory/4112-410-0x000000001BE30000-0x000000001BE42000-memory.dmp

Filesize
72KB

Download
memory/4444-372-0x00000142F4460000-0x00000142F45AE000-memory.dmp

Filesize
1.3MB

Download
memory/4496-362-0x000002E318550000-0x000002E31869E000-memory.dmp

Filesize
1.3MB

Download