dcrat | abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Size

1.7MB
MD5

92f20cf5b97297600b5272178b6534c7
SHA1

3d7b513aea13d6a7c7e66d0a74d0af11b8d7f625
SHA256

abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b
SHA512

81f0c12d78f958d1a1d74bd13ed015c878bef5a51040ab9346713a47626a58e163f6568b9f97803b18b49a583b5622c61fd065d9fe957af8763ce80edd3135c4
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4200	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4200	schtasks.exe	82

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4348-1-0x0000000000B50000-0x0000000000D10000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca9-30.dat	dcrat
behavioral2/files/0x0008000000023ca0-100.dat	dcrat
behavioral2/files/0x0009000000023ca5-111.dat	dcrat
behavioral2/files/0x000c000000023ca9-156.dat	dcrat
behavioral2/files/0x0007000000023cd0-203.dat	dcrat
behavioral2/memory/1048-353-0x0000000000D70000-0x0000000000F30000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cd7-436.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
4552	powershell.exe
4896	powershell.exe
3512	powershell.exe
4332	powershell.exe
4736	powershell.exe
4216	powershell.exe
1488	powershell.exe
1208	powershell.exe
4928	powershell.exe
2744	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 9 IoCs

pid	Process
1048	winlogon.exe
5076	winlogon.exe
2012	winlogon.exe
4996	winlogon.exe
2316	winlogon.exe
2756	winlogon.exe
1372	winlogon.exe
4192	winlogon.exe
1052	winlogon.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\22eafd247d37c3	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\explorer.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\7a0fd90576e088	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\TextInputHost.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXC07A.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Common Files\ee2ad38f3d4382	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCXB7C8.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXC80F.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXC810.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Registry.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\TextInputHost.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCXB7C7.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXC0E8.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\explorer.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Common Files\Registry.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Help\Windows\IndexStore\smss.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\Help\Windows\IndexStore\69ddcba757bf72	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\Speech\Engines\aa97147c4c782d	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Help\Windows\IndexStore\RCXAB2B.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Speech\Engines\RCXBC60.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Speech\Engines\MusNotification.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\Speech\Engines\MusNotification.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Help\Windows\IndexStore\RCXAB2A.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Help\Windows\IndexStore\smss.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Speech\Engines\RCXBC5F.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3116	schtasks.exe
4112	schtasks.exe
4872	schtasks.exe
4740	schtasks.exe
4996	schtasks.exe
4724	schtasks.exe
1072	schtasks.exe
1372	schtasks.exe
3228	schtasks.exe
3712	schtasks.exe
1484	schtasks.exe
4164	schtasks.exe
2624	schtasks.exe
2960	schtasks.exe
4888	schtasks.exe
1068	schtasks.exe
1056	schtasks.exe
4752	schtasks.exe
4852	schtasks.exe
2488	schtasks.exe
4160	schtasks.exe
2192	schtasks.exe
4144	schtasks.exe
4956	schtasks.exe
1496	schtasks.exe
1280	schtasks.exe
1060	schtasks.exe
1976	schtasks.exe
1232	schtasks.exe
1140	schtasks.exe
2728	schtasks.exe
3988	schtasks.exe
4152	schtasks.exe
4692	schtasks.exe
2052	schtasks.exe
2340	schtasks.exe
1868	schtasks.exe
2756	schtasks.exe
4576	schtasks.exe
1076	schtasks.exe
1964	schtasks.exe
3464	schtasks.exe
3032	schtasks.exe
760	schtasks.exe
4652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
4332	powershell.exe
4332	powershell.exe
4896	powershell.exe
4896	powershell.exe
4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1048	winlogon.exe
Token: SeDebugPrivilege	5076	winlogon.exe
Token: SeDebugPrivilege	2012	winlogon.exe
Token: SeDebugPrivilege	4996	winlogon.exe
Token: SeDebugPrivilege	2316	winlogon.exe
Token: SeDebugPrivilege	2756	winlogon.exe
Token: SeDebugPrivilege	1372	winlogon.exe
Token: SeDebugPrivilege	4192	winlogon.exe
Token: SeDebugPrivilege	1052	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 3512	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	131
PID 4348 wrote to memory of 3512	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	131
PID 4348 wrote to memory of 2744	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	132
PID 4348 wrote to memory of 2744	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	132
PID 4348 wrote to memory of 4332	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	133
PID 4348 wrote to memory of 4332	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	133
PID 4348 wrote to memory of 4736	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	134
PID 4348 wrote to memory of 4736	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	134
PID 4348 wrote to memory of 4896	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	135
PID 4348 wrote to memory of 4896	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	135
PID 4348 wrote to memory of 4928	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	138
PID 4348 wrote to memory of 4928	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	138
PID 4348 wrote to memory of 4216	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	141
PID 4348 wrote to memory of 4216	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	141
PID 4348 wrote to memory of 1488	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	143
PID 4348 wrote to memory of 1488	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	143
PID 4348 wrote to memory of 4552	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	144
PID 4348 wrote to memory of 4552	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	144
PID 4348 wrote to memory of 2668	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	146
PID 4348 wrote to memory of 2668	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	146
PID 4348 wrote to memory of 1208	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	148
PID 4348 wrote to memory of 1208	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	148
PID 4348 wrote to memory of 2672	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	153
PID 4348 wrote to memory of 2672	4348	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	153
PID 2672 wrote to memory of 3704	2672	cmd.exe	155
PID 2672 wrote to memory of 3704	2672	cmd.exe	155
PID 2672 wrote to memory of 1048	2672	cmd.exe	157
PID 2672 wrote to memory of 1048	2672	cmd.exe	157
PID 1048 wrote to memory of 1872	1048	winlogon.exe	160
PID 1048 wrote to memory of 1872	1048	winlogon.exe	160
PID 1048 wrote to memory of 2804	1048	winlogon.exe	161
PID 1048 wrote to memory of 2804	1048	winlogon.exe	161
PID 1872 wrote to memory of 5076	1872	WScript.exe	164
PID 1872 wrote to memory of 5076	1872	WScript.exe	164
PID 5076 wrote to memory of 1868	5076	winlogon.exe	165
PID 5076 wrote to memory of 1868	5076	winlogon.exe	165
PID 5076 wrote to memory of 3300	5076	winlogon.exe	166
PID 5076 wrote to memory of 3300	5076	winlogon.exe	166
PID 1868 wrote to memory of 2012	1868	WScript.exe	167
PID 1868 wrote to memory of 2012	1868	WScript.exe	167
PID 2012 wrote to memory of 1324	2012	winlogon.exe	168
PID 2012 wrote to memory of 1324	2012	winlogon.exe	168
PID 2012 wrote to memory of 4216	2012	winlogon.exe	169
PID 2012 wrote to memory of 4216	2012	winlogon.exe	169
PID 1324 wrote to memory of 4996	1324	WScript.exe	170
PID 1324 wrote to memory of 4996	1324	WScript.exe	170
PID 4996 wrote to memory of 2572	4996	winlogon.exe	171
PID 4996 wrote to memory of 2572	4996	winlogon.exe	171
PID 4996 wrote to memory of 4416	4996	winlogon.exe	172
PID 4996 wrote to memory of 4416	4996	winlogon.exe	172
PID 2572 wrote to memory of 2316	2572	WScript.exe	173
PID 2572 wrote to memory of 2316	2572	WScript.exe	173
PID 2316 wrote to memory of 3172	2316	winlogon.exe	174
PID 2316 wrote to memory of 3172	2316	winlogon.exe	174
PID 2316 wrote to memory of 4964	2316	winlogon.exe	175
PID 2316 wrote to memory of 4964	2316	winlogon.exe	175
PID 3172 wrote to memory of 2756	3172	WScript.exe	176
PID 3172 wrote to memory of 2756	3172	WScript.exe	176
PID 2756 wrote to memory of 3216	2756	winlogon.exe	177
PID 2756 wrote to memory of 3216	2756	winlogon.exe	177
PID 2756 wrote to memory of 4056	2756	winlogon.exe	178
PID 2756 wrote to memory of 4056	2756	winlogon.exe	178
PID 3216 wrote to memory of 1372	3216	WScript.exe	179
PID 3216 wrote to memory of 1372	3216	WScript.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
"C:\Users\Admin\AppData\Local\Temp\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KXOElKnCOE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3704
- - C:\Recovery\WindowsRE\winlogon.exe
    "C:\Recovery\WindowsRE\winlogon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5de70fe4-d518-4e9c-901b-13545761a0ab.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\482a7edb-8257-47bb-b7bc-0adccf0424fa.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdb1df12-d4ac-4674-a0a4-e37e71d602bc.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b3a5298-7571-4ade-bc5e-4cdde5031677.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eb17330-10b0-4f22-a624-857a2c9d9db0.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eccf4b3b-487e-40d5-955d-2353c607fb28.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0d3d885-3c1b-418e-a4df-40bc3fd5f979.vbs"
        16⤵
        
        PID:3220
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5233ad7c-ee29-4908-8c92-9433f9b64d04.vbs"
        18⤵
        
        PID:4480
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa7b5270-593d-4fa9-8d9b-d42781233ef8.vbs"
        20⤵
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d90e9cc2-40fc-4acd-a77a-16dc9d18cf0c.vbs"
        20⤵
        
        PID:4412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed6417c3-2019-45e5-a711-249ed728f40a.vbs"
        18⤵
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e709203-fb4d-40a5-81dd-05106bba422b.vbs"
        16⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\032d9e06-436f-4d39-be25-f4d34644c1b7.vbs"
        14⤵
        
        PID:4056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b24209cc-8b88-4846-bbae-82e9275a8f11.vbs"
        12⤵
        
        PID:4964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac4f597a-74ae-4f02-b5c1-0fabcc3e1c34.vbs"
        10⤵
        
        PID:4416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb64a3a5-fe82-4d55-a01b-d5052284bce5.vbs"
        8⤵
        
        PID:4216
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e51821a-a3b5-4af4-8998-646faf2b618d.vbs"
        6⤵
        
        PID:3300
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bfec6df-ecf9-4603-b5fa-99c6163b38dd.vbs"
      4⤵
      PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\Windows\IndexStore\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Help\Windows\IndexStore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\Windows\IndexStore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983ba" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b" /sc ONLOGON /tr "'C:\Users\Default User\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983ba" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\Engines\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Default\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.7MB

MD5
30fda4a9e6df2e09f4cf27c5aad84151

SHA1
e95660b2fc3838c22c4722a1199c6f940c4a7cf5

SHA256
3f9219f1fa59d9271d1bb8019e5f2461dd6c1057cb6e8bef625b1c7639f3641a

SHA512
86ee02da5ca3e157b4db5aeffb292f1ca1f64b9535a61ca19cde6a2a92ff3b806d6005b821eaa9d1ad005e8fa86f6d5917f58cfb6b076357ad51db67435640ce

Download Submit
C:\Recovery\WindowsRE\winlogon.exe

Filesize
1.7MB

MD5
347371196922e0039551ce6b680ef705

SHA1
157693d78f2ca932599e36fd010ac3ae45389bd2

SHA256
8b01c3106ffe7e7227737b8b51a741c58b9484deb4f0abc08a545da65bc64f26

SHA512
ade169f2d0a4a6beaa6bd3ac84e74c5b1b54ed57ff8c055c41cc8c6c24e18f0ecc65b5640280c311c08594686e46f16fb710008fa4b0e1ed153070e0ab93fad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\482a7edb-8257-47bb-b7bc-0adccf0424fa.vbs

Filesize
710B

MD5
e2f05044a8b665ac91fc9e2c5780d61a

SHA1
e96ebdc34bbdc7e162ca6f65ab371c208652d349

SHA256
0faa46356e672cad2a47bd8ca455d4443d86924e3ef178f6b3a87b26de7813b4

SHA512
504aecf7da519e2d76dc694d4c895b43a6e7d928be2da728aef9b90d5f7268b047d415478d38dcfc85d06e143bd8ac09f1e302747595bfa39369f4a4e1c1c699

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eb17330-10b0-4f22-a624-857a2c9d9db0.vbs

Filesize
710B

MD5
7dac5c1ee61432d2018839736d0f83ae

SHA1
057feca8ac5845e27d19967c2a9e10ec2e743a9d

SHA256
5f718b969310588922eb893600749287a0784ecbcf60797f67d0d43f64b74e2c

SHA512
506388c6142af308689d41754d4b5b213a500bd05ea8cc0136d9e9bb86d949ce7368883d992927786d2a21e9904e7f4b61cae2b19569aeca41aa1e14140897f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5233ad7c-ee29-4908-8c92-9433f9b64d04.vbs

Filesize
710B

MD5
3d1797ceb1da4d19d61eec8c87ccb32b

SHA1
345c8e85c07648c3d253f738a21960fcb8785a16

SHA256
6bdd20c6e4e3194d1b780736cc9b2f61d23f896ff0dbd4fea75a9a6f7d853b29

SHA512
b24d7b391690490b27c16a414b2a92307a7034a28b57df67b4d5f173a24a5f863848be6d247cbd58f940030723fe49ba9d1399a8abc39fd33ccf5bd0e842f851

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b3a5298-7571-4ade-bc5e-4cdde5031677.vbs

Filesize
710B

MD5
7983498f3a433de6dcdd74afd14a702d

SHA1
6dd0f2a1c004cc83effb7ef0d7b2de5df45c9890

SHA256
143fc39ddb369f9da41a078af6c379567717ed4ba93e417f5d0a871bcbd1c3d9

SHA512
008ce0784d6a3fb4fc43fdf8d07eadd29eea05cb25926e2ffd4694c4cbabd7123fc6b5d26370d8dcbb085097d68dd15700edf4f5e02583a8a8c357fba6dee743

Download Submit
C:\Users\Admin\AppData\Local\Temp\5de70fe4-d518-4e9c-901b-13545761a0ab.vbs

Filesize
710B

MD5
d2dec284c0bb7dc6f8b42494ce22cc18

SHA1
610b7eb19c382dc420d4af444d5ceb5039842a99

SHA256
7612a3262a5d43b74301cfc2d8ba43ed342f122a6ee22eaf68c079da69dbf04c

SHA512
6aafd8125281156142bec3b20900e0b57e18db8b580becd1af43d0f752c840ecff2337456fb5e09a497044512fb1010945315a5f371929e59b6dd7bc76c0a3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bfec6df-ecf9-4603-b5fa-99c6163b38dd.vbs

Filesize
486B

MD5
5ef998ec0e515b2599bee1a1c6524ecb

SHA1
ae1506d766498244a0975d75191e377fe172f6bf

SHA256
478535983a97f51e22de3469656b4b6e7bfe4a5bde360caa95efe45ec111cb9c

SHA512
46a1c9dd22c91eef15ae280d8ae8d2b37f7582fc80c8112797fa6ccbb29b0260487e84e7d1150c193044b21da5f4eeeb8e11b0e9683b002ef0b82a12bdd04748

Download Submit
C:\Users\Admin\AppData\Local\Temp\KXOElKnCOE.bat

Filesize
199B

MD5
757029d5f8cd7f5dd75640a97a6c13ca

SHA1
4473ed86027cf51564b38b737ff90ac876046de4

SHA256
889c8f4ad0466fcea7f55688ddffe3f107d4f9b3abadf71a221e0dea3944eece

SHA512
a5e95d3ab2292c29016cb1a2af1ece2372520990efe5557e164c83c49f265daf0e0d2a99fbbfe7c88db4c8b67277a07e0c31929eb93d89e9fee87743f62fc975

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5sib5d3m.uwh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdb1df12-d4ac-4674-a0a4-e37e71d602bc.vbs

Filesize
710B

MD5
d875fb738252a15042f27db3ea2a1130

SHA1
a758d055b34acedbfffeffe21c29aef32cba26a8

SHA256
9db7cc2b09ac266db5571afe439886c548de6f12e52f9f46fa469e3d1f9b8159

SHA512
7f833b8a60c31ae5e38630512da1e1e91683aa869d65a18f06056229caebb318ed2d47928eadd394ac592fa3789b4ae2d92a3ca79410e7b6b16748ad00a02ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9c8d3c382e2ae4299856b445478bd45361a3078.exe

Filesize
1.7MB

MD5
88350c7bb8b62a2e7e2916b978b1297c

SHA1
1751710dac432f13248147708a82e94ee7e9d8fb

SHA256
b145990b5b419f16440308a597d616e7b8c5c425b554e767a8f6ee0dbacddc0c

SHA512
2c0877570416ec4197958a44e8aa3660a2a8bf659f392e02beaef2f12c1b41c379ba9e3182a7c8f103d5634a7f45960b66c779d685c94233392def77ff267b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\eccf4b3b-487e-40d5-955d-2353c607fb28.vbs

Filesize
710B

MD5
230752153b67e99f39d8b7b31cd3bab5

SHA1
c9023154481d4462691606ccc79722b6542a7154

SHA256
427ba62ce1b6453f4ae78e9af24fb9c3472a24a7a6a4458c6f4b6badc4ed91e5

SHA512
78109984ddcd49c75dbb21a7ae035b6e404525464965827e23ba6dbd71457d396e43d2ad5fb1d340e1d2a94886335e9ab7a8b98d4551d727e547a9cfb7821913

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0d3d885-3c1b-418e-a4df-40bc3fd5f979.vbs

Filesize
710B

MD5
2e51e9e8e4b169c1fc88aa22d7580403

SHA1
37d7687c9cd12bfd23a494ed07b40630fda475c6

SHA256
800d0b9c041221d1df156d6bf70c7e621f709306b284c8e0084b51ec6e464a4f

SHA512
5694d857b75ea30cf666120606779ba6e8877cb02c3332cc735c9d7902d3c2d5fda014462cf43058f68798800b30e83f885e203ef5de261a6a6f11bd75e5eec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa7b5270-593d-4fa9-8d9b-d42781233ef8.vbs

Filesize
710B

MD5
2c999df88854a313771f5a72fe42e0ba

SHA1
9b3682a3f5ac6f6fbc3bb0e7b10f2d794c961524

SHA256
9386113d5db0f05574f50f5e926403501076f8fd06294d876d761a587c796197

SHA512
0de5e90551e86bfcac4ba511835034ca455c2a0a74585984cf3373ba3204d76653a73a22c4db7bee80a57ea7ccdf28a71651f043a6dc70b00bbb517a54654292

Download Submit
C:\Users\Admin\Downloads\wininit.exe

Filesize
1.7MB

MD5
14139bb960243ccf81fcb6e9918ff0ef

SHA1
fae4c016b101c2029aaa1e60499445ffa2cf2abf

SHA256
4724eaebab03fcbe7d5e57a9012651c838b0600224a120a318148c8a73c515e1

SHA512
6f16a2bf563b2effcd35aa754aa0a2ac3e9a5e2acc20b13e4410fcf71996826e19b35576d4023e41866cd47040a5dc13c4ccea8c01925ee027ba3c3d937c9bc9

Download Submit
C:\Users\Default\MusNotification.exe

Filesize
1.7MB

MD5
92f20cf5b97297600b5272178b6534c7

SHA1
3d7b513aea13d6a7c7e66d0a74d0af11b8d7f625

SHA256
abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b

SHA512
81f0c12d78f958d1a1d74bd13ed015c878bef5a51040ab9346713a47626a58e163f6568b9f97803b18b49a583b5622c61fd065d9fe957af8763ce80edd3135c4

Download Submit
C:\Users\Default\MusNotification.exe

Filesize
1.7MB

MD5
ccd78944e238a651905c4409e4631f8d

SHA1
94febbd7ea86b413c199224c500a3e06ad3d7af2

SHA256
fa4af241b42e1ec8b0de9f803ccaba752059c81c1b61371a690fe6825bcdd1a6

SHA512
65b6165b1d977bb0398869932089900bf49b33edc5045b8882603074ef91d727d229911e9ef9d948c24b942827f978b111941487ab6772013c39d3b2e06f9120

Download Submit
memory/1048-353-0x0000000000D70000-0x0000000000F30000-memory.dmp

Filesize
1.8MB

Download
memory/1048-354-0x000000001BAB0000-0x000000001BAC2000-memory.dmp

Filesize
72KB

Download
memory/4332-235-0x000001F635340000-0x000001F635362000-memory.dmp

Filesize
136KB

Download
memory/4348-14-0x000000001C030000-0x000000001C03C000-memory.dmp

Filesize
48KB

Download
memory/4348-208-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/4348-291-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/4348-184-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/4348-159-0x00007FFA7C2A3000-0x00007FFA7C2A5000-memory.dmp

Filesize
8KB

Download
memory/4348-23-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/4348-22-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/4348-19-0x000000001C270000-0x000000001C27C000-memory.dmp

Filesize
48KB

Download
memory/4348-15-0x000000001C290000-0x000000001C29A000-memory.dmp

Filesize
40KB

Download
memory/4348-17-0x000000001C150000-0x000000001C158000-memory.dmp

Filesize
32KB

Download
memory/4348-18-0x000000001C260000-0x000000001C26C000-memory.dmp

Filesize
48KB

Download
memory/4348-16-0x000000001C140000-0x000000001C14E000-memory.dmp

Filesize
56KB

Download
memory/4348-0-0x00007FFA7C2A3000-0x00007FFA7C2A5000-memory.dmp

Filesize
8KB

Download
memory/4348-13-0x000000001C560000-0x000000001CA88000-memory.dmp

Filesize
5.2MB

Download
memory/4348-12-0x000000001C000000-0x000000001C012000-memory.dmp

Filesize
72KB

Download
memory/4348-10-0x000000001BFF0000-0x000000001BFF8000-memory.dmp

Filesize
32KB

Download
memory/4348-9-0x000000001BF90000-0x000000001BF9C000-memory.dmp

Filesize
48KB

Download
memory/4348-5-0x000000001B930000-0x000000001B938000-memory.dmp

Filesize
32KB

Download
memory/4348-7-0x000000001BF60000-0x000000001BF76000-memory.dmp

Filesize
88KB

Download
memory/4348-8-0x000000001BF80000-0x000000001BF90000-memory.dmp

Filesize
64KB

Download
memory/4348-4-0x000000001BFA0000-0x000000001BFF0000-memory.dmp

Filesize
320KB

Download
memory/4348-6-0x000000001BF50000-0x000000001BF60000-memory.dmp

Filesize
64KB

Download
memory/4348-3-0x000000001B800000-0x000000001B81C000-memory.dmp

Filesize
112KB

Download
memory/4348-2-0x00007FFA7C2A0000-0x00007FFA7CD61000-memory.dmp

Filesize
10.8MB

Download
memory/4348-1-0x0000000000B50000-0x0000000000D10000-memory.dmp

Filesize
1.8MB

Download