dcrat | d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885

Analysis

max time kernel
112s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
Size

2.5MB
MD5

dbb2561808f77df19c729393b7e2c004
SHA1

d06044c1eb2f286017e03b02e389cca516c55fc0
SHA256

d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885
SHA512

54e8959bfc848bad7c2f97eacc8635e0316b68befd0bfa769b07c0216f2e89b84e4d187df15deeda2abbec95266083199879ddf2b8c88985ff79b22c8948b06f
SSDEEP

49152:BTmiAznN8OLA03GMjKoZYz+WqE3GMAsH4wDnyBMzTvAaULscNpVQPUmXqO:0iAzSOLA0cooNrkSD6brVlU

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		5904	schtasks.exe
		1448	schtasks.exe
		4680	schtasks.exe
		1800	schtasks.exe
		1768	schtasks.exe
		4068	schtasks.exe
		372	schtasks.exe
		3232	schtasks.exe
		4232	schtasks.exe
		4904	schtasks.exe
		1108	schtasks.exe
		5068	schtasks.exe
		6032	schtasks.exe
		6004	schtasks.exe
		2508	schtasks.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\04c1e7795967e4		d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
		5916	schtasks.exe
		3516	schtasks.exe
		1760	schtasks.exe
		5096	schtasks.exe
		5072	schtasks.exe
File created	C:\Program Files\Google\Chrome\Application\9e8d7a4ca61bd9		d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
		6048	schtasks.exe
		5864	schtasks.exe
File created	C:\Program Files (x86)\Microsoft.NET\886983d96e3d3e		d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Common Files\Services\e6c9b481da804f		d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
		4332	schtasks.exe
		3992	schtasks.exe
		2800	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\1f93f77a7f4778		d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
		3252	schtasks.exe
		528	schtasks.exe
		4940	schtasks.exe
		4260	schtasks.exe
		5440	schtasks.exe
		2884	schtasks.exe
		1884	schtasks.exe
		3060	schtasks.exe
		4912	schtasks.exe
		2488	schtasks.exe
		4320	schtasks.exe
		4768	schtasks.exe
		1316	schtasks.exe
		6108	schtasks.exe
		2884	schtasks.exe
		1964	schtasks.exe
		440	schtasks.exe
		2456	schtasks.exe
		5624	schtasks.exe
		2624	schtasks.exe
		5848	schtasks.exe
		5900	schtasks.exe
		1056	schtasks.exe
		2060	schtasks.exe
		3404	schtasks.exe
		4848	schtasks.exe
		3080	schtasks.exe
		3944	schtasks.exe
		4988	schtasks.exe
		5868	schtasks.exe
		5684	schtasks.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f		d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
		4948	schtasks.exe
		2184	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5396	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5592	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5624	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6032	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5916	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5848	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5900	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5868	2140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2140	schtasks.exe	85

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3172-13-0x0000000000400000-0x00000000005D8000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 30 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2004	powershell.exe
4904	powershell.exe
2164	powershell.exe
4516	powershell.exe
4548	powershell.exe
2788	powershell.exe
2564	powershell.exe
5508	powershell.exe
2556	powershell.exe
1416	powershell.exe
4164	powershell.exe
4916	powershell.exe
5068	powershell.exe
948	powershell.exe
2928	powershell.exe
664	powershell.exe
5436	powershell.exe
1108	powershell.exe
4444	powershell.exe
1260	powershell.exe
4988	powershell.exe
5936	powershell.exe
4116	powershell.exe
1652	powershell.exe
3852	powershell.exe
2340	powershell.exe
2228	powershell.exe
3336	powershell.exe
5044	powershell.exe
1540	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe

Executes dropped EXE 2 IoCs

pid	Process
5696	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
5208	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 216 set thread context of 3172	216	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	91
PID 5696 set thread context of 5208	5696	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	184

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX54B0.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX611F.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX4C1D.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCX63A1.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\Windows NT\Accessories\5b884080fd4f94	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5b884080fd4f94	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\spoolsv.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX4CF9.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fontdrvhost.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX5ADF.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCX641F.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\9e8d7a4ca61bd9	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\VideoLAN\VLC\locale\5b884080fd4f94	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\04c1e7795967e4	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX619D.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\csrss.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Microsoft.NET\csrss.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX5AE0.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\csrss.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\1f93f77a7f4778	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\csrss.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\Windows NT\Accessories\fontdrvhost.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX51AF.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX522D.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX5432.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TrustedInstaller.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\886983d96e3d3e	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Common Files\Services\e6c9b481da804f	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files\Google\Chrome\Application\9e8d7a4ca61bd9	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TrustedInstaller.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Program Files (x86)\Microsoft.NET\886983d96e3d3e	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\es-ES\dllhost.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Windows\Media\Cityscape\SearchApp.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Windows\Media\Cityscape\38384e6a620884	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Windows\ServiceProfiles\LocalService\Saved Games\csrss.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Windows\ServiceProfiles\LocalService\Saved Games\886983d96e3d3e	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Windows\es-ES\dllhost.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Windows\es-ES\5940a34987c991	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Windows\es-ES\RCX68D7.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Saved Games\csrss.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-rascmdial_31bf3856ad364e35_10.0.19041.1_none_93ecd32229175e66\winlogon.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Windows\es-ES\RCX6859.tmp	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
File opened for modification	C:\Windows\Media\Cityscape\SearchApp.exe	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4948	schtasks.exe
3060	schtasks.exe
5096	schtasks.exe
5396	schtasks.exe
6004	schtasks.exe
1316	schtasks.exe
2184	schtasks.exe
2884	schtasks.exe
3772	schtasks.exe
3944	schtasks.exe
2624	schtasks.exe
6032	schtasks.exe
4104	schtasks.exe
1416	schtasks.exe
4068	schtasks.exe
4848	schtasks.exe
5804	schtasks.exe
680	schtasks.exe
2564	schtasks.exe
1108	schtasks.exe
2488	schtasks.exe
4872	schtasks.exe
3512	schtasks.exe
2060	schtasks.exe
1760	schtasks.exe
2456	schtasks.exe
824	schtasks.exe
3740	schtasks.exe
3404	schtasks.exe
1184	schtasks.exe
4768	schtasks.exe
2796	schtasks.exe
5900	schtasks.exe
2884	schtasks.exe
4940	schtasks.exe
372	schtasks.exe
2544	schtasks.exe
1124	schtasks.exe
5440	schtasks.exe
4912	schtasks.exe
4852	schtasks.exe
4280	schtasks.exe
440	schtasks.exe
5684	schtasks.exe
4904	schtasks.exe
1800	schtasks.exe
5848	schtasks.exe
3516	schtasks.exe
3992	schtasks.exe
5068	schtasks.exe
4232	schtasks.exe
5916	schtasks.exe
5904	schtasks.exe
1272	schtasks.exe
4988	schtasks.exe
5072	schtasks.exe
4680	schtasks.exe
5592	schtasks.exe
6108	schtasks.exe
5732	schtasks.exe
2800	schtasks.exe
1884	schtasks.exe
2824	schtasks.exe
1592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
4904	powershell.exe
4904	powershell.exe
948	powershell.exe
948	powershell.exe
3336	powershell.exe
3336	powershell.exe
1540	powershell.exe
1540	powershell.exe
4988	powershell.exe
4988	powershell.exe
4444	powershell.exe
4444	powershell.exe
2340	powershell.exe
2340	powershell.exe
3852	powershell.exe
3852	powershell.exe
1416	powershell.exe
1416	powershell.exe
5044	powershell.exe
5044	powershell.exe
2004	powershell.exe
2004	powershell.exe
2928	powershell.exe
2928	powershell.exe
4548	powershell.exe
4548	powershell.exe
5068	powershell.exe
5068	powershell.exe
2228	powershell.exe
2228	powershell.exe
2564	powershell.exe
2564	powershell.exe
1260	powershell.exe
1260	powershell.exe
2788	powershell.exe
2788	powershell.exe
4904	powershell.exe
3336	powershell.exe
3336	powershell.exe
1540	powershell.exe
1540	powershell.exe
3852	powershell.exe
4988	powershell.exe
4988	powershell.exe
4444	powershell.exe
948	powershell.exe
948	powershell.exe
2340	powershell.exe
1416	powershell.exe
5068	powershell.exe
2564	powershell.exe
1260	powershell.exe
2228	powershell.exe
2928	powershell.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	5208	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 3172	216	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	91
PID 216 wrote to memory of 3172	216	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	91
PID 216 wrote to memory of 3172	216	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	91
PID 216 wrote to memory of 3172	216	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	91
PID 216 wrote to memory of 3172	216	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	91
PID 216 wrote to memory of 3172	216	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	91
PID 216 wrote to memory of 3172	216	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	91
PID 216 wrote to memory of 3172	216	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	91
PID 3172 wrote to memory of 2928	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	143
PID 3172 wrote to memory of 2928	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	143
PID 3172 wrote to memory of 2928	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	143
PID 3172 wrote to memory of 3852	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	144
PID 3172 wrote to memory of 3852	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	144
PID 3172 wrote to memory of 3852	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	144
PID 3172 wrote to memory of 1416	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	145
PID 3172 wrote to memory of 1416	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	145
PID 3172 wrote to memory of 1416	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	145
PID 3172 wrote to memory of 2340	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	146
PID 3172 wrote to memory of 2340	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	146
PID 3172 wrote to memory of 2340	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	146
PID 3172 wrote to memory of 4988	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	147
PID 3172 wrote to memory of 4988	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	147
PID 3172 wrote to memory of 4988	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	147
PID 3172 wrote to memory of 3336	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	148
PID 3172 wrote to memory of 3336	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	148
PID 3172 wrote to memory of 3336	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	148
PID 3172 wrote to memory of 4904	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	149
PID 3172 wrote to memory of 4904	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	149
PID 3172 wrote to memory of 4904	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	149
PID 3172 wrote to memory of 2564	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	151
PID 3172 wrote to memory of 2564	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	151
PID 3172 wrote to memory of 2564	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	151
PID 3172 wrote to memory of 1260	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	152
PID 3172 wrote to memory of 1260	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	152
PID 3172 wrote to memory of 1260	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	152
PID 3172 wrote to memory of 948	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	153
PID 3172 wrote to memory of 948	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	153
PID 3172 wrote to memory of 948	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	153
PID 3172 wrote to memory of 1540	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	154
PID 3172 wrote to memory of 1540	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	154
PID 3172 wrote to memory of 1540	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	154
PID 3172 wrote to memory of 2788	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	156
PID 3172 wrote to memory of 2788	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	156
PID 3172 wrote to memory of 2788	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	156
PID 3172 wrote to memory of 4444	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	157
PID 3172 wrote to memory of 4444	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	157
PID 3172 wrote to memory of 4444	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	157
PID 3172 wrote to memory of 2228	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	158
PID 3172 wrote to memory of 2228	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	158
PID 3172 wrote to memory of 2228	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	158
PID 3172 wrote to memory of 2004	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	160
PID 3172 wrote to memory of 2004	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	160
PID 3172 wrote to memory of 2004	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	160
PID 3172 wrote to memory of 4548	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	161
PID 3172 wrote to memory of 4548	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	161
PID 3172 wrote to memory of 4548	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	161
PID 3172 wrote to memory of 5044	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	163
PID 3172 wrote to memory of 5044	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	163
PID 3172 wrote to memory of 5044	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	163
PID 3172 wrote to memory of 5068	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	165
PID 3172 wrote to memory of 5068	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	165
PID 3172 wrote to memory of 5068	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	165
PID 3172 wrote to memory of 2520	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	179
PID 3172 wrote to memory of 2520	3172	d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
"C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
  "C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe"
  2⤵
  - DcRat
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\TextInputHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TrustedInstaller.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gkLFIn4v3n.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2520
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5316
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
      "C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5696
    - - C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5208
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5508
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:664
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Cityscape\SearchApp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1652
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1108
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4916
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4164
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Saved Games\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2164
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4116
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4516
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5936
      - C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe"
        6⤵
        
        PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885d" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885" /sc ONLOGON /tr "'C:\Users\Default User\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885d" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Cityscape\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Media\Cityscape\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Cityscape\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /f
1⤵
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:5864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\Saved Games\csrss.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\LocalService\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- DcRat
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe

Filesize
2.5MB

MD5
361a831dc07fa9b4759128fe89fc7ebc

SHA1
7579d170afb7c6d517d5e42690d5543e22710176

SHA256
c7e03b50b57fc9077b51c7d49b7fe0c28fa6cf1905ab8b350ae8f65e034fc9f0

SHA512
914efffc22df11d1c47cdf3daa3930acefcd3f0215670ca1cbcc1ec4e8c68e0c42aa6329e278223a248e5a313ff31635ac7661e59825e28e7154f9034e173bc2

Download Submit
C:\Program Files (x86)\Microsoft.NET\csrss.exe

Filesize
2.5MB

MD5
0852be27f1450c7c31b4e9a7d4e7f56b

SHA1
b6047de88c5b15be946a7226b39de6e862a8d6fc

SHA256
d4a76c5f8ea0299221c501c7e32063fb291491ca18cb0a4130c33550f5712f2b

SHA512
5892fb716e6d67b7136f37c0baef7114d60725b66f2876518256b055337722d633d3a15d4fa917d5b8a0664e22ec44a1aac719f8287c6863a3ba3f75e8de5f0d

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\TrustedInstaller.exe

Filesize
2.5MB

MD5
3b2feef262dbefeb460f9d25e34a2fb6

SHA1
cfdac67d2186073e618319c545b816511bf7e76b

SHA256
57b2c3112f526a067eef8caa664b8d040a421bd4c96e5d5226add64b1a42f050

SHA512
9eab0c643d1cc247b77637532bfc5fff818867364ef9094c1b847a18b64689869f4f10cdb1989ae6f0fd6eeb66c9dd29565b02a9b311260a38a55676a7b6c998

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe

Filesize
2.5MB

MD5
dbb2561808f77df19c729393b7e2c004

SHA1
d06044c1eb2f286017e03b02e389cca516c55fc0

SHA256
d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885

SHA512
54e8959bfc848bad7c2f97eacc8635e0316b68befd0bfa769b07c0216f2e89b84e4d187df15deeda2abbec95266083199879ddf2b8c88985ff79b22c8948b06f

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe

Filesize
2.5MB

MD5
7ec57b8774c6a20864bca0a6dd09c6ba

SHA1
b4cf322dddc1d2f38149247df02f894df420ea6b

SHA256
a4a63693faecb61477e985e8bbf0986d44a070ea3c6972240ae415b5c6883e9c

SHA512
59bc6f5f2d716482b159aa8d2d7ab79512e519c930627cd698873911799732a32403c3ebf3f5fd526654c8021d58991634e023e2f5e5f3d5bdf956169d8b03bf

Download Submit
C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe

Filesize
2.5MB

MD5
6ecf90abb203b988136ad2bebb8cfb72

SHA1
f1326c5ad0196d5c6a7c86ff9c499598aefb64c8

SHA256
ae7a60794d664c072a211ccb3acebcb7b30e1e11039fb4c91e6907c92de88b1b

SHA512
e8e0f73770f76f6e4bd142265a58068e68e89fb251319077434598db3a7e2ec234a36bea79b26a5f69a61458aaf753eb220ff92e25a341c1e02eb6f0659891f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d34707502943b1fcb2eaf5f3b85a6a5d4809458680101aca4ad6a355c4925885.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
32ed5c62c59ee495f7d0b7e46a3af955

SHA1
fe9eacc61f0c965c566440315de77ff4943eebd5

SHA256
d0c870eb7a04e39dc11241073311bf689138dfe5675c244f982af8b79324670d

SHA512
8e6f9fbb670aa117d51813292774f8c7ec8592a65947a571a1d003fb4ad1b89082631ef914e3c9ecd5a2d5bda15cff5fd955a1cc1f4ac06d10a8f74fc1e4526d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f660a25756ed1d92cacc8699696476eb

SHA1
ad8006a33a84fe18bffb85a3ff4b687386c073d8

SHA256
598118e2e4732ff080309b6364ba8204948d88355162edcd9dfc902ff08b0962

SHA512
3e852a875989934cfa411a9b5e49f4ea2697024e0fe2420be900c5642240f2a64e993ac552a839f5c62e60d4713f00dc33393ba89aa68177119afb35b4cf7e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
691e1ed71915d10f5f28ead6cb2c801a

SHA1
6245c57ac21aa00f097fb2254e1c4905a2f31fdd

SHA256
11299b7aea4b332ed02c00954e8c088d4e3b1169beff261a90a4db08cbe6c708

SHA512
4fe9631905977f949d43a1c911267b4de35e85b714f89e08bf6027dcb32f85be9c32d3f64fabc22d8e6eb06c3f77ee0af584d7cd5d4e06a6359800ceca1eabd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5a5062f4641d74ddbf063d4ccc8aa9d2

SHA1
352029904b28b4df75f03324f2bf33afa8775b93

SHA256
63df8d980d20804bc8d3d8f2a03689ce0e5e00bbf841537b0fa0b10d519ebdb3

SHA512
ab7031ae7f7f3315df137526c6b91dadcaab8d22a910eea20c3d40d89c73fb1c0eeb441cf67a2b6eacd82dd53c47228ba09cc885c1f74de9d05b4a0fcff1e00d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4559a6f6e93b02ad3b57e6247cafc047

SHA1
ba41cafe08c75a5d8d1da0fedf3130bec75a2d43

SHA256
186cac39f681051cd2909ab23931adb0d67404daa8d7ecc625089bd8c779bb25

SHA512
bab4f9ce5a181471187bb0f50b196d3073c3b45af80a3a4bd78bc6c1701a815d3a445cf94c31b06783689c070c05987686cec60a66bcd79643d9ab5fa9ee42d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e478fc0971e61935b384069fc9f95373

SHA1
2f3afecd277236990d84aef6e1c964a11bd9fb6d

SHA256
4546c3a1543fa3b6641613e8c5228547b94cc89aada0b1dbc73a3f587d358f3b

SHA512
189cd07f50f3b2c864123ef60d977952dbf01b2a790218e509f83903287fb31b146c1b27179d6eba5731c5501dbdc86140a42398e63d4c027ca55ccd58bf85cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
81dc9563ebfb181093cea12e90b29eed

SHA1
7e2b13fb88041f456cb8a4bcf3ac588f37fb0bf7

SHA256
19246f2d616bff1415c556bee307f9f281169e9712896d32e857ae4b2fefde59

SHA512
62d0dd1cc93b28b2850eb26088f756820c6d49fed32306ccb39a32aec5bd68afe108e95342fa5d574b185759cadacc851165f2a28896522c3d7514299a01d9b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0f51112fd723b74717dc512870c0453d

SHA1
bc03280973d06f02f4de623e0359a4b11e3054e0

SHA256
1615fe9a28e694c8dea4eaed370af31df29a9a3a924a15b14b1277cb25673bcb

SHA512
8e734f562a7a3d6c3edcba7292f6f2e0e15e001bc6100e61c310af43ffdbec375966a355d0bd596535ff7cb8e66fff29f5127f4c388db175bf1e0b635ca37a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
244B

MD5
160831267d5f90bddbb785bc52d93af9

SHA1
5bc54209ecf4f6717bf86b13fa4039f5ced7aede

SHA256
2dafb19d4f9d7d25667f39cd83458a5791def6f7f7ddb8839533e3bb4cc140ec

SHA512
44134d0c72289aeccf094d6737dd04830a8073ffda65c336325c7eca3b9c37950da3922546182b75d586220d1ddeb4f797bf72fdab0bc6a89c087ff5fe935980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6f822c9a6acd05fbec3c115ba8131b65

SHA1
4f5b5c2bbe64248ea0cf688d9ee1eea154897c6d

SHA256
cf2c1a318b03f5c6df001b3d81338ecaf11c713ecb9019e431a09ad63b0c6937

SHA512
44dce5de65e251765f646cb06be5421d36ce3ba2ec8a311faf3f41c24623bdc9b1bb213830f4ffce22823d5fa528668a5751539c0f1de66e580664f59721a01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hdljaz5.yyc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkLFIn4v3n.bat

Filesize
267B

MD5
80c44778b999923adfe2c4e93ef8f66c

SHA1
4f45538c3214eec66bf47082e1fc9bcd74d43362

SHA256
4e3a5983ce6152112018671cf01f7f8779c4a030050234681a0558964ac82601

SHA512
3d4c35050d4685618613139ac83beda46478a496dd878ac9beb3afeec37e3caa18cb0a8f9659c15b16933a3001b4494198c6355bdcbe5d30dde060f73c26d01b

Download Submit
C:\Users\Default\spoolsv.exe

Filesize
2.5MB

MD5
a90011faa4df21cae0ee47bf4402645e

SHA1
633b2e93ab5bb5910c730a879df507555cfb8501

SHA256
bc78d189c6a258e4bf7673dc9b859e96f4bf9562fe4ba0165c8afa37233b7445

SHA512
1a4fe7dd7eb2857bfe7e7c727eb880cc53235f270412dac11bc1706dba36c36bfdcfe1709eca2810be07cd6cb56a7a0d304d9d711313087cf49761e7c9e7974d

Download Submit
C:\Windows\es-ES\dllhost.exe

Filesize
2.5MB

MD5
e1523195bcb5a157058403963224b949

SHA1
e57f0e61b09efd04048dcf0db1f6d6fae92eb485

SHA256
56c3c6ba31746a4a3586479885af7c1b7a08707a79c31e82dd737702b96921f3

SHA512
88315dcfdd02af4a974e5675ebd21043c2efe1c4a646c61c3e417bba6114d662d38f95a856d7e60e86260aa2c6d3c3b7e27c9e0afa6fa5ca671c0dd966afa1a6

Download Submit
memory/216-6-0x0000000005480000-0x000000000549A000-memory.dmp

Filesize
104KB

Download
memory/216-4-0x0000000002E70000-0x0000000002E7A000-memory.dmp

Filesize
40KB

Download
memory/216-1-0x0000000000650000-0x00000000008D0000-memory.dmp

Filesize
2.5MB

Download
memory/216-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/216-2-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/216-11-0x000000000AFF0000-0x000000000B08C000-memory.dmp

Filesize
624KB

Download
memory/216-10-0x000000000AD10000-0x000000000AF40000-memory.dmp

Filesize
2.2MB

Download
memory/216-9-0x00000000054F0000-0x00000000054FE000-memory.dmp

Filesize
56KB

Download
memory/216-8-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/216-3-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/216-7-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/216-12-0x000000000C3D0000-0x000000000C5F6000-memory.dmp

Filesize
2.1MB

Download
memory/216-5-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/216-17-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/664-906-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/948-474-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/948-583-0x00000000078E0000-0x0000000007F5A000-memory.dmp

Filesize
6.5MB

Download
memory/1108-996-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/1260-563-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/1416-553-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/1540-503-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/1652-926-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/1652-1006-0x0000000007090000-0x00000000070A1000-memory.dmp

Filesize
68KB

Download
memory/2004-564-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/2164-896-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/2228-592-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/2340-515-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/2556-907-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/2564-504-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/2788-543-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/2928-533-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/3172-23-0x00000000012C0000-0x00000000012D6000-memory.dmp

Filesize
88KB

Download
memory/3172-29-0x0000000006690000-0x00000000066F6000-memory.dmp

Filesize
408KB

Download
memory/3172-13-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/3172-16-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3172-183-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3172-24-0x0000000006400000-0x0000000006456000-memory.dmp

Filesize
344KB

Download
memory/3172-26-0x0000000006450000-0x000000000645C000-memory.dmp

Filesize
48KB

Download
memory/3172-25-0x0000000005E30000-0x0000000005E3E000-memory.dmp

Filesize
56KB

Download
memory/3172-158-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3172-18-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3172-20-0x0000000001270000-0x000000000128C000-memory.dmp

Filesize
112KB

Download
memory/3172-22-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download
memory/3172-21-0x0000000005C70000-0x0000000005CC0000-memory.dmp

Filesize
320KB

Download
memory/3172-19-0x0000000001260000-0x0000000001268000-memory.dmp

Filesize
32KB

Download
memory/3172-279-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3336-452-0x0000000006460000-0x000000000647E000-memory.dmp

Filesize
120KB

Download
memory/3336-440-0x0000000007030000-0x0000000007062000-memory.dmp

Filesize
200KB

Download
memory/3336-441-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/3336-627-0x0000000007430000-0x00000000074C6000-memory.dmp

Filesize
600KB

Download
memory/3336-628-0x00000000073C0000-0x00000000073D1000-memory.dmp

Filesize
68KB

Download
memory/3336-268-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/3852-442-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/3852-269-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/3852-463-0x00000000079A0000-0x0000000007A43000-memory.dmp

Filesize
652KB

Download
memory/4116-966-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/4164-773-0x0000000006320000-0x0000000006674000-memory.dmp

Filesize
3.3MB

Download
memory/4164-884-0x0000000006D40000-0x0000000006D8C000-memory.dmp

Filesize
304KB

Download
memory/4164-885-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/4164-895-0x0000000007800000-0x00000000078A3000-memory.dmp

Filesize
652KB

Download
memory/4444-591-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

Filesize
104KB

Download
memory/4444-489-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/4444-632-0x00000000072E0000-0x00000000072E8000-memory.dmp

Filesize
32KB

Download
memory/4444-631-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/4444-630-0x0000000007200000-0x0000000007214000-memory.dmp

Filesize
80KB

Download
memory/4444-629-0x00000000071F0000-0x00000000071FE000-memory.dmp

Filesize
56KB

Download
memory/4444-626-0x0000000007010000-0x000000000701A000-memory.dmp

Filesize
40KB

Download
memory/4516-956-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/4548-584-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/4904-292-0x00000000061D0000-0x0000000006524000-memory.dmp

Filesize
3.3MB

Download
memory/4904-274-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/4904-438-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/4904-439-0x0000000006C50000-0x0000000006C9C000-memory.dmp

Filesize
304KB

Download
memory/4904-453-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/4904-271-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/4916-986-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/4988-464-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/5044-615-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/5068-585-0x00000000711C0000-0x000000007120C000-memory.dmp

Filesize
304KB

Download
memory/5436-946-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/5508-936-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download
memory/5936-976-0x0000000070D40000-0x0000000070D8C000-memory.dmp

Filesize
304KB

Download