dcrat | 6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a

Analysis

max time kernel
98s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
Size

1.2MB
MD5

377293496a9862cb5482dbfc78db25be
SHA1

286fe8ad63b881ed9d06698a370c0392548fa113
SHA256

6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a
SHA512

da08f1618701ed5de26a7f1d283c373d0668293ac6cdd3db93096956ae2569c3a3770d4bff109f72fef4e5f3e6cfdd7fff88f16b6223a83fe34240a730415870
SSDEEP

24576:lxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdT+:APkVXFGDQoP7FRCZRonh4hfewhmpdC

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4760	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4760	schtasks.exe	85

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3292-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4244	powershell.exe
3936	powershell.exe
2836	powershell.exe
1336	powershell.exe
2108	powershell.exe
940	powershell.exe
4544	powershell.exe
4452	powershell.exe
3112	powershell.exe
3084	powershell.exe
1828	powershell.exe
5008	powershell.exe
4720	powershell.exe
4640	powershell.exe
1180	powershell.exe
868	powershell.exe
3472	powershell.exe
4660	powershell.exe
3412	powershell.exe
4648	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 3 IoCs

pid	Process
6020	SppExtComObj.exe
2996	SppExtComObj.exe
3156	SppExtComObj.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sysprep\en-US\RCX6037.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\en-US\unsecapp.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Windows\SysWOW64\sysprep\en-US\unsecapp.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Windows\SysWOW64\sysprep\en-US\29c1c3cc0f7685	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\en-US\RCX5FC9.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 632 set thread context of 3292	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	90
PID 6020 set thread context of 2996	6020	SppExtComObj.exe	195

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Program Files (x86)\Windows NT\upfc.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\RCX53E8.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX6DBF.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Program Files (x86)\Windows NT\upfc.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\spoolsv.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\7a0fd90576e088	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\f3b6ecef712a24	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Program Files (x86)\Windows NT\ea1d8f6d871115	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCX4B95.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX6DBE.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCX4C13.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\spoolsv.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\RCX53E9.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\System\6cb0b6c459d5d3	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\es-ES\StartMenuExperienceHost.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\System\RCX5A95.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Windows\es-ES\StartMenuExperienceHost.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\Provisioning\MoUsoCoreWorker.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Windows\es-ES\55b276f4edf653	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Windows\System\dwm.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\Provisioning\RCX4256.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\es-ES\RCX448A.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\System\RCX5B13.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Windows\Provisioning\MoUsoCoreWorker.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File created	C:\Windows\Provisioning\1f93f77a7f4778	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\Provisioning\RCX41C9.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\es-ES\RCX449B.tmp	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
File opened for modification	C:\Windows\System\dwm.exe	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SppExtComObj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SppExtComObj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SppExtComObj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1256	schtasks.exe
4880	schtasks.exe
1836	schtasks.exe
4640	schtasks.exe
1860	schtasks.exe
1972	schtasks.exe
4712	schtasks.exe
964	schtasks.exe
1764	schtasks.exe
4580	schtasks.exe
1652	schtasks.exe
1296	schtasks.exe
2576	schtasks.exe
3152	schtasks.exe
3112	schtasks.exe
692	schtasks.exe
3268	schtasks.exe
4668	schtasks.exe
1104	schtasks.exe
3716	schtasks.exe
868	schtasks.exe
3392	schtasks.exe
2880	schtasks.exe
4644	schtasks.exe
4340	schtasks.exe
1500	schtasks.exe
216	schtasks.exe
2356	schtasks.exe
2864	schtasks.exe
4956	schtasks.exe
4020	schtasks.exe
940	schtasks.exe
4888	schtasks.exe
4548	schtasks.exe
5112	schtasks.exe
1844	schtasks.exe
4380	schtasks.exe
3052	schtasks.exe
1528	schtasks.exe
32	schtasks.exe
4392	schtasks.exe
3744	schtasks.exe
4720	schtasks.exe
4928	schtasks.exe
4172	schtasks.exe
3120	schtasks.exe
1568	schtasks.exe
4560	schtasks.exe
2948	schtasks.exe
2836	schtasks.exe
3528	schtasks.exe
3412	schtasks.exe
3760	schtasks.exe
3008	schtasks.exe
5024	schtasks.exe
2364	schtasks.exe
4648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
5008	powershell.exe
5008	powershell.exe
2836	powershell.exe
2836	powershell.exe
940	powershell.exe
940	powershell.exe
4244	powershell.exe
4244	powershell.exe
3112	powershell.exe
3112	powershell.exe
2108	powershell.exe
2108	powershell.exe
1180	powershell.exe
1180	powershell.exe
868	powershell.exe
868	powershell.exe
4720	powershell.exe
4720	powershell.exe
3084	powershell.exe
3084	powershell.exe
3412	powershell.exe
3412	powershell.exe
4452	powershell.exe
4452	powershell.exe
4544	powershell.exe
4544	powershell.exe
3936	powershell.exe
3936	powershell.exe
3472	powershell.exe
3472	powershell.exe
4660	powershell.exe
4660	powershell.exe
1336	powershell.exe
1336	powershell.exe
1828	powershell.exe
1828	powershell.exe
4640	powershell.exe
4640	powershell.exe
4648	powershell.exe
4648	powershell.exe
3112	powershell.exe
5008	powershell.exe
5008	powershell.exe
1180	powershell.exe
2836	powershell.exe
2836	powershell.exe
940	powershell.exe
940	powershell.exe
2108	powershell.exe
2108	powershell.exe
4244	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
Token: SeDebugPrivilege	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	2996	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3972	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	89
PID 632 wrote to memory of 3972	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	89
PID 632 wrote to memory of 3972	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	89
PID 632 wrote to memory of 3292	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	90
PID 632 wrote to memory of 3292	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	90
PID 632 wrote to memory of 3292	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	90
PID 632 wrote to memory of 3292	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	90
PID 632 wrote to memory of 3292	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	90
PID 632 wrote to memory of 3292	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	90
PID 632 wrote to memory of 3292	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	90
PID 632 wrote to memory of 3292	632	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	90
PID 3292 wrote to memory of 5008	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	150
PID 3292 wrote to memory of 5008	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	150
PID 3292 wrote to memory of 5008	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	150
PID 3292 wrote to memory of 940	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	151
PID 3292 wrote to memory of 940	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	151
PID 3292 wrote to memory of 940	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	151
PID 3292 wrote to memory of 2108	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	152
PID 3292 wrote to memory of 2108	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	152
PID 3292 wrote to memory of 2108	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	152
PID 3292 wrote to memory of 4720	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	153
PID 3292 wrote to memory of 4720	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	153
PID 3292 wrote to memory of 4720	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	153
PID 3292 wrote to memory of 4244	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	154
PID 3292 wrote to memory of 4244	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	154
PID 3292 wrote to memory of 4244	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	154
PID 3292 wrote to memory of 4648	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	155
PID 3292 wrote to memory of 4648	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	155
PID 3292 wrote to memory of 4648	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	155
PID 3292 wrote to memory of 4640	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	157
PID 3292 wrote to memory of 4640	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	157
PID 3292 wrote to memory of 4640	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	157
PID 3292 wrote to memory of 1180	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	158
PID 3292 wrote to memory of 1180	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	158
PID 3292 wrote to memory of 1180	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	158
PID 3292 wrote to memory of 868	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	159
PID 3292 wrote to memory of 868	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	159
PID 3292 wrote to memory of 868	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	159
PID 3292 wrote to memory of 4544	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	160
PID 3292 wrote to memory of 4544	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	160
PID 3292 wrote to memory of 4544	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	160
PID 3292 wrote to memory of 3936	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	161
PID 3292 wrote to memory of 3936	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	161
PID 3292 wrote to memory of 3936	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	161
PID 3292 wrote to memory of 2836	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	162
PID 3292 wrote to memory of 2836	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	162
PID 3292 wrote to memory of 2836	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	162
PID 3292 wrote to memory of 1336	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	163
PID 3292 wrote to memory of 1336	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	163
PID 3292 wrote to memory of 1336	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	163
PID 3292 wrote to memory of 3412	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	164
PID 3292 wrote to memory of 3412	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	164
PID 3292 wrote to memory of 3412	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	164
PID 3292 wrote to memory of 1828	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	165
PID 3292 wrote to memory of 1828	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	165
PID 3292 wrote to memory of 1828	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	165
PID 3292 wrote to memory of 3084	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	166
PID 3292 wrote to memory of 3084	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	166
PID 3292 wrote to memory of 3084	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	166
PID 3292 wrote to memory of 3112	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	167
PID 3292 wrote to memory of 3112	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	167
PID 3292 wrote to memory of 3112	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	167
PID 3292 wrote to memory of 4660	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	168
PID 3292 wrote to memory of 4660	3292	6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe	168

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
"C:\Users\Admin\AppData\Local\Temp\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
  "{path}"
  2⤵
  PID:3972
- C:\Users\Admin\AppData\Local\Temp\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\MoUsoCoreWorker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sysprep\en-US\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\upfc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jpInxrUfyF.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5844
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5880
  - - C:\Recovery\WindowsRE\SppExtComObj.exe
      "C:\Recovery\WindowsRE\SppExtComObj.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:6020
    - - C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "{path}"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dd1ac84-1e85-4e6b-8301-24e03bbc7ec8.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3156
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5c0d952-43ef-4c1b-ba4d-69dfcdd1eb71.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Provisioning\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\System\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\System\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a6" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a6" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\sysprep\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\sysprep\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\sysprep\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\es-ES\spoolsv.exe

Filesize
1.2MB

MD5
377293496a9862cb5482dbfc78db25be

SHA1
286fe8ad63b881ed9d06698a370c0392548fa113

SHA256
6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a

SHA512
da08f1618701ed5de26a7f1d283c373d0668293ac6cdd3db93096956ae2569c3a3770d4bff109f72fef4e5f3e6cfdd7fff88f16b6223a83fe34240a730415870

Download Submit
C:\Program Files (x86)\Windows Media Player\es-ES\spoolsv.exe

Filesize
1.2MB

MD5
2b8235264f75e5ae24bfdd03f85da571

SHA1
b697bc8092333dcb48427f930d00ee5e4d9c1621

SHA256
f39509abd5cfeeb8243d91063a6af8c3834c60bb8db43c51075b02d628f3cdb8

SHA512
339bbd4a774c27cec10f65a8aeaf0e0a455a78add8d03fc8b2054d7cccea5e6b991561f78942d69a7dead9baafb3f7d0ddbff71b4ec207c09f4d082a69130316

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.2MB

MD5
5b34d7aeaccf9805f9814e685010324f

SHA1
83db87064430faa793ffc378760206dbcdb9f539

SHA256
d1271c13eafd87604d755713d61a1f1fb40b6a9260c27276cc65b8d34a39cc96

SHA512
044bb22c61a84e1b35745d299248f8f23459c20c9b889c81c53886941e02fed875539b87d12a075e65351246c6f508b1ca9fa87ba7363d80c05e4b990738d9eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6f49e661d55c95786bcee06a63f95dab201483dfa9c6fb2ca0882c0b67009f8a.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a56dcd9cc336ba1da5bdeff33c048328

SHA1
a54bfa15288d276c96a3a8370e4c59abc7860de1

SHA256
b0dc2b218fea95d1d7551704a70db838c16a888362631ca042b60cf8d64e6574

SHA512
14ce9e7c5ca58f5bf7cd25e19fe14ebedbef7f923b748ee4799e37854c38f4364fc912a99764323a5e335fbd20ba5f184cc2bdf538cfd380014693295b71322f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
590d3a84c740e0f7f24286fd6953adff

SHA1
05a3551828da27f47792444b97b8140484fb489b

SHA256
f160ea9000d3c706898d3a69ca16d4aaf451a44538b74c960a152c78c2632c97

SHA512
0100ee55a8a46ca7369ae7b7c1d1a58e9d604a22b9aa7bda1a5f4bf8b17d223586ecab3ca8308e6ed67cab57cae9948cac43173cd4cb41ebb61fa86e53cb42ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a36a132acb02832eeaaf34c83d85a8f2

SHA1
0c67c0237762063130c57b6215679629390aa9eb

SHA256
964a7c36a671d58aebfde93c51e858c251cba8db479012d0ae39198e0c8f241a

SHA512
cf6b1ab63496d250d1dbe3d819cfca8ba7ac543d7aadabad18b22641c4eac0dfbbdf549c0ce6dbdbfb84a33dbe724971d0edac9015d91a54dc4c42a7460e0efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0620ae8eff0454f6fc60c5f5647d9e1f

SHA1
e2d80baaa246038521bcdcb66f97fc9202f37372

SHA256
6e570fba2e6e059397126fae93908ea9038249ed6d87198462c9d9b17fd776c3

SHA512
af6b7ba5dc2be0c2aca9f1b5093e9a05d5437ae9f1e39c9d9b8e4f7b0cf32c51a296eac3c8d29c07afed5f4742d377b66d8a26f0d02519e5fb966a875d95b167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
557c484f8140301196a8c443baf3a022

SHA1
0ef48992e614f68e8cc33e937d9b0fb09565c7a7

SHA256
39669dcefdb4efa9484aa1d0f6b4a904344425b3694ae09d71c467b270ce1adf

SHA512
6a8969a85c7d717a3c1d2fb6eca2e61fdd04f385368f3c27736982fb04e75def69af8b3e7b596adefc337bd313d53bc6d9f0bd46b1da7ef4914307a9b8c7a653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5e37d4217a7c4490893d1d664b15e75d

SHA1
8326981e92ad4780805c6e2e30abc9bc1b92781e

SHA256
7dd90e1e9ceb1d2ef393c2451f516b527e8e01d99527a50d9f04831a087d80c0

SHA512
7f4875b4295333843e84ce93f0d6b8ee0fc074d850892ecda76b726a8465f3c6e6e3d5399882b008f1bc580e9c4306a42cab9e3dd247febf22522b2b306c7072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fe0951703dba6250d04fbae85283ec7e

SHA1
1a8b4d6b9ed984f30db24936da9ca2048679d9c1

SHA256
95994d65442637d9b3d44c2fb347179fbe525ec1818b2b3f82f984b8b8ead143

SHA512
e4b5ec3a52469bd336d68747ab8bb59611b12b6aa0256037767a7a000b2737c97401e6a58eaf7bbdb6e54b454dad4a2265894c63c69e15be4810b03f59d1f672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cdde99ab8ddc567d8aa9263930248c76

SHA1
0a1949586762a0402d34377f116c5b0a37b5203f

SHA256
a7b23ee6cc48291f21d0467df889372a2ed48d4e108b965b45b44647f8038025

SHA512
986f7dc6b28393a850da2de38062da68c101d4ac6107e2076c8a9f2354c262582c12280fc7fc272724cd28272f50690505ac549713c246afb07a3330a89b9a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bdc9513f878e9712d120bf903af19130

SHA1
305f7ccd943b82629f03dab0571eb9d74b5c5c8b

SHA256
8d3903ea48254e7c9b16ebae120c3f174ab36557ea2c59add51a5e5a7ac1cde5

SHA512
ee010a26e551496d550df80076188782c9fbde307608f03f8d32b3e35a56b84dc3499fdcd109079f77cc9cfd4380e3e57dcadfeb0daeb2a263af04924d8d5e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6fbcb6b6e41726621b3ba5bbf37d0c05

SHA1
0297c5de829afb37d72bfa356e0ad67a754d0fcd

SHA256
23892299542aa7765d6ec661c908d13d12b1f7c6cf80095d8280da4f27b8115f

SHA512
3b2eafc6921398fa9e555c68e6fe52e7fc78d04b6ff10cc6fd1a3864207a6dfe025fa013376b7a686bee1cd12d70eff7ff043a0839d31522f8fa76de5009a61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7343a2fd6f09fc9367c4d6121f2d1d77

SHA1
bc18854d05e3d87a3270526b77062c6135551a99

SHA256
a8b37be4176660c6cd5d36abf0b26c45b68429a08d2295923b7d65392c93a996

SHA512
87718cfd4e4b6af1dfef52852ea696730b87c8770e75028f44b9476420215743877b3eef3cc11cd49a24bb714382552b31f09f22bb18405099b22bed7234ca43

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dd1ac84-1e85-4e6b-8301-24e03bbc7ec8.vbs

Filesize
714B

MD5
367648da46399d18f4794d2ab3c8a34d

SHA1
0a599bf8f9654a6e5aec184692e7c42ffe271126

SHA256
fed3753eb4ab31ad8016e26e799a105458917af997c042b6b75278449af511d4

SHA512
4ea4dd0467aa11aff95a9d2dd34fe0b8fa05f108203628ad563a847226842092b4e85a8e3665ae93b5c51c09f60d7b49ae3843913bc4f9d530ed2d54eb1206dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpym4mz1.4tu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5c0d952-43ef-4c1b-ba4d-69dfcdd1eb71.vbs

Filesize
490B

MD5
24315fa715c4035abe0bfdc83a458ba4

SHA1
973cff2a35068eda8e2abe3548b47eb436a96dc6

SHA256
e4348e5860764940cb84989cf710719da49e15545eb3e9dd621936892f30f0af

SHA512
51de90f0cce481efa15004726153c5e1781ac60087ccac45e7e56ba924ad3cf95ff4e785094ac12c7b75a48a624bc888bdeab9798b588ebaef566619122cb5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpInxrUfyF.bat

Filesize
203B

MD5
8645d8685879228dc56e300e353cf6e0

SHA1
3049eaf107e83a61f42b76cedf0884cfa229ac08

SHA256
47ad5c7e24ee8fa93df9b5a229d64015549807053fa6f6c9f084bdbcb514f8d1

SHA512
74ecdb1c41701da0c672b8579ec39f0fd7d81221bffcd90dc90f58c160da626336fc8f7e2cf84bf2d59bfcebb5b265920ecc899cfc4bf4cf9dfedfa3f950db19

Download Submit
C:\Users\Default\sppsvc.exe

Filesize
1.2MB

MD5
229a6472ddd27c23b0602bd1ab384597

SHA1
0397a14d3b94d02746cb4526b273c8d2e12edb96

SHA256
adfbf02d5f95b184b4be815a251e8a31767a7509f2a76a54af8c22da56260d93

SHA512
d8972789a89c4fff3986d113fd1d00bc15619871d837de4ed2e65b03c67c35f1cf2f19cbc6a9ae2276148872b0153d618ea71f27e39ca149a069b015a5e6fa61

Download Submit
C:\Windows\Provisioning\MoUsoCoreWorker.exe

Filesize
1.2MB

MD5
6402c3e84e5b95ed9a915bd7c7daef89

SHA1
00ababd406c3c844dace8ed761b8b7ceb2380df3

SHA256
0270d01a8ed3b7d92632af92fe2f8c0f81c00ce2277166bb099a5a42ec91781f

SHA512
9892c2b0369f0cfb2cea7a16c7175f5bb82266a77f60a0a236898804e35b989fa15af49410bcb02364a652f42afef9c9ed383c2a81312fff16f77ab3b08480ae

Download Submit
C:\Windows\SysWOW64\sysprep\en-US\unsecapp.exe

Filesize
1.2MB

MD5
443f8e5d3affbfa0a5aab17ba6299ea9

SHA1
e1d03e2a5586fae56ca481a2c2ed49b16fdde72c

SHA256
177e900f67bdc5d9e40621c95e0fc1bc2efad9c8b857af3f8c3476b32b37b391

SHA512
584ffc6fe7d39fe37bedddb6794691c6bb1bfd07a9d86c53c6430bc2facbc003c8e5b537fc7a4c470ec4d1bd6c77205feb881a464917298cf0c657b6fc0851df

Download Submit
C:\Windows\System\dwm.exe

Filesize
1.2MB

MD5
20a6c803cb79aea951bacf773da621da

SHA1
dd591e497a86e8aff29bc7b78c594a8cd98afece

SHA256
571b28c00d82c7e54b8eeee8a3401f6e66a871cf09db43be684874e3a38ccf69

SHA512
fa5637c0133c06cf1f4050cf5d7b67166541b898f54baf56a9ae7dc709e5f80b485181ddae8faff796c2673ea8226495b1e4e9da6f4afa2dc8fb244813fb186b

Download Submit
memory/632-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/632-2-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/632-6-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/632-10-0x00000000081F0000-0x00000000082E6000-memory.dmp

Filesize
984KB

Download
memory/632-7-0x0000000006450000-0x0000000006462000-memory.dmp

Filesize
72KB

Download
memory/632-16-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/632-8-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/632-3-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/632-5-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/632-9-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/632-4-0x0000000005980000-0x0000000005A1C000-memory.dmp

Filesize
624KB

Download
memory/632-1-0x0000000000DD0000-0x0000000000EFC000-memory.dmp

Filesize
1.2MB

Download
memory/632-11-0x000000000A810000-0x000000000A93E000-memory.dmp

Filesize
1.2MB

Download
memory/868-613-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/940-684-0x0000000006DF0000-0x0000000006DFA000-memory.dmp

Filesize
40KB

Download
memory/940-489-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/1180-540-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/1180-690-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/1180-691-0x0000000007550000-0x0000000007558000-memory.dmp

Filesize
32KB

Download
memory/1336-539-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/1828-499-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/1828-687-0x0000000007DE0000-0x0000000007DF1000-memory.dmp

Filesize
68KB

Download
memory/1828-689-0x0000000007E20000-0x0000000007E34000-memory.dmp

Filesize
80KB

Download
memory/2108-561-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/2108-688-0x00000000071C0000-0x00000000071CE000-memory.dmp

Filesize
56KB

Download
memory/2836-529-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/3084-635-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/3112-487-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/3112-615-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/3112-488-0x00000000072A0000-0x0000000007343000-memory.dmp

Filesize
652KB

Download
memory/3112-476-0x0000000007060000-0x0000000007092000-memory.dmp

Filesize
200KB

Download
memory/3112-573-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/3112-477-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/3112-686-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/3292-26-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/3292-15-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3292-29-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/3292-289-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3292-25-0x00000000058D0000-0x00000000058DC000-memory.dmp

Filesize
48KB

Download
memory/3292-24-0x0000000008AE0000-0x000000000900C000-memory.dmp

Filesize
5.2MB

Download
memory/3292-23-0x0000000005830000-0x0000000005842000-memory.dmp

Filesize
72KB

Download
memory/3292-28-0x0000000005920000-0x000000000592C000-memory.dmp

Filesize
48KB

Download
memory/3292-22-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3292-21-0x0000000004A40000-0x0000000004A56000-memory.dmp

Filesize
88KB

Download
memory/3292-20-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3292-200-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3292-19-0x00000000057D0000-0x0000000005820000-memory.dmp

Filesize
320KB

Download
memory/3292-27-0x0000000005900000-0x000000000590E000-memory.dmp

Filesize
56KB

Download
memory/3292-18-0x00000000049F0000-0x0000000004A0C000-memory.dmp

Filesize
112KB

Download
memory/3292-17-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3292-30-0x0000000005970000-0x000000000597C000-memory.dmp

Filesize
48KB

Download
memory/3292-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3292-33-0x00000000085B0000-0x0000000008616000-memory.dmp

Filesize
408KB

Download
memory/3292-176-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3412-583-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/3472-664-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/3936-593-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/4244-505-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/4452-634-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/4544-674-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/4640-614-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/4648-649-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/4660-560-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/4720-603-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/5008-519-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/5008-475-0x0000000006090000-0x00000000060DC000-memory.dmp

Filesize
304KB

Download
memory/5008-474-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/5008-292-0x00000000059A0000-0x0000000005CF4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-291-0x00000000050A0000-0x0000000005106000-memory.dmp

Filesize
408KB

Download
memory/5008-290-0x0000000005000000-0x0000000005022000-memory.dmp

Filesize
136KB

Download
memory/5008-287-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/5008-286-0x00000000029B0000-0x00000000029E6000-memory.dmp

Filesize
216KB

Download
memory/6020-685-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download