dcrat | 4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4

Analysis

max time kernel
97s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Size

1.2MB
MD5

1513343b7481b2f1bf7d66399dfc2120
SHA1

0db4b18d25118696dac687d45934e9d5ba17ce6f
SHA256

4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4
SHA512

5ad111a3b6121f0b3454fb5ba2034f3c4dbe545191d0a020241f614eee87913b78481b26d208ffa86ce96b70386cf701a774999bebd4f1021455e4b494b0b282
SSDEEP

24576:lxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdT:APkVXFGDQoP7FRCZRonh4hfewhmpd

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	1668	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1668	schtasks.exe	88

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2856-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2200	powershell.exe
4304	powershell.exe
1196	powershell.exe
2772	powershell.exe
1848	powershell.exe
2808	powershell.exe
5080	powershell.exe
2456	powershell.exe
4380	powershell.exe
4108	powershell.exe
3932	powershell.exe
2196	powershell.exe
4736	powershell.exe
552	powershell.exe
4432	powershell.exe
4916	powershell.exe
3612	powershell.exe
4784	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 4 IoCs

pid	Process
5560	spoolsv.exe
2552	spoolsv.exe
5468	spoolsv.exe
5896	spoolsv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3964 set thread context of 2856	3964	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 5560 set thread context of 5468	5560	spoolsv.exe	196

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\WmiPrvSE.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX3691.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\sysmon.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\sihost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX55CD.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\Windows Photo Viewer\121e5b5079f7c0	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\WindowsPowerShell\WmiPrvSE.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\RCX4A5A.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\24dbde2999530e	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\dotnet\host\fxr\121e5b5079f7c0	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\dotnet\host\fxr\sysmon.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCX3ABB.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\RCX3CD1.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX55CE.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\Windows Photo Viewer\sysmon.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\66fc9ff0ee96c2	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\sysmon.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\Internet Explorer\uk-UA\sihost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\RCX4A59.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\9e8d7a4ca61bd9	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\RCX3CD0.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCX4F7E.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Program Files\WindowsPowerShell\24dbde2999530e	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCX3ABA.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX3690.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\RCX4EF1.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\System\Speech\StartMenuExperienceHost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\ModemLogs\RCX38A5.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\ModemLogs\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\L2Schemas\RCX4188.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\Panther\UnattendGC\sysmon.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX461F.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\ModemLogs\8ed8ba926a9222	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\GameBarPresenceWriter\fontdrvhost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\GameBarPresenceWriter\5b884080fd4f94	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\Sun\StartMenuExperienceHost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\L2Schemas\MoUsoCoreWorker.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\Panther\UnattendGC\sysmon.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\L2Schemas\RCX410A.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\WinSxS\wininit.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\Sun\55b276f4edf653	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\ServiceState\TextInputHost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\Sun\StartMenuExperienceHost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\L2Schemas\1f93f77a7f4778	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\Panther\UnattendGC\121e5b5079f7c0	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\Sun\RCX4844.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File created	C:\Windows\ModemLogs\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\ModemLogs\RCX38A6.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\L2Schemas\MoUsoCoreWorker.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCX438D.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\Sun\RCX4834.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCX438C.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCX4620.tmp	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\fontdrvhost.exe	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w32tm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1820	schtasks.exe
3208	schtasks.exe
2736	schtasks.exe
4796	schtasks.exe
4852	schtasks.exe
4756	schtasks.exe
2448	schtasks.exe
5060	schtasks.exe
1464	schtasks.exe
1120	schtasks.exe
2372	schtasks.exe
1848	schtasks.exe
2436	schtasks.exe
4060	schtasks.exe
4436	schtasks.exe
3712	schtasks.exe
3452	schtasks.exe
3612	schtasks.exe
2772	schtasks.exe
3008	schtasks.exe
4196	schtasks.exe
4140	schtasks.exe
2140	schtasks.exe
2520	schtasks.exe
3124	schtasks.exe
1436	schtasks.exe
1628	schtasks.exe
3932	schtasks.exe
4412	schtasks.exe
2840	schtasks.exe
1548	schtasks.exe
1232	schtasks.exe
4812	schtasks.exe
3892	schtasks.exe
3320	schtasks.exe
5040	schtasks.exe
1072	schtasks.exe
2940	schtasks.exe
2976	schtasks.exe
1844	schtasks.exe
4792	schtasks.exe
3632	schtasks.exe
1556	schtasks.exe
2788	schtasks.exe
1200	schtasks.exe
1684	schtasks.exe
1880	schtasks.exe
3860	schtasks.exe
2312	schtasks.exe
1624	schtasks.exe
3676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
2196	powershell.exe
2196	powershell.exe
4304	powershell.exe
4736	powershell.exe
4736	powershell.exe
4304	powershell.exe
2772	powershell.exe
2772	powershell.exe
4916	powershell.exe
4916	powershell.exe
2456	powershell.exe
2456	powershell.exe
3612	powershell.exe
3612	powershell.exe
4380	powershell.exe
4380	powershell.exe
5080	powershell.exe
5080	powershell.exe
4432	powershell.exe
4432	powershell.exe
2200	powershell.exe
2200	powershell.exe
3932	powershell.exe
3932	powershell.exe
2808	powershell.exe
2808	powershell.exe
4108	powershell.exe
4108	powershell.exe
1848	powershell.exe
1848	powershell.exe
1196	powershell.exe
1196	powershell.exe
552	powershell.exe
552	powershell.exe
4784	powershell.exe
4784	powershell.exe
4916	powershell.exe
3932	powershell.exe
2196	powershell.exe
2196	powershell.exe
2772	powershell.exe
4380	powershell.exe
4736	powershell.exe
4304	powershell.exe
2456	powershell.exe
3612	powershell.exe
2200	powershell.exe
552	powershell.exe
5080	powershell.exe
4432	powershell.exe
1196	powershell.exe
2808	powershell.exe
4108	powershell.exe
1848	powershell.exe
4784	powershell.exe
5560	spoolsv.exe
5560	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	5560	spoolsv.exe
Token: SeDebugPrivilege	5468	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 2856	3964	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 3964 wrote to memory of 2856	3964	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 3964 wrote to memory of 2856	3964	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 3964 wrote to memory of 2856	3964	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 3964 wrote to memory of 2856	3964	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 3964 wrote to memory of 2856	3964	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 3964 wrote to memory of 2856	3964	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 3964 wrote to memory of 2856	3964	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	96
PID 2856 wrote to memory of 2196	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	152
PID 2856 wrote to memory of 2196	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	152
PID 2856 wrote to memory of 2196	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	152
PID 2856 wrote to memory of 4736	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	153
PID 2856 wrote to memory of 4736	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	153
PID 2856 wrote to memory of 4736	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	153
PID 2856 wrote to memory of 3612	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	154
PID 2856 wrote to memory of 3612	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	154
PID 2856 wrote to memory of 3612	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	154
PID 2856 wrote to memory of 4304	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	155
PID 2856 wrote to memory of 4304	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	155
PID 2856 wrote to memory of 4304	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	155
PID 2856 wrote to memory of 2200	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	157
PID 2856 wrote to memory of 2200	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	157
PID 2856 wrote to memory of 2200	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	157
PID 2856 wrote to memory of 552	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	158
PID 2856 wrote to memory of 552	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	158
PID 2856 wrote to memory of 552	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	158
PID 2856 wrote to memory of 3932	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	159
PID 2856 wrote to memory of 3932	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	159
PID 2856 wrote to memory of 3932	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	159
PID 2856 wrote to memory of 2772	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	161
PID 2856 wrote to memory of 2772	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	161
PID 2856 wrote to memory of 2772	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	161
PID 2856 wrote to memory of 4108	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	162
PID 2856 wrote to memory of 4108	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	162
PID 2856 wrote to memory of 4108	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	162
PID 2856 wrote to memory of 4380	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	163
PID 2856 wrote to memory of 4380	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	163
PID 2856 wrote to memory of 4380	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	163
PID 2856 wrote to memory of 4916	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	165
PID 2856 wrote to memory of 4916	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	165
PID 2856 wrote to memory of 4916	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	165
PID 2856 wrote to memory of 2456	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	167
PID 2856 wrote to memory of 2456	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	167
PID 2856 wrote to memory of 2456	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	167
PID 2856 wrote to memory of 1848	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	168
PID 2856 wrote to memory of 1848	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	168
PID 2856 wrote to memory of 1848	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	168
PID 2856 wrote to memory of 5080	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	169
PID 2856 wrote to memory of 5080	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	169
PID 2856 wrote to memory of 5080	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	169
PID 2856 wrote to memory of 4432	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	170
PID 2856 wrote to memory of 4432	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	170
PID 2856 wrote to memory of 4432	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	170
PID 2856 wrote to memory of 1196	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	171
PID 2856 wrote to memory of 1196	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	171
PID 2856 wrote to memory of 1196	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	171
PID 2856 wrote to memory of 4784	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	172
PID 2856 wrote to memory of 4784	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	172
PID 2856 wrote to memory of 4784	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	172
PID 2856 wrote to memory of 2808	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	178
PID 2856 wrote to memory of 2808	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	178
PID 2856 wrote to memory of 2808	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	178
PID 2856 wrote to memory of 1620	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	189
PID 2856 wrote to memory of 1620	2856	4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe	189

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
"C:\Users\Admin\AppData\Local\Temp\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\sysmon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\MoUsoCoreWorker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\sysmon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\host\fxr\sysmon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CE4ikEee1q.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5800
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5848
  - - C:\Recovery\WindowsRE\spoolsv.exe
      "C:\Recovery\WindowsRE\spoolsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5560
    - - C:\Recovery\WindowsRE\spoolsv.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:2552
    - - C:\Recovery\WindowsRE\spoolsv.exe
        
        "{path}"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5468
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ade250e-b88a-47aa-9037-d41da426ef90.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Recovery\WindowsRE\spoolsv.exe
        
        C:\Recovery\WindowsRE\spoolsv.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5896
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99914139-d13c-47d5-ab24-41df8f080f40.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N4" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N" /sc ONLOGON /tr "'C:\Windows\ModemLogs\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N4" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\L2Schemas\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\UnattendGC\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\UnattendGC\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Sun\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\Sun\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\host\fxr\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe

Filesize
1.2MB

MD5
4311460809345528e4f4c0a631c372da

SHA1
ba1d440f0104bd9d63e184503ca5cbe70521efd6

SHA256
7e8e50f319627cf0fb11e4809e81a1fbf7907264381a1609cc51ff40e56efac3

SHA512
51d337ef04458604c544014ce4db69dcbf91bc46b09c9a84cfb15afc93b532c38ddc74b3cafcf9138e2da71985cee4075a02df3666c8e40945b4acc39d3d98b9

Download Submit
C:\Program Files\Internet Explorer\uk-UA\sihost.exe

Filesize
1.2MB

MD5
1513343b7481b2f1bf7d66399dfc2120

SHA1
0db4b18d25118696dac687d45934e9d5ba17ce6f

SHA256
4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4

SHA512
5ad111a3b6121f0b3454fb5ba2034f3c4dbe545191d0a020241f614eee87913b78481b26d208ffa86ce96b70386cf701a774999bebd4f1021455e4b494b0b282

Download Submit
C:\Program Files\WindowsPowerShell\RCX55CD.tmp

Filesize
1.2MB

MD5
f690d49a86dad71dcc64680e0dca28c1

SHA1
34f3ba0f8a256a0f2ab212a3a9379c5383c05055

SHA256
19664c7cdc12e6a6a9b1b8d5a9c2a7e406f4b261f86d2650290754ed99594cb5

SHA512
481a00952b3c8305d399cde165d2690ff2f7f2eecadefb98a33a13522957298a15f5134071cbe8b3f6f016e7d6c7d06e5ed9fdf8c48fc49a47b74ea56b84f485

Download Submit
C:\Recovery\WindowsRE\sysmon.exe

Filesize
1.2MB

MD5
faaf65db0c7f2d827a2b4fea695d317e

SHA1
d20854c5bd1489a112b06e5adbd251c20b188e85

SHA256
57c9ea02a6345264b6bf9e83534d7e85eb6d38aaadb6d570c2a82ea383f45808

SHA512
602c8e8b4bdc004ba1f3bdef98e4666e7d0d474d39f839966956275b3a394716324b23f9541664de2618cd4b5405ed9dc9c7a7813c972c328188b52c34898922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4f4a6991ab94f82f6e06f643d6e5dcb62de92b8691bf65695e2a2417f0d44be4N.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9fe9fe3fbc1a7092ed67d765864bdb6a

SHA1
c5fba5eb7c8158477214e51047d884064bdb4ab0

SHA256
8019dafe89739857586c7495f936be692790f6abc3a48d1bb4f1505650ffb499

SHA512
7357fc3163f1f1969e690714c66ededae6c980a88649a1c87e8499c06e51eba85afdff90627c624bfa43ce12bb29fedf227ff3fc61ebe5b350d0a09fe66e1129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e8d2d610993d800b056ccee58cfa3666

SHA1
49e642ddd79276f1842d0785ad503f411cef3568

SHA256
11706bff010b0c73f274d60343b68b0d3034a8411c9416d1fd16d3b9f71a2b2d

SHA512
bad6713f6c2f572ef8d21a6cbe6ad5dd724a7c48889865f2573990880689574b38abf02a14da7f11ea5766c991e9152cd3850d519f149b02ca7b219f7775b8f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
32c6fb31916db8c3fa3e7e3370a24ab1

SHA1
e3d0d0635d7ce8263b80c45de03eb6696a061adb

SHA256
bd2dc8030897f279fd9718e700662b02800d736ac40db2f8b9ab2b2e011c2019

SHA512
1c8cfdca801698c546a4386960de5b2df355bcef4d5ff8facb5a52c36f3c1fc12c039fdcead8b366a9b487c68c8da976ee0ba55fafa067548740fa0a00be6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5c7dea599e5adc82f7a6e2ef9fb41a71

SHA1
075208e697e6388f62fee52240c1cb35451079c0

SHA256
fcd43fa0b1f0db00ede9b7c33c06ff00c17db9226d2bb1709844f1e335c24baf

SHA512
f502044edbe4c40e003befa32a4fccc6f736819236962205921adb6957278cef269c00795106f21920425de2117fcd076d55a78a71de4682380175ec54ab28b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d8327934f9223f5e5abf31daef9015e1

SHA1
da4d80b122d3e1982667a44c953a53514c1fff2c

SHA256
54d8d3acf59657437ea24a03012ebf74de11f5f1d7ce0a8c64f285fb6ebfdedb

SHA512
850659b968630adaf881365c6aba7b07b52bcbc44741902343076a9f6d431f557444057ac62522a51b2abb1bbd9579f7e6131b17c65aa953e86176397eb52fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
03cd1a4ca673b9dedfed57ea07dbbaee

SHA1
d9881793b53b60bbf0c0eb191457dbe8fa5bfa61

SHA256
30e18f224729e6b7aa02ac8a1870658137fd4e3eb9b1864fb1749c59b0087c77

SHA512
ef94bee1d20e331706ffb5e81537a4da4c0521fa9112d4a0fce6ba31933f4f820a486738336297f87ab7eb0a61e24833df14832f381314126398439a327d48d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
681ea3586cfaecad4f988b57a1b8cf30

SHA1
6a1082e25d420b119f4c0c18acd31212e43d04e6

SHA256
eb40b5e2de5e107d5cd8044a48dc15b1cb532f6f48edb3b831d13a7a5907fb07

SHA512
3f62544707ace3b4842d559f20592631b3ddefba74f3c06f0e21cfb78aa9447c78472f1786c83f554a025ea9371a11d33625577752eeb49a843d3017a2ff8498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7d12fb1491b607ed4fde454365241545

SHA1
44788b77c465085d0d2c6613372efc049dc4c2fe

SHA256
a3c25c183c82dc347d237a0b583637edccccc0c009e0ae305a6a39fc81d2090d

SHA512
569f15149c9f41864f5035bd448559eafbc88e5b72857f393a8bdad71e1bc328602455574cb5b6c0048a65487c61bbbfddcd1f094dd12e4d8c8dbed1768852f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ade250e-b88a-47aa-9037-d41da426ef90.vbs

Filesize
709B

MD5
c13fff83c4445893ca3c3fbab7340f9e

SHA1
9fc091092246e9728bb4a888ff0b09cc91fb38ed

SHA256
16ac384211fc53d6aa9a391101b0ada4a2183d8a4c66c443641e062dcde6bbc9

SHA512
e24eb39db9e8f018e9314b811fe4e91748369ffc6ffbbebf942457e2a402bbc98a02fc0ab3ccdcddfa5c61ddc1d0c7f42ca9f728df8ab306d4c5754187a6fe0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99914139-d13c-47d5-ab24-41df8f080f40.vbs

Filesize
485B

MD5
d2a842e8a90a57aae3a3e98319caa428

SHA1
b5d384bf1c9548828c53bfe544fe0c6b5c58a517

SHA256
f52b5f8b217857c4c07ae57bc069350fbd50f33d01ee4a5d4c2ee5b1ab98632e

SHA512
422845ef0dbb9438cd3de7e5630ca89e5a8f5db4fadcc9aba757c756292aac8a1d5454d382921971fc10d84bd173205560482cf3969af439c088d195aa38a3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE4ikEee1q.bat

Filesize
198B

MD5
799b3a8eb5fcb7936893d4d496baba06

SHA1
2383723d7d42bf6ed18de9ccf80ae4bec3faa036

SHA256
3baf832f2e4efa1f63c012b74d8ba0ed9af63ddf453e5abeac88d1e6f366c85d

SHA512
f7e7cbb7fc3360d7455a31261824eebb84661b38696faabbc421efd7ac892fa938cf9254ce44d324f0e09c925f068fd963fad51d3839e5daabec2d8e154c7efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgfcvbof.bne.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\RCX3EE5.tmp

Filesize
1.2MB

MD5
0b380bcf5516cb9857d6c571990a2566

SHA1
9fdb095bab64c4414764bc66e781aa17f65c4096

SHA256
105da1140851d482aba20c5426385ab70e1b3892f6d2bd2a2975e3da56541754

SHA512
cadcf7e6acacf0542c6fb405a11c0fbd46a01c5b0735b2b525acc23ac4f03ca412dce43ba816a9bd3eab5039e53e23898e2304d54625846a5417a813b7265d11

Download Submit
C:\Windows\L2Schemas\MoUsoCoreWorker.exe

Filesize
1.2MB

MD5
1e74b510729b81e8bbdb060d72e017d8

SHA1
a7d86ec09951f87e20c1cf995b1a7ee91985e9be

SHA256
54cde3fb9454fcb0086a76bf4c4d97a08e9a9c76955ccbda5b9dee65cdaf560f

SHA512
0bc709ed1b512413091de3a0bec49fd2b04adbb500f78cdc0e6c0153af6ce94dfff9f771baad11b18e97b84150baec2d5f6d9dd621e84233e80dd2db66f62019

Download Submit
memory/552-547-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/1196-597-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/1848-618-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/2196-448-0x00000000060A0000-0x00000000060EC000-memory.dmp

Filesize
304KB

Download
memory/2196-277-0x0000000005460000-0x0000000005A88000-memory.dmp

Filesize
6.2MB

Download
memory/2196-288-0x0000000005A90000-0x0000000005DE4000-memory.dmp

Filesize
3.3MB

Download
memory/2196-460-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/2196-471-0x00000000071F0000-0x0000000007293000-memory.dmp

Filesize
652KB

Download
memory/2196-450-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/2196-449-0x00000000065D0000-0x0000000006602000-memory.dmp

Filesize
200KB

Download
memory/2196-527-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/2196-447-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/2196-617-0x00000000073D0000-0x00000000073DA000-memory.dmp

Filesize
40KB

Download
memory/2196-643-0x0000000007670000-0x0000000007678000-memory.dmp

Filesize
32KB

Download
memory/2196-642-0x0000000007690000-0x00000000076AA000-memory.dmp

Filesize
104KB

Download
memory/2196-286-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/2196-285-0x0000000005240000-0x0000000005262000-memory.dmp

Filesize
136KB

Download
memory/2196-640-0x0000000007580000-0x000000000758E000-memory.dmp

Filesize
56KB

Download
memory/2196-276-0x0000000000F10000-0x0000000000F46000-memory.dmp

Filesize
216KB

Download
memory/2196-525-0x0000000007980000-0x0000000007FFA000-memory.dmp

Filesize
6.5MB

Download
memory/2200-557-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/2456-515-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/2772-639-0x0000000007450000-0x0000000007461000-memory.dmp

Filesize
68KB

Download
memory/2772-628-0x00000000074D0000-0x0000000007566000-memory.dmp

Filesize
600KB

Download
memory/2772-472-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/2808-578-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/2856-26-0x00000000059A0000-0x00000000059AE000-memory.dmp

Filesize
56KB

Download
memory/2856-200-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2856-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2856-32-0x0000000006370000-0x00000000063D6000-memory.dmp

Filesize
408KB

Download
memory/2856-21-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2856-29-0x0000000005B50000-0x0000000005B5C000-memory.dmp

Filesize
48KB

Download
memory/2856-28-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/2856-25-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/2856-14-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2856-27-0x0000000005B00000-0x0000000005B0C000-memory.dmp

Filesize
48KB

Download
memory/2856-20-0x0000000005820000-0x0000000005836000-memory.dmp

Filesize
88KB

Download
memory/2856-212-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2856-287-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2856-24-0x0000000005970000-0x000000000597C000-memory.dmp

Filesize
48KB

Download
memory/2856-16-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2856-23-0x0000000006730000-0x0000000006C5C000-memory.dmp

Filesize
5.2MB

Download
memory/2856-22-0x00000000058C0000-0x00000000058D2000-memory.dmp

Filesize
72KB

Download
memory/2856-17-0x00000000057E0000-0x00000000057FC000-memory.dmp

Filesize
112KB

Download
memory/2856-19-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/2856-18-0x0000000005850000-0x00000000058A0000-memory.dmp

Filesize
320KB

Download
memory/3612-577-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/3932-461-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/3964-11-0x00000000098A0000-0x00000000099CE000-memory.dmp

Filesize
1.2MB

Download
memory/3964-15-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3964-1-0x0000000000280000-0x00000000003AC000-memory.dmp

Filesize
1.2MB

Download
memory/3964-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/3964-2-0x00000000052D0000-0x0000000005874000-memory.dmp

Filesize
5.6MB

Download
memory/3964-3-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/3964-4-0x0000000004F00000-0x0000000004F9C000-memory.dmp

Filesize
624KB

Download
memory/3964-7-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/3964-5-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/3964-6-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3964-8-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/3964-9-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3964-10-0x00000000072D0000-0x00000000073C6000-memory.dmp

Filesize
984KB

Download
memory/4108-607-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/4304-484-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/4380-503-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/4432-537-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/4736-526-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/4784-629-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/4916-483-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/4916-641-0x0000000007170000-0x0000000007184000-memory.dmp

Filesize
80KB

Download
memory/5080-558-0x00000000716E0000-0x000000007172C000-memory.dmp

Filesize
304KB

Download
memory/5560-681-0x0000000006FA0000-0x0000000007096000-memory.dmp

Filesize
984KB

Download