dcrat | c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252

Analysis

max time kernel
119s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
Size

1.7MB
MD5

8abf836c2a16ee571afc67fde90325b1
SHA1

c224cbb2b5b5f09cb1c60e20b3d4d9ca726d1d08
SHA256

c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252
SHA512

c17401b6614b0a242f93fd39cc526180a0642e0458e3c98705aec842ec4d7e29221abce5a89c0463fcab9755c419ddb2a6456481be06e306cbc6dc168da66ad1
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvd:+THUxUoh1IF9gl22

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3948	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	3948	schtasks.exe	85

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/100-1-0x0000000000E80000-0x0000000001040000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c9a-30.dat	dcrat
behavioral2/files/0x0008000000023ca2-141.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1844	powershell.exe
2948	powershell.exe
3464	powershell.exe
3408	powershell.exe
740	powershell.exe
4488	powershell.exe
2996	powershell.exe
1064	powershell.exe
2040	powershell.exe
2196	powershell.exe
4440	powershell.exe
3128	powershell.exe
4392	powershell.exe
1984	powershell.exe
1876	powershell.exe
1420	powershell.exe
4500	powershell.exe
3412	powershell.exe
3016	powershell.exe
5016	powershell.exe
3596	powershell.exe
3164	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 3 IoCs

pid	Process
508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
1756	services.exe
2196	services.exe

Drops file in Program Files directory 54 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\taskhostw.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\taskhostw.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\powershell.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\66fc9ff0ee96c2	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Adobe\29c1c3cc0f7685	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\7-Zip\Lang\6ccacd8608530f	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\Windows Media Player\Visualizations\c5b4cb5e9653cc	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXD913.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\e978f868350d50	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\RCXC666.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXD48B.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Windows Media Player\ea9f0e6c9e2dcd	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\9e8d7a4ca61bd9	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\7-Zip\Lang\Idle.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\088424020bedd6	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\6cb0b6c459d5d3	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXD48A.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXD70E.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Adobe\unsecapp.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Common Files\RuntimeBroker.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Windows Mail\e1ef82546f0b02	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\RCXC1FC.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\RCXC655.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\Internet Explorer\en-US\ea9f0e6c9e2dcd	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Adobe\unsecapp.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\powershell.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\Windows Media Player\Visualizations\services.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Windows Mail\SppExtComObj.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD276.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Common Files\RuntimeBroker.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\taskhostw.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\dwm.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXD70D.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e978f868350d50	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\dwm.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\Internet Explorer\en-US\taskhostw.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\RCXC1FD.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\services.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD275.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\SppExtComObj.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXD923.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\7-Zip\Lang\Idle.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Common Files\9e8d7a4ca61bd9	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\de-DE\f3b6ecef712a24	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\LiveKernelReports\conhost.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\twain_32\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Favorites\27d1bcfc3c54e0	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\Registration\services.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\RCXCD61.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\Registration\services.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\Registration\c5b4cb5e9653cc	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\RCXCD60.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Favorites\System.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\twain_32\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Favorites\System.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\System\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\System\3150bb21dc778b	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\PolicyDefinitions\de-DE\spoolsv.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\spoolsv.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\twain_32\3150bb21dc778b	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\LiveKernelReports\conhost.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\LiveKernelReports\088424020bedd6	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\System\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\System\RCXBFD7.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\System\RCXBFE8.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1476	schtasks.exe
4972	schtasks.exe
4168	schtasks.exe
3988	schtasks.exe
4680	schtasks.exe
4056	schtasks.exe
2368	schtasks.exe
4664	schtasks.exe
1716	schtasks.exe
4168	schtasks.exe
4536	schtasks.exe
2592	schtasks.exe
4380	schtasks.exe
2672	schtasks.exe
4796	schtasks.exe
3560	schtasks.exe
3728	schtasks.exe
4624	schtasks.exe
3984	schtasks.exe
4796	schtasks.exe
4608	schtasks.exe
3920	schtasks.exe
2888	schtasks.exe
1712	schtasks.exe
3032	schtasks.exe
324	schtasks.exe
2332	schtasks.exe
4228	schtasks.exe
3316	schtasks.exe
3876	schtasks.exe
116	schtasks.exe
3188	schtasks.exe
1612	schtasks.exe
1492	schtasks.exe
2500	schtasks.exe
436	schtasks.exe
3972	schtasks.exe
2932	schtasks.exe
4156	schtasks.exe
3596	schtasks.exe
2508	schtasks.exe
1620	schtasks.exe
1440	schtasks.exe
1704	schtasks.exe
3212	schtasks.exe
2512	schtasks.exe
2900	schtasks.exe
3796	schtasks.exe
1624	schtasks.exe
1280	schtasks.exe
1172	schtasks.exe
2704	schtasks.exe
1340	schtasks.exe
1492	schtasks.exe
2680	schtasks.exe
4988	schtasks.exe
1816	schtasks.exe
1592	schtasks.exe
1524	schtasks.exe
3216	schtasks.exe
4992	schtasks.exe
2512	schtasks.exe
512	schtasks.exe
4660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
3128	powershell.exe
3128	powershell.exe
2948	powershell.exe
2948	powershell.exe
1844	powershell.exe
1844	powershell.exe
4488	powershell.exe
4488	powershell.exe
1064	powershell.exe
1064	powershell.exe
4500	powershell.exe
4500	powershell.exe
3412	powershell.exe
3412	powershell.exe
2996	powershell.exe
2996	powershell.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	1756	services.exe
Token: SeDebugPrivilege	2196	services.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 3464	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	123
PID 100 wrote to memory of 3464	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	123
PID 100 wrote to memory of 1064	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	124
PID 100 wrote to memory of 1064	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	124
PID 100 wrote to memory of 3128	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	125
PID 100 wrote to memory of 3128	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	125
PID 100 wrote to memory of 2996	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	126
PID 100 wrote to memory of 2996	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	126
PID 100 wrote to memory of 4440	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	127
PID 100 wrote to memory of 4440	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	127
PID 100 wrote to memory of 4488	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	128
PID 100 wrote to memory of 4488	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	128
PID 100 wrote to memory of 3412	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	129
PID 100 wrote to memory of 3412	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	129
PID 100 wrote to memory of 4500	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	130
PID 100 wrote to memory of 4500	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	130
PID 100 wrote to memory of 2948	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	131
PID 100 wrote to memory of 2948	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	131
PID 100 wrote to memory of 1844	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	132
PID 100 wrote to memory of 1844	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	132
PID 100 wrote to memory of 740	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	133
PID 100 wrote to memory of 740	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	133
PID 100 wrote to memory of 508	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	145
PID 100 wrote to memory of 508	100	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	145
PID 508 wrote to memory of 4392	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	213
PID 508 wrote to memory of 4392	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	213
PID 508 wrote to memory of 3016	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	214
PID 508 wrote to memory of 3016	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	214
PID 508 wrote to memory of 1984	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	215
PID 508 wrote to memory of 1984	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	215
PID 508 wrote to memory of 5016	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	216
PID 508 wrote to memory of 5016	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	216
PID 508 wrote to memory of 2040	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	217
PID 508 wrote to memory of 2040	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	217
PID 508 wrote to memory of 3408	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	218
PID 508 wrote to memory of 3408	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	218
PID 508 wrote to memory of 1876	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	219
PID 508 wrote to memory of 1876	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	219
PID 508 wrote to memory of 1420	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	220
PID 508 wrote to memory of 1420	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	220
PID 508 wrote to memory of 3596	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	221
PID 508 wrote to memory of 3596	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	221
PID 508 wrote to memory of 3164	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	222
PID 508 wrote to memory of 3164	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	222
PID 508 wrote to memory of 2196	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	223
PID 508 wrote to memory of 2196	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	223
PID 508 wrote to memory of 1756	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	235
PID 508 wrote to memory of 1756	508	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	235
PID 1756 wrote to memory of 864	1756	services.exe	237
PID 1756 wrote to memory of 864	1756	services.exe	237
PID 1756 wrote to memory of 2680	1756	services.exe	238
PID 1756 wrote to memory of 2680	1756	services.exe	238
PID 864 wrote to memory of 2196	864	WScript.exe	243
PID 864 wrote to memory of 2196	864	WScript.exe	243
PID 2196 wrote to memory of 3248	2196	services.exe	245
PID 2196 wrote to memory of 3248	2196	services.exe	245
PID 2196 wrote to memory of 100	2196	services.exe	246
PID 2196 wrote to memory of 100	2196	services.exe	246

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
"C:\Users\Admin\AppData\Local\Temp\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Users\Admin\AppData\Local\Temp\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
  "C:\Users\Admin\AppData\Local\Temp\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\Registration\services.exe
    "C:\Windows\Registration\services.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b9c12dc-5215-47ea-8e5b-45769feade09.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\Registration\services.exe
        
        C:\Windows\Registration\services.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9c03a26-ce46-4be2-82f9-1f82f5792b64.vbs"
        6⤵
        
        PID:3248
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b51afd1-2952-4aa2-a1ee-87ab046b4974.vbs"
        6⤵
        
        PID:100
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2455390e-b02d-4cc9-ae23-e5d1e22eec00.vbs"
      4⤵
      PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252c" /sc MINUTE /mo 11 /tr "'C:\Windows\System\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252" /sc ONLOGON /tr "'C:\Windows\System\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252c" /sc MINUTE /mo 9 /tr "'C:\Windows\System\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Users\Default\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Registration\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252c" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252" /sc ONLOGON /tr "'C:\Windows\twain_32\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252c" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\NetworkService\Favorites\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\NetworkService\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\msadc\powershell.exe'" /f
1⤵
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\msadc\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\System\msadc\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f
1⤵
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252c" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /rl HIGHEST /f
1⤵
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252c" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f
1⤵
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /f
1⤵
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /rl HIGHEST /f
1⤵
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\wininit.exe

Filesize
1.7MB

MD5
8abf836c2a16ee571afc67fde90325b1

SHA1
c224cbb2b5b5f09cb1c60e20b3d4d9ca726d1d08

SHA256
c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252

SHA512
c17401b6614b0a242f93fd39cc526180a0642e0458e3c98705aec842ec4d7e29221abce5a89c0463fcab9755c419ddb2a6456481be06e306cbc6dc168da66ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c75751639c8d83322d5e5b62ee283042

SHA1
fc732ec1b1a3c39624eaf368b04417f690b2bdac

SHA256
4580ab7ebc53e3f6e12ba554b5163fd6ca67b4b81e2d53eb9af57a1d986fe9e4

SHA512
fa3bf4f87a87b05133047ab0e6d1bb53f6ad4b08f875af6584ad356f0b7915f2902d79af29ad08eee22aa06e157fb016471ce55475f018ee79f346e20aac15d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
36c0eb4cc9fdffc5d2d368d7231ad514

SHA1
ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

SHA256
f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

SHA512
4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3b6cc0fbea08a0831f0026a696db8b8

SHA1
4e32202d4700061cfd80d55e42798131c9f530d4

SHA256
3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

SHA512
6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
89b9b22e2cb6f0b903e7f8755f49d7be

SHA1
e13b62b19dccdbacb5fec9227e34f21e34fe5cad

SHA256
17b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537

SHA512
f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
705e397ba2c670b0b9fcebdd31e0feea

SHA1
8566fe7e0903b7495e659ba0588b72e3ce538c3b

SHA256
ae5d0de2ba6fe534bf67dcdbbfd71cf3f8c26f3d6ec852d73362d274a242732f

SHA512
a2914a193cbea13119567199082c52eebe67719c80bc056b3820c6a4b2e8cf8c7ecd3e38975f6ffc616b171ab722a6664f44f65496fdaf114615c1bbdf98306c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ec66606831e595ea115f35d1b61b7105

SHA1
f22d025450dc8dafd9b434b2eb31cb876bcb8109

SHA256
4f17fe98ecf3ea9ec9873ff0a3acdd6ca93eb17e280a01ff6cfeca4422019dec

SHA512
f2922870f0b34b5cd8a75ce3aa94362a43997a752b0e8e9001f63d650225bf15415a75ce8aa333e4d3554a52ca5d40eec7b15ce67e3ee20441cf2680de59ed5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2455390e-b02d-4cc9-ae23-e5d1e22eec00.vbs

Filesize
488B

MD5
c1462ccd1cbfb9a968170f2c031613d7

SHA1
f480912778f257dfd131c0ef89af620b128339aa

SHA256
74067538fc2c1b5b5a18b308674ebe16f44ae7647ac06cabe61ed3d527299cdc

SHA512
1f11cf86020d41a84944b6353e6fefbacfe0f2c1d68b6d77c93feb307d5a3fa7b2a8facd9c6ef86ac62fecec9cf4a37b86a1e273ccf78eae0c86d7230c5b7aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b9c12dc-5215-47ea-8e5b-45769feade09.vbs

Filesize
712B

MD5
e099e06c5442a275158ac27adb131b63

SHA1
e4ca74be19e96b9605bbaff9ab0d9308219c1d78

SHA256
faa30af4b0c2b145d898818fb5f1e90932825b528db2ea27bf020338620b48b0

SHA512
b183db3ae25e5ae3ef740df7c2a20e32c6b3ec7084b8e61afe0004c20f3b63cca077ec6eaf2a1a25c41a91fa6204921db9e3b675304a655ceb97d947dc38fc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzidmbua.t1n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9c03a26-ce46-4be2-82f9-1f82f5792b64.vbs

Filesize
712B

MD5
927544ff7d1c368ba08c66fc2d3bb956

SHA1
d3fe1a3f62cf59690c96ab44906472a45fdbbb91

SHA256
d8a07ceaf617cc3275fb1bb99522f7418ce264a3a06419cc4244522c38435092

SHA512
db18eeeb70238f7054ed584f6693a1dd040e859976be46426f70758ec973e790f05bbb29ff0a64f058d594cbce0fb3f0ca73502705008b1c9f35f43d945b377c

Download Submit
C:\Users\Default\dllhost.exe

Filesize
1.7MB

MD5
bc4e6d08b1792abd69d59fa6a4ae6177

SHA1
8d900174d33d84d4fc7c212eaadb65b8a893dbc5

SHA256
ec94757d5977ccedfa1ad14af947d02f669ada8aff17d585d14e9300d0691bf9

SHA512
f52fb2efde63acacb65ca463b4eaa723809a91c0c877517c26858eb3fbbb8a22dbfd360943277c9c0d7e39bb9eb7808c81ad045436e05b35e5a8ec2455aac933

Download Submit
memory/100-20-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/100-8-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

Filesize
64KB

Download
memory/100-156-0x00007FF9DC8D3000-0x00007FF9DC8D5000-memory.dmp

Filesize
8KB

Download
memory/100-180-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/100-194-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/100-5-0x0000000001AA0000-0x0000000001AA8000-memory.dmp

Filesize
32KB

Download
memory/100-0-0x00007FF9DC8D3000-0x00007FF9DC8D5000-memory.dmp

Filesize
8KB

Download
memory/100-296-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/100-298-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/100-2-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/100-6-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/100-23-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/100-7-0x000000001BC80000-0x000000001BC96000-memory.dmp

Filesize
88KB

Download
memory/100-4-0x000000001C300000-0x000000001C350000-memory.dmp

Filesize
320KB

Download
memory/100-13-0x000000001C8A0000-0x000000001CDC8000-memory.dmp

Filesize
5.2MB

Download
memory/100-14-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/100-1-0x0000000000E80000-0x0000000001040000-memory.dmp

Filesize
1.8MB

Download
memory/100-15-0x000000001C5E0000-0x000000001C5EA000-memory.dmp

Filesize
40KB

Download
memory/100-16-0x000000001C590000-0x000000001C59E000-memory.dmp

Filesize
56KB

Download
memory/100-19-0x000000001C580000-0x000000001C58C000-memory.dmp

Filesize
48KB

Download
memory/100-17-0x000000001C5A0000-0x000000001C5A8000-memory.dmp

Filesize
32KB

Download
memory/100-18-0x000000001C570000-0x000000001C57C000-memory.dmp

Filesize
48KB

Download
memory/100-10-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

Filesize
32KB

Download
memory/100-12-0x000000001BCD0000-0x000000001BCE2000-memory.dmp

Filesize
72KB

Download
memory/100-9-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

Filesize
48KB

Download
memory/100-3-0x000000001BC60000-0x000000001BC7C000-memory.dmp

Filesize
112KB

Download
memory/508-299-0x000000001B190000-0x000000001B1A2000-memory.dmp

Filesize
72KB

Download
memory/3128-204-0x0000015B5F290000-0x0000015B5F2B2000-memory.dmp

Filesize
136KB

Download