dcrat | e9e6a5e4d64f01b158801bbaead6aedfeeb8cd754e734d1471f591ca3e2c08f8

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
Size

1.6MB
MD5

9af38351067812c0e3fa8e5ba3fdab5f
SHA1

896e6735656cc62d2f9258672683e200c9e30be5
SHA256

da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442
SHA512

dd35feecbb645e33a4a13247e31fac3cb480c9c9cc6aeca1e9434a082b4d7aaa77585583650358d7507e5e02d9a441c43754897c6bf09baf446346574d870c9d
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5756	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5456	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5136	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5852	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5812	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2148	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2148	schtasks.exe	87

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/212-1-0x00000000003C0000-0x0000000000562000-memory.dmp	dcrat
behavioral12/files/0x000700000002429d-26.dat	dcrat
behavioral12/files/0x000d0000000242d1-163.dat	dcrat
behavioral12/files/0x00080000000242ac-173.dat	dcrat
behavioral12/files/0x00070000000242d4-209.dat	dcrat
behavioral12/files/0x00080000000242ba-230.dat	dcrat
behavioral12/files/0x00080000000242c8-275.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5692	powershell.exe
4868	powershell.exe
4604	powershell.exe
4600	powershell.exe
4568	powershell.exe
4544	powershell.exe
4676	powershell.exe
4888	powershell.exe
3104	powershell.exe
3692	powershell.exe
2252	powershell.exe
4656	powershell.exe
952	powershell.exe
3036	powershell.exe
4548	powershell.exe
4708	powershell.exe
4620	powershell.exe
4684	powershell.exe
1772	powershell.exe
4752	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 14 IoCs

pid	Process
5288	dwm.exe
5492	dwm.exe
4404	dwm.exe
5132	dwm.exe
2212	dwm.exe
5812	dwm.exe
5956	dwm.exe
772	dwm.exe
3624	dwm.exe
4196	dwm.exe
732	dwm.exe
1448	dwm.exe
3260	dwm.exe
1672	dwm.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\29c1c3cc0f7685	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\7a0fd90576e088	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX6C7D.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\unsecapp.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX8E1D.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\dllhost.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\explorer.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files\Internet Explorer\images\56085415360792	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCX7145.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files\edge_BITS_4516_1522626358\RCX77E2.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\RCX8646.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files\edge_BITS_4516_1522626358\upfc.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCX7144.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files\edge_BITS_4516_1522626358\upfc.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX8E1C.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\5940a34987c991	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files\edge_BITS_4516_1522626358\ea1d8f6d871115	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files\Internet Explorer\images\wininit.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX6C7E.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files\edge_BITS_4516_1522626358\RCX7850.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\RCX86B4.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\explorer.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Program Files\Internet Explorer\images\wininit.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\unsecapp.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Registration\csrss.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Windows\Registration\886983d96e3d3e	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Windows\security\database\SearchApp.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\Registration\RCX6854.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\security\database\RCX6E94.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\security\database\SearchApp.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File created	C:\Windows\security\database\38384e6a620884	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\Registration\RCX6853.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\Registration\csrss.exe	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
File opened for modification	C:\Windows\security\database\RCX6E93.tmp	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4752	schtasks.exe
4600	schtasks.exe
4696	schtasks.exe
4848	schtasks.exe
5896	schtasks.exe
4544	schtasks.exe
5756	schtasks.exe
5456	schtasks.exe
4864	schtasks.exe
512	schtasks.exe
2784	schtasks.exe
5852	schtasks.exe
2876	schtasks.exe
1204	schtasks.exe
2252	schtasks.exe
4712	schtasks.exe
4512	schtasks.exe
64	schtasks.exe
3580	schtasks.exe
4232	schtasks.exe
3548	schtasks.exe
4728	schtasks.exe
1516	schtasks.exe
3928	schtasks.exe
3692	schtasks.exe
4676	schtasks.exe
3788	schtasks.exe
5024	schtasks.exe
2788	schtasks.exe
5028	schtasks.exe
5444	schtasks.exe
832	schtasks.exe
5812	schtasks.exe
1108	schtasks.exe
1888	schtasks.exe
4880	schtasks.exe
4620	schtasks.exe
4636	schtasks.exe
3588	schtasks.exe
4796	schtasks.exe
4404	schtasks.exe
4920	schtasks.exe
5136	schtasks.exe
4968	schtasks.exe
4980	schtasks.exe
2612	schtasks.exe
4744	schtasks.exe
4044	schtasks.exe
1208	schtasks.exe
4828	schtasks.exe
732	schtasks.exe
1068	schtasks.exe
1152	schtasks.exe
2636	schtasks.exe
3220	schtasks.exe
4000	schtasks.exe
1536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
3104	powershell.exe
3104	powershell.exe
5692	powershell.exe
5692	powershell.exe
4548	powershell.exe
4548	powershell.exe
3036	powershell.exe
3036	powershell.exe
4676	powershell.exe
4676	powershell.exe
4868	powershell.exe
4868	powershell.exe
3692	powershell.exe
3692	powershell.exe
4604	powershell.exe
4604	powershell.exe
2252	powershell.exe
2252	powershell.exe
952	powershell.exe
4752	powershell.exe
952	powershell.exe
4752	powershell.exe
4684	powershell.exe
4684	powershell.exe
4620	powershell.exe
4620	powershell.exe
1772	powershell.exe
1772	powershell.exe
4708	powershell.exe
4708	powershell.exe
4600	powershell.exe
4600	powershell.exe
4568	powershell.exe
4568	powershell.exe
4544	powershell.exe
4544	powershell.exe
4888	powershell.exe
4888	powershell.exe
4656	powershell.exe
4656	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	5692	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	5288	dwm.exe
Token: SeDebugPrivilege	5492	dwm.exe
Token: SeDebugPrivilege	4404	dwm.exe
Token: SeDebugPrivilege	5132	dwm.exe
Token: SeDebugPrivilege	2212	dwm.exe
Token: SeDebugPrivilege	5812	dwm.exe
Token: SeDebugPrivilege	5956	dwm.exe
Token: SeDebugPrivilege	772	dwm.exe
Token: SeDebugPrivilege	3624	dwm.exe
Token: SeDebugPrivilege	4196	dwm.exe
Token: SeDebugPrivilege	732	dwm.exe
Token: SeDebugPrivilege	1448	dwm.exe
Token: SeDebugPrivilege	3260	dwm.exe
Token: SeDebugPrivilege	1672	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4888	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	152
PID 212 wrote to memory of 4888	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	152
PID 212 wrote to memory of 3104	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	153
PID 212 wrote to memory of 3104	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	153
PID 212 wrote to memory of 5692	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	154
PID 212 wrote to memory of 5692	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	154
PID 212 wrote to memory of 952	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	155
PID 212 wrote to memory of 952	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	155
PID 212 wrote to memory of 3036	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	156
PID 212 wrote to memory of 3036	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	156
PID 212 wrote to memory of 3692	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	157
PID 212 wrote to memory of 3692	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	157
PID 212 wrote to memory of 4548	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	158
PID 212 wrote to memory of 4548	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	158
PID 212 wrote to memory of 1772	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	159
PID 212 wrote to memory of 1772	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	159
PID 212 wrote to memory of 2252	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	160
PID 212 wrote to memory of 2252	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	160
PID 212 wrote to memory of 4868	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	161
PID 212 wrote to memory of 4868	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	161
PID 212 wrote to memory of 4752	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	162
PID 212 wrote to memory of 4752	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	162
PID 212 wrote to memory of 4604	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	163
PID 212 wrote to memory of 4604	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	163
PID 212 wrote to memory of 4600	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	164
PID 212 wrote to memory of 4600	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	164
PID 212 wrote to memory of 4568	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	165
PID 212 wrote to memory of 4568	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	165
PID 212 wrote to memory of 4544	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	166
PID 212 wrote to memory of 4544	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	166
PID 212 wrote to memory of 4708	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	167
PID 212 wrote to memory of 4708	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	167
PID 212 wrote to memory of 4656	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	168
PID 212 wrote to memory of 4656	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	168
PID 212 wrote to memory of 4620	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	169
PID 212 wrote to memory of 4620	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	169
PID 212 wrote to memory of 4684	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	170
PID 212 wrote to memory of 4684	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	170
PID 212 wrote to memory of 4676	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	171
PID 212 wrote to memory of 4676	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	171
PID 212 wrote to memory of 5780	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	191
PID 212 wrote to memory of 5780	212	da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe	191
PID 5780 wrote to memory of 1048	5780	cmd.exe	194
PID 5780 wrote to memory of 1048	5780	cmd.exe	194
PID 5780 wrote to memory of 5288	5780	cmd.exe	195
PID 5780 wrote to memory of 5288	5780	cmd.exe	195
PID 5288 wrote to memory of 5744	5288	dwm.exe	196
PID 5288 wrote to memory of 5744	5288	dwm.exe	196
PID 5288 wrote to memory of 4700	5288	dwm.exe	197
PID 5288 wrote to memory of 4700	5288	dwm.exe	197
PID 5744 wrote to memory of 5492	5744	WScript.exe	198
PID 5744 wrote to memory of 5492	5744	WScript.exe	198
PID 5492 wrote to memory of 3336	5492	dwm.exe	200
PID 5492 wrote to memory of 3336	5492	dwm.exe	200
PID 5492 wrote to memory of 3404	5492	dwm.exe	201
PID 5492 wrote to memory of 3404	5492	dwm.exe	201
PID 3336 wrote to memory of 4404	3336	WScript.exe	210
PID 3336 wrote to memory of 4404	3336	WScript.exe	210
PID 4404 wrote to memory of 5292	4404	dwm.exe	211
PID 4404 wrote to memory of 5292	4404	dwm.exe	211
PID 4404 wrote to memory of 2032	4404	dwm.exe	212
PID 4404 wrote to memory of 2032	4404	dwm.exe	212
PID 5292 wrote to memory of 5132	5292	WScript.exe	213
PID 5292 wrote to memory of 5132	5292	WScript.exe	213

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe
"C:\Users\Admin\AppData\Local\Temp\da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\database\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4516_1522626358\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jGqiFaSSq9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5780
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1048
- - C:\d25f591a00514bc9ba8441\dwm.exe
    "C:\d25f591a00514bc9ba8441\dwm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5288
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35310899-e3a2-4291-ae13-548be232dd00.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5744
    - - C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5492
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce85b196-88ec-463b-9ab6-326857b7daaf.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33fa9736-17be-4ccf-ab40-74136a0442e9.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5292
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f012a26-9903-48e7-9f6e-5aae2ddcc741.vbs"
        10⤵
        
        PID:5740
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a314603-aa3e-4827-8fbf-41cb3aa56050.vbs"
        12⤵
        
        PID:6040
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\747ab7af-24eb-4d7e-a5fe-51b507f4013e.vbs"
        14⤵
        
        PID:1068
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46f2dbb5-8b03-480a-ab29-a77784bbd354.vbs"
        16⤵
        
        PID:5744
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec84ea05-c185-410c-be62-9f8b3a3965bf.vbs"
        18⤵
        
        PID:864
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\075cba98-52e2-42cd-8b73-070f87bc3718.vbs"
        20⤵
        
        PID:1512
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b6c9c0e-e810-4f55-b749-2b56af64edb4.vbs"
        22⤵
        
        PID:4880
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66c40e66-8ce6-4df9-a08f-0b1a0e952134.vbs"
        24⤵
        
        PID:1812
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e588007f-3e8a-4894-be4e-b34f5b36c9b9.vbs"
        26⤵
        
        PID:5512
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2e4064-1c4b-4f7c-aa0e-291440b266ab.vbs"
        28⤵
        
        PID:4356
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        
        C:\d25f591a00514bc9ba8441\dwm.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ced678c-9948-4de2-a2a7-d3507bdb1453.vbs"
        30⤵
        
        PID:5960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c40cda2f-a6dd-4fe5-9f40-167418af9869.vbs"
        30⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2bcb296-a4a1-4e77-bb6b-f41b7ac5d894.vbs"
        28⤵
        
        PID:6040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fab758c6-1e07-4d70-8f7b-7f82677e6619.vbs"
        26⤵
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e60ae663-0740-4391-8f64-4aff6ddffd8f.vbs"
        24⤵
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f28afa3c-0297-4126-b090-744a8484b963.vbs"
        22⤵
        
        PID:6124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85e5329f-17f0-4644-825d-f21b80d1437f.vbs"
        20⤵
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e12f7c55-d67d-4c25-ba17-32b4eac93ba3.vbs"
        18⤵
        
        PID:5264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c9f3bb3-064a-443a-b17e-b3c3f6e16b7d.vbs"
        16⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe444d45-17d9-4832-ba61-e95a4e3d398e.vbs"
        14⤵
        
        PID:5172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e92e78e-2be4-4d61-8c0f-faaf688376ab.vbs"
        12⤵
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd474e28-161b-45e5-8eee-9df19b671f21.vbs"
        10⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cbbf970-acf1-4032-8fb2-5fff69b3f898.vbs"
        8⤵
        
        PID:2032
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\128eec90-c12b-41a9-a87d-09f4d9c36516.vbs"
        6⤵
        
        PID:3404
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1206b6c7-2aa0-4912-9234-def46b3c3320.vbs"
      4⤵
      PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\security\database\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\security\database\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\security\database\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4516_1522626358\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4516_1522626358\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4516_1522626358\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\7e20f84d5244aba7145631d4073af8\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\7e20f84d5244aba7145631d4073af8\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\7e20f84d5244aba7145631d4073af8\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\images\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7e20f84d5244aba7145631d4073af8\TextInputHost.exe

Filesize
1.6MB

MD5
2e5f1f26217f9d1398194200fbde8531

SHA1
a076d06c9dd1f7f7f0a51763a56cb0967b50cc59

SHA256
b9a36acbeb2bfd0ec08d0e5f8de14e8db46e96a32cee7534879bb36481049507

SHA512
407b027840194b2393ff7578b6e7f546d94d7ddfdc717e93f06629fe493fa76a92a89784604ccfbb1e311d3bbfe2822580f10feefbf339c9452ce2fe0f95ca68

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\explorer.exe

Filesize
1.6MB

MD5
d667bbb43961b2559d76a603f7b82882

SHA1
0c2110984d89f7d9eb7618907b96274b2cbd7655

SHA256
67475d8de99005c8c8c8b6531372cc3a694346f397f035f09f64fe2ff243e0db

SHA512
9264b73df92782f8eb56a49308c9640471561a9e2cfadefb839684a8ed023148a8980dbee043fd4eb24072594764f801d7cfc1b9c72b4d2ea2ce4a95d7f77b8d

Download Submit
C:\Program Files\edge_BITS_4516_1522626358\upfc.exe

Filesize
1.6MB

MD5
871559f0626a41efe8da8da81eb6d38a

SHA1
bf5a17ca97fef9b585b86b8badc32cd8b24430d7

SHA256
85443106a71f00eb9a11d842ccd92cfd17fb6e2e5d68ef095306fd060cdc0e1d

SHA512
06c50b7c850e0efe2dd60c9ceb17f8c8ae9ab20e9fd42c71f4fe061b1707c3eb46a88458d16b89c439702886231179786cb7819bd8956e4a167acf1a7c8bdcd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
599b0a17dc8a76cf55232bb8f12fe387

SHA1
5006cf38ce7ea0dec8db9ca3c926b24cc84b525a

SHA256
dff1d446d5ff74ab70581c25d4b597602e41616d3d61751ec442d0865a2562fd

SHA512
24d8d2d654a95c971c0bb3edb1746b66f6a96a8a213a8d76fa1ca199f79888df723b412da565dc769d0270f97fd4fa459288b2892bdc747ebc254d19a579abce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0bd4bd93f744979c2ff15fb339578468

SHA1
bdf6bca364e4263812b052c4fe23e7165a737367

SHA256
6ba3fbd61850a6bf89ae2a29e3fb64fd5b669132986e82faf91cd4d9cefe6026

SHA512
5f69263775513123d2e018ca15a67e86d09f205198e5959e758e33a7155f00b066599a64349a79ad5faad24bfa214ea3632adcf9da232e8e91fa1591f7eae19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
af1e26d635495e7a52c5dc500610ee76

SHA1
7cffa44b70451795e240e707ca3c134b15fe4837

SHA256
3505a6078d79916aa201ce904383522973f0aed79ce19f86d74a879f81ce6980

SHA512
b6cabf85d7c177df9b81cb3e902171ad1cad43dbb6b21fa5735f8393a7b7cacbd1ac6bc4456be691070fec964c10d867e2db29efd7c6c7581ab3bbecac57a534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94256212310a547ba240e2aa86468177

SHA1
f52a751219868220e86405aba60f0504332444be

SHA256
4ff13717087ef748699f1fd75630e1ff8d92694f4d2079826c7229608639c50a

SHA512
22efada6acfff168e1d60d5fbd9ae9b504a7eb52ae30e4a5b571880e9c8a4ff4dff7fbf453d5c7281e13b5d7ab9b4269f040dc1d58e523edf6de9496b4a0dd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1b2770b6e93963548483b9857a191b12

SHA1
da1f36e92f6f116ea4d6300b279be899ed6413a8

SHA256
4c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b

SHA512
6fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
79a11bc629c54beffe541507473ca6c5

SHA1
7d1d78c10bfdb5e338ae4831f32a571a1362e3f6

SHA256
b75463c0765737425c2000412d88de89e64c69594cdbf48914b7973b32d4d919

SHA512
dcdf2dcfd3063a72096e3486bdd11b6a76a126320e3fc859543cac30e4d628b6bb873367d9c537657494d84ed3531cff355373a51af1ccda0c9be7b23356770a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
625c689ea160aa0287791e224e6dddf0

SHA1
daa4f06fbce11392bd6b7d137b938763683c8d55

SHA256
ff05cb1ccb64347598efa189167c7bfd407def795d0124e444f0d31e3ef98e27

SHA512
fe2df4b8a8ad16653f2ec87e9229fc27bfb596c50e490e1d0f71da7f8b535aad08ccb709d691f4f0e8f8e4759e322728ccf8fa179300fb5d74995e0d0ac6a6a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57a97b6c8c4cecbbaca70e7453397c5e

SHA1
89aaaa12386a9b191b7570c942b6c302bce1b218

SHA256
61104d386ede610e31af0f4532e78f309a907a100b7de7f6bd362ba758b1372f

SHA512
0b475f771633930a90ccc9fcf3b823f7ba0aa8d1c1c984eed37d8844f01988740f1974c3536a690e033b7861018e1e25a46d8ef86abd5fa24db02e1f6a07ffa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
92b2deffd5900b3c60f9e6737bc5b67d

SHA1
6ce9b13b44a2d7f5635f909b0bb177ea60dd8d06

SHA256
780876a6d4beab15e3264f97a68092540e927c1a24250a03068c4374d57d0906

SHA512
4658231390e04649f6b393abb54d0b2a68771731ef3780207139d0a66a73e866f70dc4e6a0bc9a92e7e78ea01667c68263a001a0f275087a403afd11a80ee27d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd3836b9dfd35d27a1995a2fd22e3d69

SHA1
db2b529de5bc342001e1345cb080a6d4e37d4bbb

SHA256
68319d7a4938108026a325379c349b37812234bcfa2d20273c3190f7858f5e5e

SHA512
76faa047525920891f6ae4c25f86ebde4861a0fa3122bd697d8c7d6d84866495bb8344af15f53ebb60bec1a39df59b81cb245b213a0788465a20e501de9387b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a822dfe702436e366414e8ddb6fb41d0

SHA1
db35e49e01a1baf69d51d52375fb26da32b12ddf

SHA256
929a0a2762a94d0f949b0bec034d141a00c1653d8dec84ff994d32e6e115a3b2

SHA512
67d023275898ba86b0f1bc67b0868b0a31038ce366b1ade6e433c1785d4150c8b630462afd2af2479d2268351d1e7dd5a6e99042020cfbfa1490d04420bd296c

Download Submit
C:\Users\Admin\AppData\Local\Temp\075cba98-52e2-42cd-8b73-070f87bc3718.vbs

Filesize
709B

MD5
7728a570b4c6b3edb8626a5cc7133b32

SHA1
c126aebdb01653a5936bfb57864c620ddfcd508b

SHA256
23f562c01d2006b797b2878609d4500e38dcfca793ec0fe521a60d3df330d68f

SHA512
0e31a0648251d47914634b7c6601f4b5a626bc0daaaeb9fa05236dc8f65d2299d80b37a2f59758d331b7de5dd5c11bdc9a2a28772adea7eb4fbce0b2cc6c84d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1206b6c7-2aa0-4912-9234-def46b3c3320.vbs

Filesize
485B

MD5
7d3323a3d60a7e03918f3c93084768b9

SHA1
ef51e6bf4bfb455af2994ce1be50fc76cc92f459

SHA256
ed8a037d26c25cd9722add4ff1d26d493e516ec1f66430d6d1c369f82eb3a445

SHA512
c303c833efbffb6b7afce5a19c64cfc40a723cef729ce17222f3aed6ccc305ad31a66b9c5bb85f5500dfa66c678b6383f491d3dc9f008ef26dfc43b8d2cc446b

Download Submit
C:\Users\Admin\AppData\Local\Temp\33fa9736-17be-4ccf-ab40-74136a0442e9.vbs

Filesize
709B

MD5
34617709eadd80b3e8479fbedfbee8f2

SHA1
ad28ad9e21f32fcd67db5e74dcdef8cd8e873e3b

SHA256
5502ed4cdf1117b685f18b051ee5333b93c778ebb17fe0f7d53cd7db4df049b8

SHA512
6a60119d55ca9c34f0618a8110a1d42c1775ea6a113d51fea757f6cb96b211c02545fc75430066d56d68ac3346ff6600aa9aeb0d2bab5ee2daed8efb96c70c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\35310899-e3a2-4291-ae13-548be232dd00.vbs

Filesize
709B

MD5
16f2ef42813fb22be57e6b2e5d9894c2

SHA1
636dde01e3d43b948b485e4b2dcc02161c09bd76

SHA256
d2437637cd0bfa3214dc0b12e2e49a8768b377bd5bfbf3c814c048c851fbd8a0

SHA512
07b8901b62e0c2b90abe041ecd0c84c3585773c41438dc9834fb0215815c31b8379cbf5fa74ca5fd55db01ffaa272acdc5bfbe75b09219079cb4583f5abd941d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b6c9c0e-e810-4f55-b749-2b56af64edb4.vbs

Filesize
709B

MD5
3145aa43884da0ab7735af6ab25190e5

SHA1
e4dc92e0a906d80e8bcd56b737b1d1408d9c8c96

SHA256
6157cd7d8730792e4477c39f50306c00d56895e18a0278b06e4252ef770ebef1

SHA512
66ca4ac14630fb2b74fbb69698fca10e163493871d91bc51e8915eeb195e2b59a35b5ad05ecf1676a87461833e9466cb52658d2c6d6100e3ec486130cce7d2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\46f2dbb5-8b03-480a-ab29-a77784bbd354.vbs

Filesize
709B

MD5
7d46af8d4cdb623ecc5a1ec19310e75a

SHA1
f273dd7c83bb5407fcb35d769bf7b2285adc1c1e

SHA256
ee87d50cf116a43d3236193f71d3828715de0290623ac82b7d269b38b8b56b8b

SHA512
7575829c2554fc8c6851639413311f7ee057f6130ed568a655e2a9c310ffdf8852b0286fd527f843fa3a62ab09592cd270c67bfed7458ac8bea2a8ec583f0489

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a314603-aa3e-4827-8fbf-41cb3aa56050.vbs

Filesize
709B

MD5
9a3857bbe2272a4f5289f6a59438ab4c

SHA1
8b3740c36bd3bf4e8cc3a1ade81a73e7ed8c6c4c

SHA256
510803db91a6904c9cc78a177f3c234cee66afa9ddf6f24b3589ad10e168565f

SHA512
6dd79e3740f6e763be1addf0c0397a4ad0212b05f1fd4db771102fa86091c8831d7e82f567bcd3a992d117b56ab0590e4edb10511353957851c81d57c9b7ca7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f012a26-9903-48e7-9f6e-5aae2ddcc741.vbs

Filesize
709B

MD5
87d78aa756a6179fa59a6d1fc6e6c398

SHA1
97f66200451f2185f5929d11c86e344046b9d937

SHA256
faf03852757e3de136d7548e0441054a81a5d0bd4a88018866c7398bbb6a11a0

SHA512
10a91bfa25bc93067b0d6180f6fc1cfee2f96c0667d6e21623f7fc1a7ff2af2252cf93c28ea913e731382ea1d18a3572eb7dd47e4ed62996472e3d76e2b976d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\747ab7af-24eb-4d7e-a5fe-51b507f4013e.vbs

Filesize
709B

MD5
faa25a328df8405dfbffc43fcf0511b3

SHA1
92a1515a36da69af2c44c8a4dd9908309f4778c0

SHA256
cb71b55deb83eac0af81354da0386648256d82a4d69442288038161a3da8969a

SHA512
df67d775e7ef0319f4e6fba694f7d8be6b1e811a6c1d984206d89c39c53a3bb415ddcdddebdd18d2080c30c73d26c76dab47654a18b49cc502bf2f0469f7b1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_moq2nlvp.hfb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce85b196-88ec-463b-9ab6-326857b7daaf.vbs

Filesize
709B

MD5
e5c2ceec3e83f7d0fa5b5410dae37964

SHA1
7b1e8e88e6fba487067a44d7a2bfe6c7d114ebe4

SHA256
a93dfb2cb8a524eac4ea77552ce4e3f5abd5b63244147b7a56770f07e506cbd8

SHA512
b3881bb2c4357912480a6946d43aad9bdcd23732707202309dfb82d782aa02ba2107f0885719f27a2881f8c511055342dc400249231b14d5bb830b3ed4c4312c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec84ea05-c185-410c-be62-9f8b3a3965bf.vbs

Filesize
708B

MD5
37b9c23561b71f0be1eaaa3619686055

SHA1
03017a43ccab3eed97996eaf046ebd82a9b709fc

SHA256
53b46add8c67aedb87031b401d8d360e4ec116f544f442cba57f025a4df44f64

SHA512
f7d0e5ef20f1346152f52de3abb19869900ab3b6fcd4b45230e14f43f0eaa071e4f12d225e3b559106cf30d9cbc35de8c1981a5b92cb7bdd19ab79eaf9fd9655

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGqiFaSSq9.bat

Filesize
198B

MD5
eb40d19baa8e6c8ee0b05dfb003fde4f

SHA1
1b48b3d857b2a574e6eb0345135882be971f7035

SHA256
fd6eeffd50fe773fa7ae777221fc60545f890092daf09f2115ce1685f8aaece3

SHA512
d2e8caad1cb7bb6e34e259fe5b735245aab7619c4771f7a8e544356be0d978f8e65492faac216aec239a5e22be797bc1bcbdd44028b1bc065e190a8d1e22ea88

Download Submit
C:\Users\Admin\Desktop\RuntimeBroker.exe

Filesize
1.6MB

MD5
8c843b36f9014f986a2fdf536a6ae848

SHA1
e569d1f6a5f9c5a38e20875b5e0fe4603e11d1a4

SHA256
449470f637ed92170af6cb1ebed508204275d5f7962ef0e0e0c67b1581dc005a

SHA512
1b8e7b7ee142c3e748fbb7d880bbaa78c469b9ea90891aedae97592a9be6b6b54d7e360da869ae99a4a5f559df6245d5bae7b9ee48994f7a1387f96174844b00

Download Submit
C:\Windows\security\database\SearchApp.exe

Filesize
1.6MB

MD5
9af38351067812c0e3fa8e5ba3fdab5f

SHA1
896e6735656cc62d2f9258672683e200c9e30be5

SHA256
da04c1cc45ee3c15dfa9a951b1e3c8d2d3fe4caa814713749b9471f3d1d49442

SHA512
dd35feecbb645e33a4a13247e31fac3cb480c9c9cc6aeca1e9434a082b4d7aaa77585583650358d7507e5e02d9a441c43754897c6bf09baf446346574d870c9d

Download Submit
C:\d25f591a00514bc9ba8441\RCX7AC3.tmp

Filesize
1.6MB

MD5
1f03ddcc4cfddc04ce25601f60375cc3

SHA1
45850dce2fac50ed6c239e75dad56c36098f9924

SHA256
030fbb5524087f6eb475f34a956fd3947591d9e2df1f4b9652c745b2df56ac56

SHA512
2887eddca9ceb946f6a7040af1264919dbfda1e362b19310f04e4ce94326dcb709cd289b261a3bf289f171979e46177604bd15be57a0272b824e18cc7be535bd

Download Submit
memory/212-12-0x000000001B810000-0x000000001B81A000-memory.dmp

Filesize
40KB

Download
memory/212-13-0x000000001B820000-0x000000001B82E000-memory.dmp

Filesize
56KB

Download
memory/212-200-0x00007FFC65343000-0x00007FFC65345000-memory.dmp

Filesize
8KB

Download
memory/212-0-0x00007FFC65343000-0x00007FFC65345000-memory.dmp

Filesize
8KB

Download
memory/212-284-0x00007FFC65340000-0x00007FFC65E01000-memory.dmp

Filesize
10.8MB

Download
memory/212-4-0x000000001B860000-0x000000001B8B0000-memory.dmp

Filesize
320KB

Download
memory/212-5-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/212-6-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/212-7-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/212-14-0x000000001B830000-0x000000001B838000-memory.dmp

Filesize
32KB

Download
memory/212-223-0x00007FFC65340000-0x00007FFC65E01000-memory.dmp

Filesize
10.8MB

Download
memory/212-1-0x00000000003C0000-0x0000000000562000-memory.dmp

Filesize
1.6MB

Download
memory/212-9-0x000000001B0D0000-0x000000001B0D8000-memory.dmp

Filesize
32KB

Download
memory/212-15-0x000000001B840000-0x000000001B848000-memory.dmp

Filesize
32KB

Download
memory/212-16-0x000000001B850000-0x000000001B85A000-memory.dmp

Filesize
40KB

Download
memory/212-17-0x000000001BA60000-0x000000001BA6C000-memory.dmp

Filesize
48KB

Download
memory/212-10-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/212-11-0x000000001B0F0000-0x000000001B0FC000-memory.dmp

Filesize
48KB

Download
memory/212-8-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/212-3-0x0000000000D20000-0x0000000000D3C000-memory.dmp

Filesize
112KB

Download
memory/212-2-0x00007FFC65340000-0x00007FFC65E01000-memory.dmp

Filesize
10.8MB

Download
memory/3692-285-0x0000024A48670000-0x0000024A48692000-memory.dmp

Filesize
136KB

Download