dcrat | f8eb9b286a0d33e287568961f883aa9d1be6e9ec8cf5eee3a3a1a6b106d02f74

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9f7b13b1d4a5686a42d38aaefabcaef.exe
Size

1.6MB
MD5

b9f7b13b1d4a5686a42d38aaefabcaef
SHA1

baef9eecc475391823826ba526c718bb37000265
SHA256

bbb979cf25c1acc089ab5d96f2a2a4f7d0276ad7d28f111f8f7d3b23226d07c9
SHA512

3905dc8820531d1c395c497ead44b034622b6277272cb64b0ed8c3906f4bd4dda396676db6cd8a520ad9c3a6420c67887ca2e5bbfc5388ea5e2b5caf8a9a7834
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6092	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5388	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6096	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5928	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5604	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2120	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	2120	schtasks.exe	90

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral22/memory/1940-1-0x0000000000020000-0x00000000001C2000-memory.dmp	dcrat
behavioral22/files/0x0007000000024236-26.dat	dcrat
behavioral22/files/0x000a000000024251-77.dat	dcrat
behavioral22/files/0x000900000002422d-88.dat	dcrat
behavioral22/files/0x000e000000024078-156.dat	dcrat
behavioral22/files/0x000d000000024060-167.dat	dcrat
behavioral22/files/0x0006000000021604-190.dat	dcrat
behavioral22/files/0x000c00000002406b-222.dat	dcrat
behavioral22/files/0x000c000000024270-625.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3512	powershell.exe
2344	powershell.exe
5020	powershell.exe
5992	powershell.exe
1060	powershell.exe
5868	powershell.exe
5412	powershell.exe
5748	powershell.exe
4608	powershell.exe
3420	powershell.exe
3940	powershell.exe
4520	powershell.exe
3624	powershell.exe
3992	powershell.exe
2324	powershell.exe
2440	powershell.exe
4516	powershell.exe
1448	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	b9f7b13b1d4a5686a42d38aaefabcaef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 14 IoCs

pid	Process
216	spoolsv.exe
1824	spoolsv.exe
2320	spoolsv.exe
228	spoolsv.exe
5616	spoolsv.exe
6016	spoolsv.exe
212	spoolsv.exe
5124	spoolsv.exe
3260	spoolsv.exe
3320	spoolsv.exe
5884	spoolsv.exe
2576	spoolsv.exe
1064	spoolsv.exe
2816	spoolsv.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\RCXA721.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\RCXA79F.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\f3b6ecef712a24	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x64\services.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\RuntimeBroker.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX9D95.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXAEB9.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Registry.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files\edge_BITS_4440_96118664\RCXB875.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files\edge_BITS_4440_96118664\RCXB876.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\SearchApp.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Google\Update\Registry.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files\edge_BITS_4440_96118664\winlogon.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Google\Update\smss.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\SearchApp.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXAEBA.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files\edge_BITS_4440_96118664\winlogon.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Google\Update\69ddcba757bf72	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\38384e6a620884	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files\edge_BITS_4440_96118664\cc11b995f2a76d	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX9B7F.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Google\Update\smss.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Google\Update\ee2ad38f3d4382	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCX9B80.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX9D94.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Registration\CRMLog\RCXB43C.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\Registration\CRMLog\9e8d7a4ca61bd9	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\RCXB13C.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\Registration\CRMLog\RuntimeBroker.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\servicing\winlogon.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\dwm.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\6cb0b6c459d5d3	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\Registration\CRMLog\RuntimeBroker.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\RCXB13D.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\dwm.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXB3BE.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b9f7b13b1d4a5686a42d38aaefabcaef.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4460	schtasks.exe
4804	schtasks.exe
3740	schtasks.exe
5104	schtasks.exe
4708	schtasks.exe
4684	schtasks.exe
4628	schtasks.exe
2044	schtasks.exe
4572	schtasks.exe
4644	schtasks.exe
4536	schtasks.exe
3376	schtasks.exe
3104	schtasks.exe
2800	schtasks.exe
1996	schtasks.exe
4624	schtasks.exe
6092	schtasks.exe
5560	schtasks.exe
388	schtasks.exe
4084	schtasks.exe
2624	schtasks.exe
2808	schtasks.exe
2320	schtasks.exe
4916	schtasks.exe
6096	schtasks.exe
3844	schtasks.exe
1216	schtasks.exe
820	schtasks.exe
1304	schtasks.exe
4800	schtasks.exe
4832	schtasks.exe
2020	schtasks.exe
2660	schtasks.exe
5296	schtasks.exe
4428	schtasks.exe
5324	schtasks.exe
4524	schtasks.exe
4444	schtasks.exe
4732	schtasks.exe
5388	schtasks.exe
4764	schtasks.exe
1652	schtasks.exe
1424	schtasks.exe
4080	schtasks.exe
1696	schtasks.exe
4780	schtasks.exe
2920	schtasks.exe
1928	schtasks.exe
5928	schtasks.exe
1776	schtasks.exe
5604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
3940	powershell.exe
3940	powershell.exe
4516	powershell.exe
4516	powershell.exe
3992	powershell.exe
3992	powershell.exe
5412	powershell.exe
5412	powershell.exe
3512	powershell.exe
3512	powershell.exe
5868	powershell.exe
5868	powershell.exe
4608	powershell.exe
4608	powershell.exe
2440	powershell.exe
2440	powershell.exe
1060	powershell.exe
1060	powershell.exe
5020	powershell.exe
5020	powershell.exe
2324	powershell.exe
2324	powershell.exe
1448	powershell.exe
1448	powershell.exe
4520	powershell.exe
4520	powershell.exe
3624	powershell.exe
3624	powershell.exe
2344	powershell.exe
2344	powershell.exe
5748	powershell.exe
5748	powershell.exe
5992	powershell.exe
5992	powershell.exe
4516	powershell.exe
4516	powershell.exe
3420	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	5412	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	216	spoolsv.exe
Token: SeDebugPrivilege	1824	spoolsv.exe
Token: SeDebugPrivilege	2320	spoolsv.exe
Token: SeDebugPrivilege	228	spoolsv.exe
Token: SeDebugPrivilege	5616	spoolsv.exe
Token: SeDebugPrivilege	6016	spoolsv.exe
Token: SeDebugPrivilege	212	spoolsv.exe
Token: SeDebugPrivilege	5124	spoolsv.exe
Token: SeDebugPrivilege	3260	spoolsv.exe
Token: SeDebugPrivilege	3320	spoolsv.exe
Token: SeDebugPrivilege	5884	spoolsv.exe
Token: SeDebugPrivilege	2576	spoolsv.exe
Token: SeDebugPrivilege	1064	spoolsv.exe
Token: SeDebugPrivilege	2816	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3940	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	145
PID 1940 wrote to memory of 3940	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	145
PID 1940 wrote to memory of 3512	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	146
PID 1940 wrote to memory of 3512	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	146
PID 1940 wrote to memory of 2440	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	147
PID 1940 wrote to memory of 2440	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	147
PID 1940 wrote to memory of 3420	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	148
PID 1940 wrote to memory of 3420	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	148
PID 1940 wrote to memory of 2344	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	149
PID 1940 wrote to memory of 2344	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	149
PID 1940 wrote to memory of 1448	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	151
PID 1940 wrote to memory of 1448	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	151
PID 1940 wrote to memory of 5412	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	152
PID 1940 wrote to memory of 5412	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	152
PID 1940 wrote to memory of 2324	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	154
PID 1940 wrote to memory of 2324	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	154
PID 1940 wrote to memory of 5868	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	156
PID 1940 wrote to memory of 5868	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	156
PID 1940 wrote to memory of 1060	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	158
PID 1940 wrote to memory of 1060	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	158
PID 1940 wrote to memory of 5748	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	159
PID 1940 wrote to memory of 5748	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	159
PID 1940 wrote to memory of 3992	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	161
PID 1940 wrote to memory of 3992	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	161
PID 1940 wrote to memory of 5992	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	162
PID 1940 wrote to memory of 5992	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	162
PID 1940 wrote to memory of 5020	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	163
PID 1940 wrote to memory of 5020	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	163
PID 1940 wrote to memory of 3624	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	164
PID 1940 wrote to memory of 3624	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	164
PID 1940 wrote to memory of 4608	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	165
PID 1940 wrote to memory of 4608	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	165
PID 1940 wrote to memory of 4520	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	166
PID 1940 wrote to memory of 4520	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	166
PID 1940 wrote to memory of 4516	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	167
PID 1940 wrote to memory of 4516	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	167
PID 1940 wrote to memory of 216	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	181
PID 1940 wrote to memory of 216	1940	b9f7b13b1d4a5686a42d38aaefabcaef.exe	181
PID 216 wrote to memory of 2624	216	spoolsv.exe	183
PID 216 wrote to memory of 2624	216	spoolsv.exe	183
PID 216 wrote to memory of 4532	216	spoolsv.exe	184
PID 216 wrote to memory of 4532	216	spoolsv.exe	184
PID 2624 wrote to memory of 1824	2624	WScript.exe	187
PID 2624 wrote to memory of 1824	2624	WScript.exe	187
PID 1824 wrote to memory of 4696	1824	spoolsv.exe	188
PID 1824 wrote to memory of 4696	1824	spoolsv.exe	188
PID 1824 wrote to memory of 4068	1824	spoolsv.exe	189
PID 1824 wrote to memory of 4068	1824	spoolsv.exe	189
PID 4696 wrote to memory of 2320	4696	WScript.exe	193
PID 4696 wrote to memory of 2320	4696	WScript.exe	193
PID 2320 wrote to memory of 4556	2320	spoolsv.exe	194
PID 2320 wrote to memory of 4556	2320	spoolsv.exe	194
PID 2320 wrote to memory of 4520	2320	spoolsv.exe	195
PID 2320 wrote to memory of 4520	2320	spoolsv.exe	195
PID 4556 wrote to memory of 228	4556	WScript.exe	197
PID 4556 wrote to memory of 228	4556	WScript.exe	197
PID 228 wrote to memory of 5548	228	spoolsv.exe	198
PID 228 wrote to memory of 5548	228	spoolsv.exe	198
PID 228 wrote to memory of 4976	228	spoolsv.exe	199
PID 228 wrote to memory of 4976	228	spoolsv.exe	199
PID 5548 wrote to memory of 5616	5548	WScript.exe	201
PID 5548 wrote to memory of 5616	5548	WScript.exe	201
PID 5616 wrote to memory of 5372	5616	spoolsv.exe	202
PID 5616 wrote to memory of 5372	5616	spoolsv.exe	202

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9f7b13b1d4a5686a42d38aaefabcaef.exe
"C:\Users\Admin\AppData\Local\Temp\b9f7b13b1d4a5686a42d38aaefabcaef.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b9f7b13b1d4a5686a42d38aaefabcaef.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\uk-UA\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\DataStore\Logs\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4440_96118664\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
  "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e5c6748-028a-427e-9588-99d7e82afa84.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
      "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8feb929d-3cb1-4063-8209-7a00b23ff89b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf2f1c50-8513-4995-996e-1c009602c1a6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec5d0f7a-214b-4455-aea3-9645b4094ede.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5548
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb3eb732-fdfa-415b-a522-dd827b6581b2.vbs"
        11⤵
        
        PID:5372
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fcc2014-85ac-4e07-a39c-89a97ac7b094.vbs"
        13⤵
        
        PID:5160
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66da2dae-4359-4d29-84b4-f273f40a911b.vbs"
        15⤵
        
        PID:916
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48ca1eb1-d2e7-48d9-8ac3-1cf30461eeb9.vbs"
        17⤵
        
        PID:4936
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f072e2bc-17d4-481a-9751-1a77a719dfa1.vbs"
        19⤵
        
        PID:1812
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db35f3df-b63c-401b-b1f7-fae00e2d20b5.vbs"
        21⤵
        
        PID:452
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a87983f4-0a1f-48b5-93f1-38d8e7ea9a46.vbs"
        23⤵
        
        PID:4680
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4493dcb2-181c-4f41-82b2-7b55a2198d20.vbs"
        25⤵
        
        PID:3904
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b59cec4b-73f5-494f-8fff-e40de5764faf.vbs"
        27⤵
        
        PID:4036
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cafe4fa0-0d96-462b-8b41-0758bd382525.vbs"
        29⤵
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7753a4c1-ef90-48d2-9557-f5696b7c7f60.vbs"
        29⤵
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cb7a003-103f-4689-b402-903e5c8cadab.vbs"
        27⤵
        
        PID:3656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56e4f885-4944-4ae2-8fd6-bf3e251f677a.vbs"
        25⤵
        
        PID:3524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21f0408b-c443-4dac-b856-3d448fcc53ff.vbs"
        23⤵
        
        PID:736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\461630c6-cb64-48bb-b45a-d7b2aabb2666.vbs"
        21⤵
        
        PID:5892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92b24540-cf6a-4bd1-b9bb-863692aedefb.vbs"
        19⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88fcf2d2-ef85-4fa1-be67-8ebf0aed8049.vbs"
        17⤵
        
        PID:4984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88ff18f4-1a68-4157-b0c5-56715b1fc957.vbs"
        15⤵
        
        PID:3892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c5ecbda-39af-457e-851c-26c16b857f2e.vbs"
        13⤵
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23837a08-ac31-4eba-ba44-e618867578c5.vbs"
        11⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1077917-e8ff-4fce-ab67-f29decaa0037.vbs"
        9⤵
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\933d6930-6aa3-4a1e-a3b2-3e0b1fe0289a.vbs"
        7⤵
        
        PID:4520
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e03baca-ae31-4b50-ac95-a0d0da2ebf6e.vbs"
        5⤵
        
        PID:4068
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\321dc835-6d26-4ab7-a701-947416d8cd24.vbs"
    3⤵
    PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\60739cf6f660743813\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\900323d723f1dd1206\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4440_96118664\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4440_96118664\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4440_96118664\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\900323d723f1dd1206\backgroundTaskHost.exe

Filesize
1.6MB

MD5
e816ce9b00a6e19e84181603cbcfb78a

SHA1
41e98b83f5e03f6a2ab9f6a58740b39dc10b5d5c

SHA256
44e58427e5790e88fe85edcbe6541e73b3c01b56a4f43b3c471bde167fdb8c10

SHA512
3a5ebbe5df70913ce957d77245c5f2625235643fcc8e434bfd44cb388d07c3ddbed01c4561b35fa42f1e875b0aeeea1dd8af4179b6a3cd91e8451bd44e800a1b

Download Submit
C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe

Filesize
1.6MB

MD5
b9f7b13b1d4a5686a42d38aaefabcaef

SHA1
baef9eecc475391823826ba526c718bb37000265

SHA256
bbb979cf25c1acc089ab5d96f2a2a4f7d0276ad7d28f111f8f7d3b23226d07c9

SHA512
3905dc8820531d1c395c497ead44b034622b6277272cb64b0ed8c3906f4bd4dda396676db6cd8a520ad9c3a6420c67887ca2e5bbfc5388ea5e2b5caf8a9a7834

Download Submit
C:\Program Files (x86)\Windows Media Player\uk-UA\SearchApp.exe

Filesize
1.6MB

MD5
9a4a3cc42f60885e68a10edfb58fb907

SHA1
cc52973a70a26c12fb8d2e8c6556484b9b39174a

SHA256
a568fb4c0a976445a884a065b8e87a7c11f9cc65c5b64b993fd060e0bc025941

SHA512
0052636c7dfc7f1ad7f0e60e16acf7c63443035c888142d0f99cd22222036bdf4c6c673dac1c6da1c799275cea80ffdeb8cb4760fcf442f804ad79a8d2552066

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.6MB

MD5
9bb771269a17df1c7803700ecc5bc8fd

SHA1
713eac788659ffc772c5d91b63507d78e3d20dae

SHA256
7c59a57e9132bb7e552ac205b50fa2957befeefe6541a1cab1f41a5e3e962379

SHA512
64e06fe30c6a853228fdb5637691b147a9ee9223962a82941b2110459efc6fc408f17b49467bba8fe42816df04209a404de79c16ee2b9127371b3efa7e5aded1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ee21a21f8b414c5a89db56be6641dd5

SHA1
2403dc36f95bcc4536ac61057a9ce76e11b470f9

SHA256
49cd0e958905a47f71f38c2211bacb5607f7903ae593a6e7f8156a1bab364d71

SHA512
996352f4281526569825fbbf6de92fd01b724ebe3dff34516df65c9986cff7cc9ebdba5b3068808740087441508a0678e44bce158f9f998431b441b5d31aa7aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c9a06205efb4ec6b1ca25ba605f9f6d

SHA1
53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

SHA256
4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

SHA512
e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2044ef36c414ed6e6c991e5fbe7d5bf1

SHA1
0dbd4be869af1290a771fa295db969dc14b2a1fc

SHA256
1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6

SHA512
304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c926b492b1d39d04f6e9656ec7f5877d

SHA1
c2cb3c49c5aa9b0616a7ddb11c9a1453855b352a

SHA256
b0beda1f817ee65a341d4792f15dbd70be363835d7ebc3af6302b771295bc907

SHA512
df815fe9c34f85a90c3692534993955ca3c6f57a317f46bd9366152993c5918cd6f376678f9957ae43317bb7f1f5ba65ae175dce8f5e9735749263214e1fe74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaf0080989fabad865a080216418fbf2

SHA1
935075309ff07f95b5c2ff643661fef989526e15

SHA256
86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

SHA512
21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
316c42ca95cd0ccbfd60996129f65adc

SHA1
e80bc56d3e28fc9081faae6a735d262fb0a8bbb1

SHA256
2cc6c0e6fc4690b21a7d1e699a487e22845a85933bab71638df535bb668e2d2f

SHA512
7be9772d74adec60087a0d18ef2a7ce837e7755f59077f311c4e52727184057774d279a508fb2407560f7a0b79f5c9a48fab8aff3f629bf2d967218816384242

Download Submit
C:\Users\Admin\AppData\Local\Temp\321dc835-6d26-4ab7-a701-947416d8cd24.vbs

Filesize
511B

MD5
a0cfe27af63e60b979993cdac9fea72f

SHA1
add4e510b9b8f6f01c643a09e9f6f30c7a1c00ef

SHA256
99358ddb6a65154095a320152a87ccba3ba597415ee5031ea788dafda8f997a9

SHA512
29e9964aa73331d961565f7b3f4c27ca1897fb3666cd9803e0fc20487bf40d16e52a2f070c4f53986832244ba426e7136d480bbd31ac3845f6fe7bbaa9719c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\48ca1eb1-d2e7-48d9-8ac3-1cf30461eeb9.vbs

Filesize
735B

MD5
8589219afbf123ab2915dd45c3b93f30

SHA1
16a04df8ac5f78b69bbeb32ed96236450b5daacb

SHA256
1a3bba37af348adb1f549f9aac2991da32c11a5282cb107cafb60ededf9bc2e5

SHA512
f8e6083aa67cc53643bc942a818f621038f02a8d0ca2327ef44677e5741f4e91bb4b10d3ecf8f7e4ac7680b7db5a006d838eb73070b74d1c920ea8bf414fc2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fcc2014-85ac-4e07-a39c-89a97ac7b094.vbs

Filesize
735B

MD5
5199015874cc7e0bbd2533c78e9d4209

SHA1
e71d7fa2aecc78071e2679971dd7c2bef6ba2e98

SHA256
9bb3dd6152629b1951d282f53095102fc83f149cb146831f106807f39f413563

SHA512
871b0d027f0ebfede3b55b20e4320f53ab40673c9a45fb2ebeb2c3dd608126ef2dcca0114869a7b3241df6ddcbddfcd1ef91682b9a5d68020a811dd6fae8b949

Download Submit
C:\Users\Admin\AppData\Local\Temp\66da2dae-4359-4d29-84b4-f273f40a911b.vbs

Filesize
734B

MD5
bcb00c550dc66f1decade51ea9d778bb

SHA1
31d7e650b9cb1915b238e768ed3f354820e23296

SHA256
c942bb90e8cd01b971d00c3e252d907a76a573e57f77ef8e740a0faea1b4f239

SHA512
8820a917100121f1aa9ed77b3dcdc4fda24121af266f4061ec7e0d36cfb4ca5fb0fb48e956f98f1a738cd321801996315260005e74d4adcf14e441e60d8c4225

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e5c6748-028a-427e-9588-99d7e82afa84.vbs

Filesize
734B

MD5
cb0f3f40bc3d52c3dc9ba3163c71095d

SHA1
b3eada27e082af2079a7820818723d364fe8d6b2

SHA256
765a6a2093b77094ef5ad044533d17f69b1bda12dafc002930a5d33071a341cc

SHA512
3ce8c55558b4c39eac21f6f239f9ce35335522446e1df073b16d0ce6f602c10e29b4ef15d1a0be2a7734ebb581cf1f277017f380825b05f6bc5ef4ddc699faf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8feb929d-3cb1-4063-8209-7a00b23ff89b.vbs

Filesize
735B

MD5
47fe62bcee2c73e1a7877ea844483c5b

SHA1
8d9e3f6dd07f9699029c92560fe3a61ccb5d649d

SHA256
69c048f0dc436edc6566d087b9720c96a991a464e0c121f44a270c964745772f

SHA512
a30d1b35b612387df254cf8283082de75631afd9cfa096113039af63b2c80352b98db88dac019724bfd91e2671414ee7f668791e4241a2884f352e687faaee89

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmx45lnl.5ve.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a87983f4-0a1f-48b5-93f1-38d8e7ea9a46.vbs

Filesize
735B

MD5
5a4d03b38576c0d8bf19fe96882cf1b1

SHA1
790f56e2f0921d414124db9459ca1130ed71ccc6

SHA256
bdd53206bc0cd45c85ce13a31c663c72ecc7b51e1ee20ab8a8c7468af9ff860b

SHA512
7d313d0d1a180d74a42659fe0038a5ee718db242ebb48cea8b0c55796e36502d4a5b9234c074d191dcc83ff86a23081d8a0d4bacb1a74132c74745684a2e1c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2f1c50-8513-4995-996e-1c009602c1a6.vbs

Filesize
735B

MD5
1c9076e0405f11cc928c53b4157b0923

SHA1
0540a534fca94b84d1b8c52b0e1493b4f14c7167

SHA256
f201de0c46c38c999c0dd0c7ec7ed6d482fb8f1bdbe6e98fe241a464e60061ac

SHA512
30cba25c03a96d1075be74538aca97416d7c7814ffb6330c7e6ef55e97435c3a317038cfe6e4fb120827919343fd782982397ebd1f68e52ab102bc601c660c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb3eb732-fdfa-415b-a522-dd827b6581b2.vbs

Filesize
735B

MD5
0f37ac2135964d7bdf94120f556bfbc4

SHA1
d52536456cb9c1bbff297c920ae1676772f8628d

SHA256
efbdb0cea8a6232df444924865d114f2fc6c080b4447f2624360127c4cbfa664

SHA512
60b02de81cb947d8368c8fc323124e494026c8f760c57a1c94b22462434dd7dcc6cbf3afb6372c4d166cc0a53fe828d0a61ab18ecb3051cb062bc18913295b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\db35f3df-b63c-401b-b1f7-fae00e2d20b5.vbs

Filesize
735B

MD5
ef9699806bc4168ba9dada102ac13127

SHA1
5ba7510e95d5d0d2b73996057835910dbe39a3a9

SHA256
38dfb086e3ca333b1db561e47e2037fe10cdd4189a245a26d5f3ce870697e64c

SHA512
e31eb3d74369a932125f00543c9dcd6a080fdc5a786730f9ab9936d2f51db782c0fc143c656d5dbe9d86c02e520b54f4afe5bbd295dadfabb8006115e7665ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec5d0f7a-214b-4455-aea3-9645b4094ede.vbs

Filesize
734B

MD5
adb72f924fa2f3889394a8b66d2320a4

SHA1
9901d40e5eb2ae5f4cb447a62b60c6733ebabbe3

SHA256
a1a9b82ee1e6f4d1a555ae1686a7b6ffdf70daf4e3788fa9e919c995730dd272

SHA512
91bc6147591e281b5aa0d4e644a14e86795f979383177035d77336f239d53bbf5ad559e612d4272fa69d0beed2bb08fbb56ecd34b57d4810b216b193a6a0f02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f072e2bc-17d4-481a-9751-1a77a719dfa1.vbs

Filesize
735B

MD5
13a16d3535b09fa86819ba8a07c55753

SHA1
9bdd2d6ec18c41628c20777cc34c3fd28359c8ae

SHA256
da7114f25e8bca809f89d526175605e81676f5cc6965502b148539a1e80ac025

SHA512
70f7ef20c95d0618d224c5b1adb0f65bd94063cbfbbbb8953b0c495e9582620268476964aced8a290f9e7580311db75ab4dab0c58036592fa762568bd9392640

Download Submit
C:\Users\Admin\AppData\Local\Temp\f41467ed2f8f667b0802443f55c4739e035a691f.exe

Filesize
1.6MB

MD5
ab4dd9d86b178ea7488b8eac33ea5cb7

SHA1
d1a6a63b9e716ed56df2240964fbafbf03b9781b

SHA256
c4941e660b7b749404724d470ea1d11b2ab3fbebb20a0f8988cf8430d420952c

SHA512
b8943e0ebbf5d68caf13d1a5a079cda587c4f65c48c5c48fe4484d32c312ba4ef0d3665c39ff92446726961022f90701a1726ac95fdc6c75ff32d1baeb672cb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\dllhost.exe

Filesize
1.6MB

MD5
4be138b4adc60f41d29b3dc4649c7007

SHA1
c8a89962947fcca6a2eadfbd6f5a1a43ef602a73

SHA256
31be11a6230b4dc6ff472d4774f981036ea8bc34771eacd3f35c265d83399c9c

SHA512
46feacb28b91455156989bc5567223ad6ee116c3e52c8557d66229aa74432182bb40a812eb8f9fedf4d2236eea9162b34b9eddaf8d55a25b95772ba9477a1a3c

Download Submit
C:\Users\Admin\Registry.exe

Filesize
1.6MB

MD5
923aaedaa70458735937c6e7a4bac565

SHA1
90025b21a612517389e2478cb8cbc57ad893d276

SHA256
fed45cb15e82196c86961c768cc164b698fd95ec9335fa5c0c600a16d0d051f8

SHA512
8631f7057aca508951a93099f0022775face3b780d57fadf795bf46f6582d6ff7164917e08bde44bfe8f6a48ff38b524010f30185d567f68aa21c4e4b5954add

Download Submit
C:\Windows\Registration\CRMLog\RuntimeBroker.exe

Filesize
1.6MB

MD5
8305de6239065bdd4b22060b159b9a65

SHA1
9b1f2d33e0ed0fb49499e27a233f45c3387766cb

SHA256
53c5942baedaf7e74b11c44916297683c6fa1f92cdb3eeb33a5ff737f0861090

SHA512
fb6aac07a2a4448f71d4a1901f30830ace049a5a0fd36258308b7d1acaafa254bd1e726fdb37ca2e4c4c6da19645e1452fda91699d40ca85cd650ea7272590c8

Download Submit
memory/1940-16-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/1940-11-0x00000000023D0000-0x00000000023DC000-memory.dmp

Filesize
48KB

Download
memory/1940-1-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/1940-204-0x00007FFFEB160000-0x00007FFFEBC21000-memory.dmp

Filesize
10.8MB

Download
memory/1940-181-0x00007FFFEB163000-0x00007FFFEB165000-memory.dmp

Filesize
8KB

Download
memory/1940-12-0x000000001B670000-0x000000001B67A000-memory.dmp

Filesize
40KB

Download
memory/1940-13-0x000000001B680000-0x000000001B68E000-memory.dmp

Filesize
56KB

Download
memory/1940-14-0x000000001B690000-0x000000001B698000-memory.dmp

Filesize
32KB

Download
memory/1940-15-0x000000001B6A0000-0x000000001B6A8000-memory.dmp

Filesize
32KB

Download
memory/1940-0-0x00007FFFEB163000-0x00007FFFEB165000-memory.dmp

Filesize
8KB

Download
memory/1940-17-0x000000001B6C0000-0x000000001B6CC000-memory.dmp

Filesize
48KB

Download
memory/1940-473-0x00007FFFEB160000-0x00007FFFEBC21000-memory.dmp

Filesize
10.8MB

Download
memory/1940-9-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/1940-10-0x00000000023C0000-0x00000000023CC000-memory.dmp

Filesize
48KB

Download
memory/1940-8-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/1940-6-0x0000000002320000-0x0000000002336000-memory.dmp

Filesize
88KB

Download
memory/1940-7-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/1940-4-0x0000000002360000-0x00000000023B0000-memory.dmp

Filesize
320KB

Download
memory/1940-5-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/1940-3-0x00000000022F0000-0x000000000230C000-memory.dmp

Filesize
112KB

Download
memory/1940-2-0x00007FFFEB160000-0x00007FFFEBC21000-memory.dmp

Filesize
10.8MB

Download
memory/3940-301-0x000001B447FF0000-0x000001B448012000-memory.dmp

Filesize
136KB

Download