dcrat | 8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
127s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
Size

1.6MB
MD5

897ea9c4d942c8ff6dad7af9d25612b5
SHA1

4e34616e3bc3414cb3d264575f865c4a0f9eefbc
SHA256

cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5
SHA512

0c580b68fec12b9621a6c62b572cf9035c74fe288db14658aa8a3b04f49419ee19036213bf5c1dfa335e37f409fb816bf04d420905880321aeedb7a3fddee35b
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	2952	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2952	schtasks.exe	88

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/4052-1-0x0000000000EF0000-0x0000000001092000-memory.dmp	dcrat
behavioral12/files/0x0007000000024147-26.dat	dcrat
behavioral12/files/0x000c000000024186-153.dat	dcrat
behavioral12/files/0x0009000000024152-164.dat	dcrat
behavioral12/files/0x0008000000024163-221.dat	dcrat
behavioral12/files/0x0009000000024167-233.dat	dcrat
behavioral12/files/0x0008000000024191-279.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4080	powershell.exe
2980	powershell.exe
2256	powershell.exe
3620	powershell.exe
4112	powershell.exe
1960	powershell.exe
2776	powershell.exe
4804	powershell.exe
3880	powershell.exe
616	powershell.exe
4668	powershell.exe
4468	powershell.exe
1420	powershell.exe
4556	powershell.exe
4020	powershell.exe
4528	powershell.exe
5056	powershell.exe
3600	powershell.exe
1344	powershell.exe
4564	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 14 IoCs

pid	Process
6136	backgroundTaskHost.exe
3512	backgroundTaskHost.exe
3876	backgroundTaskHost.exe
5912	backgroundTaskHost.exe
1960	backgroundTaskHost.exe
5128	backgroundTaskHost.exe
5532	backgroundTaskHost.exe
2040	backgroundTaskHost.exe
4404	backgroundTaskHost.exe
5428	backgroundTaskHost.exe
4080	backgroundTaskHost.exe
732	backgroundTaskHost.exe
3928	backgroundTaskHost.exe
5276	backgroundTaskHost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\PerceptionSimulation\en-US\unsecapp.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\System32\PerceptionSimulation\en-US\29c1c3cc0f7685	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\System32\PerceptionSimulation\en-US\RCXA2C2.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\System32\PerceptionSimulation\en-US\RCXA2D3.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\System32\PerceptionSimulation\en-US\unsecapp.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX99F0.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX99F1.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXB34B.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files\Mozilla Firefox\fonts\56085415360792	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXB34C.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Registry.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files\Mozilla Firefox\fonts\wininit.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\wininit.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Registry.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files (x86)\Reference Assemblies\ee2ad38f3d4382	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\CHT\27d1bcfc3c54e0	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\uk-UA\6cb0b6c459d5d3	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCX9C16.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\InputMethod\CHT\System.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\INF\TermService\0409\RuntimeBroker.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCXB0C8.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\INF\TermService\0409\RCXA4D7.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\uk-UA\dwm.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCXB0C9.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\INF\TermService\0409\RuntimeBroker.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\Speech\Engines\SR\SppExtComObj.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\uk-UA\dwm.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\uk-UA\RCXA71C.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\IdentityCRL\INT\6ccacd8608530f	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\IdentityCRL\INT\RCX9E1C.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\IdentityCRL\INT\Idle.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\INF\TermService\0409\RCXA4D8.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\Speech\Engines\SR\RCXB551.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\INF\TermService\0409\9e8d7a4ca61bd9	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\Globalization\Sorting\SppExtComObj.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\Speech\Engines\SR\e1ef82546f0b02	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\Globalization\Sorting\SppExtComObj.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\Speech\Engines\SR\RCXB550.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\Speech\Engines\SR\SppExtComObj.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\InputMethod\CHT\System.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\IdentityCRL\INT\Idle.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\Globalization\Sorting\e1ef82546f0b02	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCX9C05.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\IdentityCRL\INT\RCX9E1B.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\uk-UA\RCXA6DD.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2752	schtasks.exe
4352	schtasks.exe
760	schtasks.exe
4032	schtasks.exe
3876	schtasks.exe
3100	schtasks.exe
3632	schtasks.exe
4716	schtasks.exe
2916	schtasks.exe
4696	schtasks.exe
3356	schtasks.exe
2492	schtasks.exe
1804	schtasks.exe
4588	schtasks.exe
3164	schtasks.exe
2592	schtasks.exe
1312	schtasks.exe
4728	schtasks.exe
1296	schtasks.exe
3828	schtasks.exe
4944	schtasks.exe
4720	schtasks.exe
728	schtasks.exe
1472	schtasks.exe
376	schtasks.exe
2320	schtasks.exe
4476	schtasks.exe
1720	schtasks.exe
4060	schtasks.exe
3120	schtasks.exe
2544	schtasks.exe
4760	schtasks.exe
4112	schtasks.exe
2716	schtasks.exe
2284	schtasks.exe
1392	schtasks.exe
3976	schtasks.exe
1128	schtasks.exe
3096	schtasks.exe
2340	schtasks.exe
2092	schtasks.exe
2996	schtasks.exe
664	schtasks.exe
4560	schtasks.exe
1636	schtasks.exe
4228	schtasks.exe
368	schtasks.exe
1560	schtasks.exe
1536	schtasks.exe
1708	schtasks.exe
1776	schtasks.exe
4068	schtasks.exe
2784	schtasks.exe
2620	schtasks.exe
3040	schtasks.exe
3456	schtasks.exe
2276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
4468	powershell.exe
4804	powershell.exe
4468	powershell.exe
4804	powershell.exe
3600	powershell.exe
3600	powershell.exe
3880	powershell.exe
3880	powershell.exe
4112	powershell.exe
4112	powershell.exe
4020	powershell.exe
4020	powershell.exe
4556	powershell.exe
4556	powershell.exe
3620	powershell.exe
3620	powershell.exe
5056	powershell.exe
5056	powershell.exe
4668	powershell.exe
4668	powershell.exe
2256	powershell.exe
2256	powershell.exe
4564	powershell.exe
4564	powershell.exe
4528	powershell.exe
616	powershell.exe
4528	powershell.exe
616	powershell.exe
1420	powershell.exe
1420	powershell.exe
2980	powershell.exe
2980	powershell.exe
2776	powershell.exe
2776	powershell.exe
4080	powershell.exe
4080	powershell.exe
1344	powershell.exe
1344	powershell.exe
1960	powershell.exe
1960	powershell.exe
4020	powershell.exe
4080	powershell.exe
4468	powershell.exe
4468	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	6136	backgroundTaskHost.exe
Token: SeDebugPrivilege	3512	backgroundTaskHost.exe
Token: SeDebugPrivilege	3876	backgroundTaskHost.exe
Token: SeDebugPrivilege	5912	backgroundTaskHost.exe
Token: SeDebugPrivilege	1960	backgroundTaskHost.exe
Token: SeDebugPrivilege	5128	backgroundTaskHost.exe
Token: SeDebugPrivilege	5532	backgroundTaskHost.exe
Token: SeDebugPrivilege	2040	backgroundTaskHost.exe
Token: SeDebugPrivilege	4404	backgroundTaskHost.exe
Token: SeDebugPrivilege	5428	backgroundTaskHost.exe
Token: SeDebugPrivilege	4080	backgroundTaskHost.exe
Token: SeDebugPrivilege	732	backgroundTaskHost.exe
Token: SeDebugPrivilege	3928	backgroundTaskHost.exe
Token: SeDebugPrivilege	5276	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1344	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	153
PID 4052 wrote to memory of 1344	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	153
PID 4052 wrote to memory of 3880	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	154
PID 4052 wrote to memory of 3880	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	154
PID 4052 wrote to memory of 3600	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	155
PID 4052 wrote to memory of 3600	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	155
PID 4052 wrote to memory of 3620	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	156
PID 4052 wrote to memory of 3620	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	156
PID 4052 wrote to memory of 2256	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	157
PID 4052 wrote to memory of 2256	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	157
PID 4052 wrote to memory of 4468	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	158
PID 4052 wrote to memory of 4468	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	158
PID 4052 wrote to memory of 5056	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	159
PID 4052 wrote to memory of 5056	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	159
PID 4052 wrote to memory of 4668	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	161
PID 4052 wrote to memory of 4668	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	161
PID 4052 wrote to memory of 2980	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	162
PID 4052 wrote to memory of 2980	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	162
PID 4052 wrote to memory of 4804	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	163
PID 4052 wrote to memory of 4804	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	163
PID 4052 wrote to memory of 4528	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	164
PID 4052 wrote to memory of 4528	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	164
PID 4052 wrote to memory of 2776	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	165
PID 4052 wrote to memory of 2776	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	165
PID 4052 wrote to memory of 4020	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	166
PID 4052 wrote to memory of 4020	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	166
PID 4052 wrote to memory of 1960	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	167
PID 4052 wrote to memory of 1960	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	167
PID 4052 wrote to memory of 4080	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	168
PID 4052 wrote to memory of 4080	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	168
PID 4052 wrote to memory of 4556	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	170
PID 4052 wrote to memory of 4556	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	170
PID 4052 wrote to memory of 4564	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	172
PID 4052 wrote to memory of 4564	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	172
PID 4052 wrote to memory of 1420	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	173
PID 4052 wrote to memory of 1420	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	173
PID 4052 wrote to memory of 616	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	175
PID 4052 wrote to memory of 616	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	175
PID 4052 wrote to memory of 4112	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	176
PID 4052 wrote to memory of 4112	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	176
PID 4052 wrote to memory of 6136	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	193
PID 4052 wrote to memory of 6136	4052	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	193
PID 6136 wrote to memory of 5200	6136	backgroundTaskHost.exe	194
PID 6136 wrote to memory of 5200	6136	backgroundTaskHost.exe	194
PID 6136 wrote to memory of 5496	6136	backgroundTaskHost.exe	195
PID 6136 wrote to memory of 5496	6136	backgroundTaskHost.exe	195
PID 5200 wrote to memory of 3512	5200	WScript.exe	196
PID 5200 wrote to memory of 3512	5200	WScript.exe	196
PID 3512 wrote to memory of 2492	3512	backgroundTaskHost.exe	198
PID 3512 wrote to memory of 2492	3512	backgroundTaskHost.exe	198
PID 3512 wrote to memory of 4952	3512	backgroundTaskHost.exe	199
PID 3512 wrote to memory of 4952	3512	backgroundTaskHost.exe	199
PID 2492 wrote to memory of 3876	2492	WScript.exe	201
PID 2492 wrote to memory of 3876	2492	WScript.exe	201
PID 3876 wrote to memory of 5188	3876	backgroundTaskHost.exe	203
PID 3876 wrote to memory of 5188	3876	backgroundTaskHost.exe	203
PID 3876 wrote to memory of 3296	3876	backgroundTaskHost.exe	204
PID 3876 wrote to memory of 3296	3876	backgroundTaskHost.exe	204
PID 5188 wrote to memory of 5912	5188	WScript.exe	211
PID 5188 wrote to memory of 5912	5188	WScript.exe	211
PID 5912 wrote to memory of 1100	5912	backgroundTaskHost.exe	212
PID 5912 wrote to memory of 1100	5912	backgroundTaskHost.exe	212
PID 5912 wrote to memory of 5840	5912	backgroundTaskHost.exe	213
PID 5912 wrote to memory of 5840	5912	backgroundTaskHost.exe	213

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
"C:\Users\Admin\AppData\Local\Temp\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\CHT\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PerceptionSimulation\en-US\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\TermService\0409\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\SR\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
  "C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:6136
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76c31ff4-9ca5-4902-bc9e-0e5b3303cac7.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5200
  - - C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
      C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7d9f112-d145-4028-9e36-dd0d7117e100.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4c88472-f0f6-42d9-97a9-f0f6e20dff4f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5188
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c008bef-5790-4f15-ace0-8040d6616e31.vbs"
        9⤵
        
        PID:1100
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11d2636e-5f09-4084-9d54-eb04a49d868c.vbs"
        11⤵
        
        PID:5868
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4da20b5-b983-4ea1-b187-d6c2fbbd9473.vbs"
        13⤵
        
        PID:5576
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcd6e8cd-90e8-4ad1-8754-51ab11ac5cb1.vbs"
        15⤵
        
        PID:2356
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96973b0a-313e-4523-9dc5-476849781661.vbs"
        17⤵
        
        PID:3732
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fdf098a-7cd1-41b7-9f7f-f92feff43a1e.vbs"
        19⤵
        
        PID:4656
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32d626de-7beb-4ebf-9f50-daeaa8630b49.vbs"
        21⤵
        
        PID:3548
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86309f46-b6e6-4713-a594-7d7be81145fa.vbs"
        23⤵
        
        PID:1992
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb710c40-0b39-4f5a-a876-d4d324a2397d.vbs"
        25⤵
        
        PID:1960
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\088db5b3-7f71-453c-8e5a-d66328f8ead7.vbs"
        27⤵
        
        PID:2236
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1107ad1-096f-44a3-a467-22fa4b4cd5bb.vbs"
        29⤵
        
        PID:524
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        30⤵
        
        PID:5664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\912e8567-727e-4720-9be3-89f05d2980c5.vbs"
        31⤵
        
        PID:4032
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe
        32⤵
        
        PID:5864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\748cfac1-208c-4b34-9a2a-63aeea25b68f.vbs"
        33⤵
        
        PID:5224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3cec464-fa79-4e3b-ae9f-874a7d8f2df1.vbs"
        33⤵
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\102030b9-e8e1-461f-b341-bcda5bdc6fc7.vbs"
        31⤵
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76514fb7-acaf-498d-9ba8-f393b185cdb1.vbs"
        29⤵
        
        PID:5396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ffe0ed7-14f8-4a01-9ab0-00eabea8d92f.vbs"
        27⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\165722b0-92c0-44c4-8030-c22278f6bb32.vbs"
        25⤵
        
        PID:5048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69e73a9f-d802-4ca3-9c7a-29e882ecff88.vbs"
        23⤵
        
        PID:5228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae72923c-9964-4d66-a914-c33ef1b206d9.vbs"
        21⤵
        
        PID:4344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b026ad-3c1b-4d4a-83de-c13b65e91586.vbs"
        19⤵
        
        PID:5796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ecb61af-1773-4d2a-83aa-4e6478b5059f.vbs"
        17⤵
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c6ea9c1-b32c-4465-808f-ca9c2736552c.vbs"
        15⤵
        
        PID:5960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99c12247-6ca0-4035-88e5-e1da161bad15.vbs"
        13⤵
        
        PID:4212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e198797-5f62-45b4-8d2a-8808a6412d96.vbs"
        11⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e364f52-5522-40a5-a932-13f6016d8cdb.vbs"
        9⤵
        
        PID:5840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2371e1f5-09a8-4799-918a-005cca1d5a33.vbs"
        7⤵
        
        PID:3296
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6d82930-e8e4-4c82-bb3a-1df91bef3cf4.vbs"
        5⤵
        
        PID:4952
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fe95771-5fab-488d-96f3-0bde38885c71.vbs"
    3⤵
    PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\CHT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\InputMethod\CHT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\INT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\INT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\PerceptionSimulation\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\PerceptionSimulation\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\PerceptionSimulation\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\TermService\0409\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\INF\TermService\0409\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\TermService\0409\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\uk-UA\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\uk-UA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\uk-UA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5c" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5c" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Sorting\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\Sorting\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\Engines\SR\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\SR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\Engines\SR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\TextInputHost.exe

Filesize
1.6MB

MD5
6d5035a60b6b4f004d6ebf84fe61206c

SHA1
619ae3044d57a735376d617eea59366b9c48d6cd

SHA256
eabf6b0218bb87688cc08b7cb7926f64319a3bc7f2d70aa9eae8b67f2c3c8f32

SHA512
5f32f1b0ec25773c948b7ac722b907673c3be6419872cda2e31bed64852fb936cbe34ccd46c4fa6b9fc0d746434946af671105f70747786a8c2d8863fa1ca9bb

Download Submit
C:\Recovery\WindowsRE\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe

Filesize
1.6MB

MD5
6bbec0c1875cd4313985127231dd54d8

SHA1
f6d76594a25617e107ec75f374e36838a2837810

SHA256
4449998ffa0411d73a5b55c2b8829509fce56580a58d5bf0e93385a5192a0024

SHA512
a49ec22adc9893d47387b0104989952afa779bcd768d2c016506fe9dbb2b049312f866c40a684ad200aa1feb9fdbf19bbed9990906b7adefd61c50e411d07078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0bd4bd93f744979c2ff15fb339578468

SHA1
bdf6bca364e4263812b052c4fe23e7165a737367

SHA256
6ba3fbd61850a6bf89ae2a29e3fb64fd5b669132986e82faf91cd4d9cefe6026

SHA512
5f69263775513123d2e018ca15a67e86d09f205198e5959e758e33a7155f00b066599a64349a79ad5faad24bfa214ea3632adcf9da232e8e91fa1591f7eae19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
af1e26d635495e7a52c5dc500610ee76

SHA1
7cffa44b70451795e240e707ca3c134b15fe4837

SHA256
3505a6078d79916aa201ce904383522973f0aed79ce19f86d74a879f81ce6980

SHA512
b6cabf85d7c177df9b81cb3e902171ad1cad43dbb6b21fa5735f8393a7b7cacbd1ac6bc4456be691070fec964c10d867e2db29efd7c6c7581ab3bbecac57a534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57a97b6c8c4cecbbaca70e7453397c5e

SHA1
89aaaa12386a9b191b7570c942b6c302bce1b218

SHA256
61104d386ede610e31af0f4532e78f309a907a100b7de7f6bd362ba758b1372f

SHA512
0b475f771633930a90ccc9fcf3b823f7ba0aa8d1c1c984eed37d8844f01988740f1974c3536a690e033b7861018e1e25a46d8ef86abd5fa24db02e1f6a07ffa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94256212310a547ba240e2aa86468177

SHA1
f52a751219868220e86405aba60f0504332444be

SHA256
4ff13717087ef748699f1fd75630e1ff8d92694f4d2079826c7229608639c50a

SHA512
22efada6acfff168e1d60d5fbd9ae9b504a7eb52ae30e4a5b571880e9c8a4ff4dff7fbf453d5c7281e13b5d7ab9b4269f040dc1d58e523edf6de9496b4a0dd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc3171c3b52aa17359a2dd52f98ac905

SHA1
690d766c5fc3f21a91e27e4ba11513f135c640ee

SHA256
cdab093c32bd06c16808a03bef83de05f6a5ed68dc335fada9f925831215cf33

SHA512
5a069ce11527f5375ab5a8ef53602b39ce7e44a61a1e001662ec06836715c1bcdba34da441ec599648b761f1234e7231d160c4e0ccec92d9d003c3d31420d40c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0cf7dcc8e715a3adb60273e2d687ec14

SHA1
153e79121708a67a619762b6ead0991d321667ac

SHA256
df09c90760a7d935978206d29a0cd22bf2454f1e73d862d339af43503c6e93f2

SHA512
6e057853c247186574cde2bd8c5c085311ab2a24e85ed16078c869f82379d702b8b7f35400f3430aba03b6103529e6042fe9d6f517b08f9ee1c365d0d3fbec24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f532a56ff7168bf1c954233a1f87b6c

SHA1
379d43d676d92b455f62b4677389e488905a55c6

SHA256
0a23108d89a76df1d5c3b869dc77157c66ea2873346d7d7427fab9c49ec53f07

SHA512
3c07fd3e20ac3b58ca06f1db83a5e0120f6eee5acf69d2456f035975636d3777feaa00289cd84b9397c515def9db0add9c1f2c6b9e168568ccee009f7dc06769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1b2770b6e93963548483b9857a191b12

SHA1
da1f36e92f6f116ea4d6300b279be899ed6413a8

SHA256
4c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b

SHA512
6fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fe95771-5fab-488d-96f3-0bde38885c71.vbs

Filesize
510B

MD5
e9d7acd43c53dfdf337cfdb0d13dbb56

SHA1
0528d20754dfc26edd369f8b7ba70a083940627d

SHA256
4775691a5d9d6c1a401abefef7d75a09623f05522f59cdbbf3ff89e38b93962b

SHA512
18924da1a666832a3e25867b4613c7f814522b72f3ef4f58c5509e08639c127b6c447a916ca2c8b49c4dc4ad80c255ce5d43f50eef2c08cda6a0d322d2520b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\11d2636e-5f09-4084-9d54-eb04a49d868c.vbs

Filesize
734B

MD5
38b32a8a42a8a5b2b75339da2a23ae77

SHA1
ba34e998ab5afc014a3f3576353b60db9700b831

SHA256
eafc5730f0354bf7ed4e943226c26803b75d9d35e88ba71c14e7bab63413f30f

SHA512
2a4ca638080c10a6440583e9b0559f14a289d7af0262c61f7045163f02aad420127497cdb230045d1b25302519e52d4a35787a5363bab1803d72a702a6eea676

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c008bef-5790-4f15-ace0-8040d6616e31.vbs

Filesize
734B

MD5
373542695db2c953bb9aa44ad7f656ed

SHA1
83ac33bd4103dcd6f9c49d707b8e8f07d245585c

SHA256
4aa255a8604be1ad91c00964b4b4b2f70cb5f22fd60d4502c8209c9dc852b95c

SHA512
1b16cce9e98a23b8fb88ebf00f9b1f9ebb3d70672b19eaf8b567d7c4c7f03e12d53d99820cc9988b667ebb8cdb4cd4b717a754fed5f046d387d5b736b4eca10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\32d626de-7beb-4ebf-9f50-daeaa8630b49.vbs

Filesize
734B

MD5
38216234b9bc17856d1b5fe7fd7597aa

SHA1
354a66b51cb954cc42715d3d5b162df29d049fd4

SHA256
513a5fc15c77a986d36b95e0729a601de492778e16e67931922148dbec06f268

SHA512
282a87d7a9e8d2c08bd745a6ac3552c58388741136fb4fb00dfd823f55e53c1373956975bf7ad58955a9607f12029520bf9bc46095543758fbbceeb16fdfcc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fdf098a-7cd1-41b7-9f7f-f92feff43a1e.vbs

Filesize
734B

MD5
86fce07eeea831c99a6aa6edf6f1d663

SHA1
6b9ab6c1db249b0d0e4da479c903b64bde52e882

SHA256
5d3b1229bc62613789032af9e8e24ad67e696bb33435ffcb991ad592153fcfe7

SHA512
05976c402e82cafe8294ef3083cb9ee4688caee663967bebe2b3a739e0f2d0ac178dce29e326e8f2fd78e10d493e800135fa47bfd793f515002d11f249b4898a

Download Submit
C:\Users\Admin\AppData\Local\Temp\76c31ff4-9ca5-4902-bc9e-0e5b3303cac7.vbs

Filesize
734B

MD5
73c0911f243b5c4fefb10691d75b9d7f

SHA1
56fe6f381140e6c3c0a994fca0c1ea2f58150913

SHA256
c69417e265dd796087101ef4bd95a56a7d6b826331e87b21e5a2a31d18cb8b69

SHA512
9e9036684ab102ebd88799395c23c9ff11dc21ddc15d15fdeeb36c0251531160cbf15f103b56e09eeea8e34f741febe1c095ab4226b68aa01349f84f93fc2ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\86309f46-b6e6-4713-a594-7d7be81145fa.vbs

Filesize
734B

MD5
ad51eee8e87494c31851a10f26d75a53

SHA1
06cd5d2a191cd27c8e1e69b8ed62d1a9bef981ce

SHA256
ad8c685e0b8dcd5044f154ecf3eb3a6a3e0a1c57534cb33d87c0fe034ce3a17b

SHA512
54a2335924902897e2f3fdafe1cef9a2760b894909dda8cae888ce59fbb22d2347b123bd87f8fd8595b3318e0fa61f3ccfeb9f6ed3aa1ce5bc37870cebb2c348

Download Submit
C:\Users\Admin\AppData\Local\Temp\96973b0a-313e-4523-9dc5-476849781661.vbs

Filesize
734B

MD5
f634f916c7d6ee8385553ef47710ae32

SHA1
d68342d6a43e8158d18cb03ff1f96f57f218b9de

SHA256
66399e955ea09c239e520f92f3bccbf883b403f84639a4e747b6ed8201e691e6

SHA512
2d813694817d9a25e29319b771443e61b636960e401b206d26b94569140512b6895e8abda0bfa7b3c501618a044e50f797183111a6f381ae605e53d8e99baabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urwncmc3.ck0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4c88472-f0f6-42d9-97a9-f0f6e20dff4f.vbs

Filesize
734B

MD5
fca5794b4ee1698974d38f300f1ccc47

SHA1
80b6f32493ea0f4ae1b8700ea81f94652f9a0a76

SHA256
0f51312744c39bc5cb38641d6f7d612100109840f98c5dad58c5a21a4cf37fdb

SHA512
f5c3dc56d753b689741513154547a530c54be85a3aec9b0b9caee264ace82352085b49f476efc88380c3d962fc5981816b7f70a84fcc4386e80cd95a4fbe24eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4da20b5-b983-4ea1-b187-d6c2fbbd9473.vbs

Filesize
734B

MD5
2ce91ad762df2a9d13bf618b214f9612

SHA1
4c651e813b6d5b6062979168e78b3455bfb0cc04

SHA256
2008be39399749b69862ef14c98a76a24693a4498a9574d34f85bccf9a720793

SHA512
be500756c24baafe64241976fe500028b92371bc889560d6e6330ac96d758860566b8690c9ad6451f281ea88400a48636788bc5755228f6e23dc6aabbf6e726d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7d9f112-d145-4028-9e36-dd0d7117e100.vbs

Filesize
734B

MD5
be7c6133b56f28854f95999fd09de556

SHA1
96692fea5195bdaf2f81ca8216280533c0fad903

SHA256
6a3e54635ff7d83c1a73f0e73ffe609e4116eee2ad1b2c3db4ca11fec9f38e6b

SHA512
acaa5a37ebf853c41dce8b9452f55c3ccab50cebc47ac56b6db0fa10bb05fff5b27e19c0fc053ff0dec9b7635201ae717646923c46f7d4ccfcc5fa67984c7920

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb710c40-0b39-4f5a-a876-d4d324a2397d.vbs

Filesize
733B

MD5
beb336e6832412b22c12fe0ceea2b604

SHA1
c2149c463a8450ecd86d99b7799a8094e947118e

SHA256
f383e97af3ec1e42de6cdb90a14d544b67eec2d620ad4447f54bea7bf93e5af4

SHA512
cdf3d15ffe67e9e1a40c05041c53d9abf20615b90bb87368c7ff6910765cb3f8990548f5be22198c0c6027770de79a231c8784657775dfd341ebb8da86c3a31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcd6e8cd-90e8-4ad1-8754-51ab11ac5cb1.vbs

Filesize
734B

MD5
28f7cee3e6af336b638dd3c79b5f47fc

SHA1
dd648a7a71cee51b599c725c1ab5a90ebd89b54f

SHA256
3ae702e382d6280ed0f16f8a3b2eeac0864d55991ec8ceff54794c7b3f28cce4

SHA512
4aecbe7957cf1b2b9133fb00ffb21c58d290f9b86bb552721c24c193d8a6160e64153fca255b8ce1312f840a056f87a1efcd21235baf5a5a6354919f4de2980d

Download Submit
C:\Windows\System32\PerceptionSimulation\en-US\unsecapp.exe

Filesize
1.6MB

MD5
897ea9c4d942c8ff6dad7af9d25612b5

SHA1
4e34616e3bc3414cb3d264575f865c4a0f9eefbc

SHA256
cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5

SHA512
0c580b68fec12b9621a6c62b572cf9035c74fe288db14658aa8a3b04f49419ee19036213bf5c1dfa335e37f409fb816bf04d420905880321aeedb7a3fddee35b

Download Submit
C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe

Filesize
1.6MB

MD5
a6e8c610f932f52a5c17c92a5f8b567a

SHA1
cc446d8b44d148234c568329ad3fcd438edf7116

SHA256
dab5b85be15b84f7aa1e4c7bd5d045f4e2999300ad6d63970c7037010e682c60

SHA512
09e64dff2d020f049daeecdf759bdfb241a5a301f54a1cf157ea74d3a748beb754667c2bd4417f7014b82ec63a8efbbe07644dc74a68fa34946c3b21c22e0239

Download Submit
C:\dfe2e59cddd00040f555dab607351a1d\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
7b4bffd1bc20771a142bcf4060346997

SHA1
12c9c2faab8f1ebac1a7121d749b8003b0e701c8

SHA256
2f504e57ad30347839e4eaf8595073af1062963d1373c57eabdc2c6200a43b93

SHA512
a636c7f96bbae494b072f6a188103862fe1bad7fe73d120bd9fe4466885ab12031f51da0c6459fceb5cc98c3a7f7f0db6af92532ad21bb521beab2befa51c9e8

Download Submit
C:\dfe2e59cddd00040f555dab607351a1d\fontdrvhost.exe

Filesize
1.6MB

MD5
2c849c036b01b9037c22edee4bd9e544

SHA1
f963808e05d787eeec7be8d264f42c939cb465de

SHA256
1cc3a2cbd89bb35d9cd2690f5e02e6184f40c29693c4982561aee2db629b94a5

SHA512
9936045eaa0c686601c398d47bf31e298ecf83c810d92f73dbdaed6984f91201a47463f6a4507edeb4774c1b512d5cdfd942e2f8432dfd0613fee72da99969e9

Download Submit
memory/4052-12-0x000000001C350000-0x000000001C35A000-memory.dmp

Filesize
40KB

Download
memory/4052-17-0x000000001C590000-0x000000001C59C000-memory.dmp

Filesize
48KB

Download
memory/4052-224-0x00007FFE2A110000-0x00007FFE2ABD1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-1-0x0000000000EF0000-0x0000000001092000-memory.dmp

Filesize
1.6MB

Download
memory/4052-201-0x00007FFE2A113000-0x00007FFE2A115000-memory.dmp

Filesize
8KB

Download
memory/4052-4-0x000000001C380000-0x000000001C3D0000-memory.dmp

Filesize
320KB

Download
memory/4052-9-0x0000000003330000-0x0000000003338000-memory.dmp

Filesize
32KB

Download
memory/4052-10-0x000000001C330000-0x000000001C33C000-memory.dmp

Filesize
48KB

Download
memory/4052-11-0x000000001C340000-0x000000001C34C000-memory.dmp

Filesize
48KB

Download
memory/4052-16-0x000000001C690000-0x000000001C69A000-memory.dmp

Filesize
40KB

Download
memory/4052-0-0x00007FFE2A113000-0x00007FFE2A115000-memory.dmp

Filesize
8KB

Download
memory/4052-13-0x000000001C360000-0x000000001C36E000-memory.dmp

Filesize
56KB

Download
memory/4052-523-0x00007FFE2A110000-0x00007FFE2ABD1000-memory.dmp

Filesize
10.8MB

Download
memory/4052-14-0x000000001C370000-0x000000001C378000-memory.dmp

Filesize
32KB

Download
memory/4052-15-0x000000001C580000-0x000000001C588000-memory.dmp

Filesize
32KB

Download
memory/4052-8-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/4052-7-0x00000000019F0000-0x00000000019F8000-memory.dmp

Filesize
32KB

Download
memory/4052-6-0x0000000003300000-0x0000000003316000-memory.dmp

Filesize
88KB

Download
memory/4052-5-0x00000000019E0000-0x00000000019F0000-memory.dmp

Filesize
64KB

Download
memory/4052-3-0x00000000019C0000-0x00000000019DC000-memory.dmp

Filesize
112KB

Download
memory/4052-2-0x00007FFE2A110000-0x00007FFE2ABD1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-336-0x0000023785560000-0x0000023785582000-memory.dmp

Filesize
136KB

Download