dcrat | e5d28ec84e4b5f023e3f386cf7e0776850b67e2bad1299413885f3fdd757f58c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Size

5.9MB
MD5

1e36a4648b29e6f1e182d0db0c45a3be
SHA1

934d5fe30ed8233d77098f1214d07b0d009e5371
SHA256

e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7
SHA512

ec6ddc3da4d504bac611d61d0e294f74e1092ce0d6afc1e56641ec99b44237af1fcbce374b39eb1b8aaf9e57de5997bd6917b38e1a5cf5c34f44e93e089061b2
SSDEEP

98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4H:RyeU11Rvqmu8TWKnF6N/1wK

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4568	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	4568	schtasks.exe	91

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3092	powershell.exe
4500	powershell.exe
4584	powershell.exe
3964	powershell.exe
5068	powershell.exe
1036	powershell.exe
4900	powershell.exe
920	powershell.exe
1692	powershell.exe
1636	powershell.exe
4856	powershell.exe
4844	powershell.exe
1772	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Registry.exe

Executes dropped EXE 3 IoCs

pid	Process
5392	Registry.exe
2944	Registry.exe
2320	Registry.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
5392	Registry.exe
5392	Registry.exe
2944	Registry.exe
2944	Registry.exe
2320	Registry.exe
2320	Registry.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\WaaSMedicAgent.exe	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\66fc9ff0ee96c2	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX88FC.tmp	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX890D.tmp	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX9966.tmp	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File created	C:\Program Files (x86)\Windows Mail\121e5b5079f7c0	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File created	C:\Program Files (x86)\Google\Update\c82b8037eab33d	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX9976.tmp	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\WaaSMedicAgent.exe	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File created	C:\Program Files (x86)\Windows Mail\sysmon.exe	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\sysmon.exe	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX9B8B.tmp	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX9C09.tmp	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\tracing\csrss.exe	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File created	C:\Windows\tracing\886983d96e3d3e	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Windows\tracing\RCXA2F3.tmp	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Windows\tracing\RCXA371.tmp	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
File opened for modification	C:\Windows\tracing\csrss.exe	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	Registry.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4016	schtasks.exe
4000	schtasks.exe
2720	schtasks.exe
3688	schtasks.exe
4992	schtasks.exe
2588	schtasks.exe
4308	schtasks.exe
2328	schtasks.exe
4836	schtasks.exe
4504	schtasks.exe
3716	schtasks.exe
2272	schtasks.exe
3676	schtasks.exe
2852	schtasks.exe
4020	schtasks.exe
4780	schtasks.exe
3836	schtasks.exe
2836	schtasks.exe
4088	schtasks.exe
1776	schtasks.exe
208	schtasks.exe
3044	schtasks.exe
3292	schtasks.exe
2460	schtasks.exe
4124	schtasks.exe
4960	schtasks.exe
4424	schtasks.exe
3488	schtasks.exe
3380	schtasks.exe
3932	schtasks.exe
4432	schtasks.exe
4720	schtasks.exe
2888	schtasks.exe
4784	schtasks.exe
3632	schtasks.exe
2832	schtasks.exe
1784	schtasks.exe
4728	schtasks.exe
4276	schtasks.exe
5020	schtasks.exe
2944	schtasks.exe
4564	schtasks.exe
2232	schtasks.exe
3288	schtasks.exe
3744	schtasks.exe
32	schtasks.exe
3244	schtasks.exe
4660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
1036	powershell.exe
1036	powershell.exe
3092	powershell.exe
3092	powershell.exe
4500	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	5392	Registry.exe
Token: SeDebugPrivilege	2944	Registry.exe
Token: SeDebugPrivilege	2320	Registry.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1692	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	144
PID 4920 wrote to memory of 1692	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	144
PID 4920 wrote to memory of 3092	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	145
PID 4920 wrote to memory of 3092	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	145
PID 4920 wrote to memory of 1636	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	146
PID 4920 wrote to memory of 1636	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	146
PID 4920 wrote to memory of 4856	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	147
PID 4920 wrote to memory of 4856	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	147
PID 4920 wrote to memory of 4500	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	148
PID 4920 wrote to memory of 4500	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	148
PID 4920 wrote to memory of 4844	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	149
PID 4920 wrote to memory of 4844	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	149
PID 4920 wrote to memory of 4584	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	150
PID 4920 wrote to memory of 4584	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	150
PID 4920 wrote to memory of 1772	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	151
PID 4920 wrote to memory of 1772	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	151
PID 4920 wrote to memory of 3964	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	152
PID 4920 wrote to memory of 3964	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	152
PID 4920 wrote to memory of 5068	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	153
PID 4920 wrote to memory of 5068	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	153
PID 4920 wrote to memory of 1036	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	154
PID 4920 wrote to memory of 1036	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	154
PID 4920 wrote to memory of 4900	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	155
PID 4920 wrote to memory of 4900	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	155
PID 4920 wrote to memory of 920	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	156
PID 4920 wrote to memory of 920	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	156
PID 4920 wrote to memory of 4972	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	170
PID 4920 wrote to memory of 4972	4920	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe	170
PID 4972 wrote to memory of 220	4972	cmd.exe	172
PID 4972 wrote to memory of 220	4972	cmd.exe	172
PID 4972 wrote to memory of 5392	4972	cmd.exe	173
PID 4972 wrote to memory of 5392	4972	cmd.exe	173
PID 5392 wrote to memory of 5604	5392	Registry.exe	174
PID 5392 wrote to memory of 5604	5392	Registry.exe	174
PID 5392 wrote to memory of 5660	5392	Registry.exe	175
PID 5392 wrote to memory of 5660	5392	Registry.exe	175
PID 5604 wrote to memory of 2944	5604	WScript.exe	185
PID 5604 wrote to memory of 2944	5604	WScript.exe	185
PID 2944 wrote to memory of 2232	2944	Registry.exe	187
PID 2944 wrote to memory of 2232	2944	Registry.exe	187
PID 2944 wrote to memory of 3556	2944	Registry.exe	188
PID 2944 wrote to memory of 3556	2944	Registry.exe	188
PID 2232 wrote to memory of 2320	2232	WScript.exe	189
PID 2232 wrote to memory of 2320	2232	WScript.exe	189
PID 2320 wrote to memory of 3744	2320	Registry.exe	190
PID 2320 wrote to memory of 3744	2320	Registry.exe	190
PID 2320 wrote to memory of 5460	2320	Registry.exe	191
PID 2320 wrote to memory of 5460	2320	Registry.exe	191

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
"C:\Users\Admin\AppData\Local\Temp\e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d9c22b4eaa3c0b9c12c7/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/dfe2e59cddd00040f555dab607351a1d/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YWzkvzDego.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:220
- - C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe
    "C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5392
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b88b1fd-0d44-460d-9454-7ecfa80eb4fd.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5604
    - - C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2944
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0282dfa-8769-459e-bcb4-d02f78f71d2a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\884730d1-6818-48b3-a378-0bfee62e1acd.vbs"
        8⤵
        
        PID:3744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb006a08-09f2-41b7-b07c-4eda1bc74cf6.vbs"
        8⤵
        
        PID:5460
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aae476f4-0202-4917-82ef-3d75bedfd496.vbs"
        6⤵
        
        PID:3556
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fea3be37-72a2-4b12-bb63-291c1f350f1b.vbs"
      4⤵
      PID:5660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\d9c22b4eaa3c0b9c12c7\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\d9c22b4eaa3c0b9c12c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe

Filesize
5.9MB

MD5
004cd3c176aa701893c33196a14d6ec4

SHA1
dfe289675ea25ac7a2f4a2813395c80c19776b76

SHA256
d935ae3c19f4226f6b6340abbf26f2161b8426fb867d69ba0a2296f577f64d00

SHA512
0899d850f12e36fb8870374a29888535df69d218aee10328a673f1d370be3c2a7edeeafbfd4ce965614443d878db6c075d2ddd81b098ca2566342bb96067b8da

Download Submit
C:\Recovery\WindowsRE\Idle.exe

Filesize
5.9MB

MD5
56753dab1b531190e148e201db75c323

SHA1
c99012201f3460f26706b5f063bf683b7bdaa786

SHA256
9bda0e6ba071099f974e05e993f52f365dbf4a6998dce679cb4e1f41124a4440

SHA512
952480add0638bd5f029b24f4a0e090424c9a47de186817f40ca6d674b58f00a11a148434bf16d575b24ef2447fc612341c386bfe8d6eb60de7695f7ab0060ed

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
5.9MB

MD5
1e36a4648b29e6f1e182d0db0c45a3be

SHA1
934d5fe30ed8233d77098f1214d07b0d009e5371

SHA256
e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7

SHA512
ec6ddc3da4d504bac611d61d0e294f74e1092ce0d6afc1e56641ec99b44237af1fcbce374b39eb1b8aaf9e57de5997bd6917b38e1a5cf5c34f44e93e089061b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a16aff60eb3c3e35753a259b050c8a27

SHA1
85196d5dfb23d0c8b32b186325e2d58315a11287

SHA256
a057f85fa5358fac25f1337c1fbabeffb1ca1908b352208038293ec575dfc206

SHA512
13e6514cddaafba8f4fe3b08f6d6e118823ad454aac4efcb71a82438de50f97cd9570f44d594db27e4c534912a12ed066ea098b95505a6994f854f8349f2f5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae19674c4dd6a419a8ce8bc65e65167

SHA1
8b3f7e010483412b803e756c850fecd29cf9fb8a

SHA256
f4a34d2ff32e49df841e87405dab2661bcae83c20ee781a13fbe73924fd672cd

SHA512
9865dd43b4494081bb625844fcedb56dfc335b5f2cadd5c4094f0848df07ab5fa40faeb3adbbb91e1355ed436dfbf44ff4ae9ad39cdbd5fbfdef4d1813f3ee74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47d9df7fab0d0c96afdd2ca49f2b5030

SHA1
92583883bcf376062ddef5db2333f066d8d36612

SHA256
0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02

SHA512
1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2cb0c163f92e343cbfa657ce4d842fb6

SHA1
0299696d7430f09f9e3d32aa5b95f01363b405f5

SHA256
c604c709aa50f7f59c87b4420713c8563bc5b80d9bce8f812d26e0a7c25d13f7

SHA512
780353a0fa086a96d6b186a4f38160b0521e972ccfa18803db64ecd2ef6d3c1c69ea4dba0b557f1cf7c1ff6ab8720e447e827c92549b6aea5a0ecacd0494b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c87ff349c47ae6e678ea72feb4bb181

SHA1
0668dc890d29354fbb86cfaeae5363d9f2c1fdc8

SHA256
68decb0f61e56ef1ad4a9c69e0c496ac30ead7bdb15ae2830a01a21cb4c243fc

SHA512
32a9a76ddc1de0612c74ce170e86e716fde003306c202c68573ce4dcbb58e2ff59b7bdff77e4c259c869f4443e2c6aa023d1fcae6857ea36e4bf8a3110b58fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c8c0f32a25907ba471d7a5a5e9bd8d2e

SHA1
cf86348f63f811d8d3ef71fb61899af30237ae60

SHA256
e2d32ca6ad18455b709d32f0cfd431b01a096d584016d861e182fa2e24d16122

SHA512
721060ed71e5d8f7a0c9780da5032f7433f2db60ccf166524c61ee67ebe587189a5101d24c3ae18a077e59463f140adc6564ccdc34480cd0f8addd2614c3661f

Download Submit
C:\Users\Admin\AppData\Local\Temp\884730d1-6818-48b3-a378-0bfee62e1acd.vbs

Filesize
724B

MD5
9307c32da80f2f4945a735410985f4fe

SHA1
03fa64b8750f36bbca8f24070bcd74c41f813b57

SHA256
aa71ce659b19155b63194b9e20096b4773d107593f87ff03a67968f8367d8654

SHA512
a47403497035a683b77220a023cd7d5d8d4b9916cf6516e37b35d3f1861c29ad7804b1714da76c8c3129a4b8223f32d23069be9f1e19763c5404dca33e963ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b88b1fd-0d44-460d-9454-7ecfa80eb4fd.vbs

Filesize
724B

MD5
63ed1a2909d7d4d7c19159b5fa52263b

SHA1
0e7e37f8fd97281a9a775ecdc0d3abf781f238e0

SHA256
f7d1a1f3c422ce0e5095de7a28cce0575bee28eff09d15facd851f1ebd62a42e

SHA512
4a2c9ca8239c315a06d59f0d5acde19112e28f8bdd81111e18a9a831191d0181cdc748267cc670c54b64cf4a457a5ef409a9c4c186fce91989894b2b12f27d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\YWzkvzDego.bat

Filesize
213B

MD5
8a4e32c2d73437ca81dbfc318ffaecdc

SHA1
967cb5457339f475b5874e250ba3e657b238f00c

SHA256
01a5a57377e6aa99ebc3efc22e7ce0cca893ffc61d06075f1b1bf55185af49ab

SHA512
3bfd803ddb97136967326a4e63947c060d7ba3d9b05f5c2fce7933d4eb8d4c796ebb4bfb726677dab82f6b15d13b4f1797aa4122f41f12637422b02c577ea841

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nynjesmd.5iw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0282dfa-8769-459e-bcb4-d02f78f71d2a.vbs

Filesize
724B

MD5
16459157ce2e4b2724c714b5a38fa1be

SHA1
7f89eece1cc48ed64c188902fe0d5b10ab54fd1f

SHA256
155207d79fc8c6bf8d2d647ae8dab124a41ae26b9963af0b97b6dfd38993ca20

SHA512
3a8b392d92865155292016885d807235e3e353c98b232e1994804a79c838fad9bcf8c6a62cd0c622899dbbd3a0c6c3e584c2c8813ee6177b198ee7d62601cbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fea3be37-72a2-4b12-bb63-291c1f350f1b.vbs

Filesize
500B

MD5
6718412c3f8782485f5237ff0f17a3d1

SHA1
83c687431a06a7b4a30b2d104f34f505fe0764f4

SHA256
5c4108a253427c594b07528ef2fad51443d785552067304e424341e412aa1359

SHA512
a2959d77431bb7d12aada218c4ab6177e2f91e1da971b2c929027f41652d1445f5ecc96154eff28163f8bfd672491c3dac8b95dc6c1ec0aff7ca9d0f2a92e7c6

Download Submit
C:\Windows\tracing\csrss.exe

Filesize
5.9MB

MD5
77c18859b13f93c439cb0a4dfb015eba

SHA1
e3c6a86f7582436e5b246ab7f18920bc9e641711

SHA256
71831cc0eb93ff7422f23b60755e9b3c2e4078dc71ade0e472506565da4da880

SHA512
38e8ae7c6d42f395c19145a6d8f910ae2f5b8b01f2ab50c969b4dc9c85dc75ffe140af39d4231082acf808138a6cbbf6b9676c076c363265d058cd1bd05ffe73

Download Submit
C:\d9c22b4eaa3c0b9c12c7\spoolsv.exe

Filesize
5.9MB

MD5
1314b1d768af058bbd26eb7d34998b35

SHA1
a20b32d85e772b07b5af026a1e4cd1357aa4d281

SHA256
78d5f8b4c5b56595cdfb22392e585eac7824aee059175fb840786ead1d03d5a8

SHA512
b2c42c9d628075971fd5cd2fe4f6dca4449ed79af16f6a84c0cb713ee022bc36b138aa17015f6ad896ddcbaaa4fd4f675bd25d98d5159ffffa48e787afcd8ba8

Download Submit
memory/2320-446-0x000000001BAA0000-0x000000001BAB2000-memory.dmp

Filesize
72KB

Download
memory/2944-433-0x000000001BDE0000-0x000000001BDF2000-memory.dmp

Filesize
72KB

Download
memory/3092-281-0x000001F9792A0000-0x000001F9792C2000-memory.dmp

Filesize
136KB

Download
memory/4920-16-0x000000001DD40000-0x000000001DD50000-memory.dmp

Filesize
64KB

Download
memory/4920-21-0x000000001DDE0000-0x000000001DDEC000-memory.dmp

Filesize
48KB

Download
memory/4920-27-0x000000001DE40000-0x000000001DE4C000-memory.dmp

Filesize
48KB

Download
memory/4920-28-0x000000001DE50000-0x000000001DE58000-memory.dmp

Filesize
32KB

Download
memory/4920-29-0x000000001DE60000-0x000000001DE6C000-memory.dmp

Filesize
48KB

Download
memory/4920-26-0x000000001DE30000-0x000000001DE3C000-memory.dmp

Filesize
48KB

Download
memory/4920-32-0x000000001DF90000-0x000000001DF9C000-memory.dmp

Filesize
48KB

Download
memory/4920-30-0x000000001DE70000-0x000000001DE7C000-memory.dmp

Filesize
48KB

Download
memory/4920-34-0x000000001E0B0000-0x000000001E0BE000-memory.dmp

Filesize
56KB

Download
memory/4920-36-0x000000001E0D0000-0x000000001E0DE000-memory.dmp

Filesize
56KB

Download
memory/4920-40-0x000000001C890000-0x000000001C89A000-memory.dmp

Filesize
40KB

Download
memory/4920-38-0x000000001E0F0000-0x000000001E0FC000-memory.dmp

Filesize
48KB

Download
memory/4920-37-0x000000001E0E0000-0x000000001E0E8000-memory.dmp

Filesize
32KB

Download
memory/4920-35-0x000000001E0C0000-0x000000001E0C8000-memory.dmp

Filesize
32KB

Download
memory/4920-33-0x000000001DFA0000-0x000000001DFAA000-memory.dmp

Filesize
40KB

Download
memory/4920-31-0x000000001DF80000-0x000000001DF88000-memory.dmp

Filesize
32KB

Download
memory/4920-39-0x000000001C880000-0x000000001C888000-memory.dmp

Filesize
32KB

Download
memory/4920-41-0x000000001C8A0000-0x000000001C8AC000-memory.dmp

Filesize
48KB

Download
memory/4920-24-0x000000001DE00000-0x000000001DE12000-memory.dmp

Filesize
72KB

Download
memory/4920-20-0x000000001DDD0000-0x000000001DDD8000-memory.dmp

Filesize
32KB

Download
memory/4920-173-0x00007FFC06653000-0x00007FFC06655000-memory.dmp

Filesize
8KB

Download
memory/4920-25-0x000000001E360000-0x000000001E888000-memory.dmp

Filesize
5.2MB

Download
memory/4920-220-0x00007FFC06650000-0x00007FFC07111000-memory.dmp

Filesize
10.8MB

Download
memory/4920-22-0x000000001DDF0000-0x000000001DDF8000-memory.dmp

Filesize
32KB

Download
memory/4920-19-0x000000001DDC0000-0x000000001DDCC000-memory.dmp

Filesize
48KB

Download
memory/4920-271-0x00007FFC06650000-0x00007FFC07111000-memory.dmp

Filesize
10.8MB

Download
memory/4920-18-0x000000001DD70000-0x000000001DDC6000-memory.dmp

Filesize
344KB

Download
memory/4920-17-0x000000001DD60000-0x000000001DD6A000-memory.dmp

Filesize
40KB

Download
memory/4920-0-0x00007FFC06653000-0x00007FFC06655000-memory.dmp

Filesize
8KB

Download
memory/4920-15-0x000000001DD30000-0x000000001DD38000-memory.dmp

Filesize
32KB

Download
memory/4920-14-0x000000001DD50000-0x000000001DD5C000-memory.dmp

Filesize
48KB

Download
memory/4920-8-0x000000001DBE0000-0x000000001DC30000-memory.dmp

Filesize
320KB

Download
memory/4920-9-0x000000001C360000-0x000000001C368000-memory.dmp

Filesize
32KB

Download
memory/4920-13-0x000000001DBD0000-0x000000001DBE2000-memory.dmp

Filesize
72KB

Download
memory/4920-11-0x000000001DBA0000-0x000000001DBB6000-memory.dmp

Filesize
88KB

Download
memory/4920-12-0x000000001DBC0000-0x000000001DBC8000-memory.dmp

Filesize
32KB

Download
memory/4920-10-0x000000001DB90000-0x000000001DBA0000-memory.dmp

Filesize
64KB

Download
memory/4920-6-0x000000001C2F0000-0x000000001C2F8000-memory.dmp

Filesize
32KB

Download
memory/4920-7-0x000000001DB70000-0x000000001DB8C000-memory.dmp

Filesize
112KB

Download
memory/4920-5-0x0000000003800000-0x000000000380E000-memory.dmp

Filesize
56KB

Download
memory/4920-4-0x00000000037F0000-0x00000000037FE000-memory.dmp

Filesize
56KB

Download
memory/4920-3-0x00007FFC06650000-0x00007FFC07111000-memory.dmp

Filesize
10.8MB

Download
memory/4920-2-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/4920-1-0x0000000000E70000-0x0000000001768000-memory.dmp

Filesize
9.0MB

Download