dcrat | 1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
Size

1.6MB
MD5

2cd96728fb8f5bef05b7c1d14200ffa0
SHA1

9c1ba4495ad7bb48aaac4123f62528ab80485c3e
SHA256

0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310
SHA512

aa6b10a50e766cc1203e05eb63eb6299cd528e836456368d3a2aa45dcf51cea26aa1380256e93e59245b0275d3568aeb8e9968e764c6d81483e77c258ea449f9
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5228	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5404	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5372	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5568	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4532	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5628	4532	schtasks.exe	86

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral20/memory/2388-1-0x0000000000A70000-0x0000000000C12000-memory.dmp	dcrat
behavioral20/files/0x00070000000242c8-26.dat	dcrat
behavioral20/files/0x00090000000242f1-78.dat	dcrat
behavioral20/files/0x000f0000000242f2-124.dat	dcrat
behavioral20/files/0x00080000000242f5-159.dat	dcrat
behavioral20/files/0x00070000000242f6-209.dat	dcrat
behavioral20/files/0x00080000000242e6-230.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5112	powershell.exe
3564	powershell.exe
4904	powershell.exe
4308	powershell.exe
4880	powershell.exe
4592	powershell.exe
1880	powershell.exe
1160	powershell.exe
3248	powershell.exe
5268	powershell.exe
5284	powershell.exe
5668	powershell.exe
3204	powershell.exe
2016	powershell.exe
1828	powershell.exe
2768	powershell.exe
4300	powershell.exe
2456	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 15 IoCs

pid	Process
1440	dllhost.exe
1908	dllhost.exe
624	dllhost.exe
4660	dllhost.exe
4284	dllhost.exe
4588	dllhost.exe
1572	dllhost.exe
4120	dllhost.exe
1544	dllhost.exe
3936	dllhost.exe
6124	dllhost.exe
4592	dllhost.exe
396	dllhost.exe
5056	dllhost.exe
1464	dllhost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\886983d96e3d3e	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\69ddcba757bf72	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX6AD2.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX7394.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX7395.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\smss.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Program Files (x86)\Google\Update\csrss.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX6AD3.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\RCX870D.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files (x86)\Google\Update\csrss.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\smss.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\RCX878B.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\sppsvc.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Windows\uk-UA\f3b6ecef712a24	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\uk-UA\RCX6F79.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\uk-UA\spoolsv.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\es-ES\RCX899F.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Windows\System\Speech\sysmon.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Windows\SystemApps\0a1fd5f707cd16	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\SystemApps\RCX7CB5.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Windows\uk-UA\spoolsv.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Windows\SystemApps\sppsvc.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Windows\es-ES\csrss.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File created	C:\Windows\es-ES\886983d96e3d3e	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\uk-UA\RCX6F7A.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\SystemApps\RCX7C47.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\es-ES\RCX89A0.tmp	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
File opened for modification	C:\Windows\es-ES\csrss.exe	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1532	schtasks.exe
1612	schtasks.exe
5404	schtasks.exe
2408	schtasks.exe
1000	schtasks.exe
4488	schtasks.exe
4804	schtasks.exe
4676	schtasks.exe
4700	schtasks.exe
1516	schtasks.exe
3044	schtasks.exe
1452	schtasks.exe
6064	schtasks.exe
3732	schtasks.exe
4140	schtasks.exe
2932	schtasks.exe
2084	schtasks.exe
4400	schtasks.exe
1668	schtasks.exe
5628	schtasks.exe
2724	schtasks.exe
4552	schtasks.exe
1992	schtasks.exe
5228	schtasks.exe
4756	schtasks.exe
5372	schtasks.exe
5324	schtasks.exe
1756	schtasks.exe
4452	schtasks.exe
4916	schtasks.exe
1720	schtasks.exe
616	schtasks.exe
5700	schtasks.exe
3380	schtasks.exe
2684	schtasks.exe
3552	schtasks.exe
3644	schtasks.exe
1776	schtasks.exe
1316	schtasks.exe
4636	schtasks.exe
1916	schtasks.exe
4084	schtasks.exe
3956	schtasks.exe
4668	schtasks.exe
4784	schtasks.exe
972	schtasks.exe
5568	schtasks.exe
2080	schtasks.exe
2124	schtasks.exe
4076	schtasks.exe
4608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
1880	powershell.exe
1880	powershell.exe
5284	powershell.exe
5284	powershell.exe
4300	powershell.exe
4300	powershell.exe
2016	powershell.exe
2016	powershell.exe
4904	powershell.exe
4904	powershell.exe
5112	powershell.exe
5112	powershell.exe
3564	powershell.exe
3564	powershell.exe
4308	powershell.exe
4308	powershell.exe
4592	powershell.exe
4592	powershell.exe
3248	powershell.exe
3248	powershell.exe
3204	powershell.exe
3204	powershell.exe
1828	powershell.exe
1828	powershell.exe
5668	powershell.exe
5668	powershell.exe
4880	powershell.exe
4880	powershell.exe
5268	powershell.exe
5268	powershell.exe
3248	powershell.exe
2456	powershell.exe
2456	powershell.exe
1160	powershell.exe
1160	powershell.exe
2768	powershell.exe
2768	powershell.exe
1160	powershell.exe
2456	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	5284	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	5668	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	5268	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1440	dllhost.exe
Token: SeDebugPrivilege	1908	dllhost.exe
Token: SeDebugPrivilege	624	dllhost.exe
Token: SeDebugPrivilege	4660	dllhost.exe
Token: SeDebugPrivilege	4284	dllhost.exe
Token: SeDebugPrivilege	4588	dllhost.exe
Token: SeDebugPrivilege	1572	dllhost.exe
Token: SeDebugPrivilege	4120	dllhost.exe
Token: SeDebugPrivilege	1544	dllhost.exe
Token: SeDebugPrivilege	3936	dllhost.exe
Token: SeDebugPrivilege	6124	dllhost.exe
Token: SeDebugPrivilege	4592	dllhost.exe
Token: SeDebugPrivilege	396	dllhost.exe
Token: SeDebugPrivilege	5056	dllhost.exe
Token: SeDebugPrivilege	1464	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 5112	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	143
PID 2388 wrote to memory of 5112	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	143
PID 2388 wrote to memory of 3564	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	144
PID 2388 wrote to memory of 3564	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	144
PID 2388 wrote to memory of 5668	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	145
PID 2388 wrote to memory of 5668	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	145
PID 2388 wrote to memory of 1880	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	146
PID 2388 wrote to memory of 1880	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	146
PID 2388 wrote to memory of 4904	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	147
PID 2388 wrote to memory of 4904	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	147
PID 2388 wrote to memory of 1828	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	148
PID 2388 wrote to memory of 1828	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	148
PID 2388 wrote to memory of 5284	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	149
PID 2388 wrote to memory of 5284	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	149
PID 2388 wrote to memory of 4592	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	150
PID 2388 wrote to memory of 4592	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	150
PID 2388 wrote to memory of 5268	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	151
PID 2388 wrote to memory of 5268	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	151
PID 2388 wrote to memory of 2456	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	152
PID 2388 wrote to memory of 2456	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	152
PID 2388 wrote to memory of 2016	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	153
PID 2388 wrote to memory of 2016	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	153
PID 2388 wrote to memory of 3248	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	154
PID 2388 wrote to memory of 3248	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	154
PID 2388 wrote to memory of 4300	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	155
PID 2388 wrote to memory of 4300	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	155
PID 2388 wrote to memory of 4880	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	157
PID 2388 wrote to memory of 4880	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	157
PID 2388 wrote to memory of 4308	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	158
PID 2388 wrote to memory of 4308	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	158
PID 2388 wrote to memory of 1160	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	160
PID 2388 wrote to memory of 1160	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	160
PID 2388 wrote to memory of 3204	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	161
PID 2388 wrote to memory of 3204	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	161
PID 2388 wrote to memory of 2768	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	164
PID 2388 wrote to memory of 2768	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	164
PID 2388 wrote to memory of 1440	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	179
PID 2388 wrote to memory of 1440	2388	0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe	179
PID 1440 wrote to memory of 5792	1440	dllhost.exe	181
PID 1440 wrote to memory of 5792	1440	dllhost.exe	181
PID 1440 wrote to memory of 3964	1440	dllhost.exe	182
PID 1440 wrote to memory of 3964	1440	dllhost.exe	182
PID 5792 wrote to memory of 1908	5792	WScript.exe	183
PID 5792 wrote to memory of 1908	5792	WScript.exe	183
PID 1908 wrote to memory of 4064	1908	dllhost.exe	184
PID 1908 wrote to memory of 4064	1908	dllhost.exe	184
PID 1908 wrote to memory of 3624	1908	dllhost.exe	185
PID 1908 wrote to memory of 3624	1908	dllhost.exe	185
PID 4064 wrote to memory of 624	4064	WScript.exe	191
PID 4064 wrote to memory of 624	4064	WScript.exe	191
PID 624 wrote to memory of 3196	624	dllhost.exe	195
PID 624 wrote to memory of 3196	624	dllhost.exe	195
PID 624 wrote to memory of 412	624	dllhost.exe	196
PID 624 wrote to memory of 412	624	dllhost.exe	196
PID 3196 wrote to memory of 4660	3196	WScript.exe	197
PID 3196 wrote to memory of 4660	3196	WScript.exe	197
PID 4660 wrote to memory of 5936	4660	dllhost.exe	198
PID 4660 wrote to memory of 5936	4660	dllhost.exe	198
PID 4660 wrote to memory of 4980	4660	dllhost.exe	199
PID 4660 wrote to memory of 4980	4660	dllhost.exe	199
PID 5936 wrote to memory of 4284	5936	WScript.exe	200
PID 5936 wrote to memory of 4284	5936	WScript.exe	200
PID 4284 wrote to memory of 2264	4284	dllhost.exe	201
PID 4284 wrote to memory of 2264	4284	dllhost.exe	201

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe
"C:\Users\Admin\AppData\Local\Temp\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\uk-UA\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\60739cf6f660743813\dllhost.exe
  "C:\60739cf6f660743813\dllhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46650f68-17c6-45e0-a313-9c96724cf417.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5792
  - - C:\60739cf6f660743813\dllhost.exe
      C:\60739cf6f660743813\dllhost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de7a613d-0ba1-485f-a218-6c520609f323.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4939af1f-7367-4256-92f6-7b656cddbaa4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ab288ad-f2c5-4d8d-9b45-cf4299b0e5df.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5936
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70acb8bf-8d29-4f47-8017-4205f33fcc3e.vbs"
        11⤵
        
        PID:2264
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\172a6a1c-1916-4569-9024-fbdda30bbd30.vbs"
        13⤵
        
        PID:5076
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf0de2e1-7e49-4110-ad04-9b0c2dd722f3.vbs"
        15⤵
        
        PID:6128
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daa41ff6-370a-409d-8f3c-08897deaba67.vbs"
        17⤵
        
        PID:2544
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\723fdd5f-c510-40c7-b460-87a9bff7cf5d.vbs"
        19⤵
        
        PID:1768
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\285faec7-9541-4604-9902-3926ab7bba93.vbs"
        21⤵
        
        PID:4384
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5b3c178-71c6-42f7-8924-b0772099294b.vbs"
        23⤵
        
        PID:2076
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2616d44a-c053-4785-a45c-184a6b1eee07.vbs"
        25⤵
        
        PID:5040
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fe3f1f6-f286-4f6c-9df9-beb31663e13e.vbs"
        27⤵
        
        PID:5928
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9df1bfc-99cb-4ed9-be2d-0223c5cfeb47.vbs"
        29⤵
        
        PID:5744
        
        C:\60739cf6f660743813\dllhost.exe
        
        C:\60739cf6f660743813\dllhost.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20968bfb-178e-434c-bc90-15da91fcb5ff.vbs"
        31⤵
        
        PID:4624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a02ed05-1ca2-41da-8b39-f22b5ab17390.vbs"
        31⤵
        
        PID:5140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a7c485e-8dc7-4bfc-817e-fb80201078ff.vbs"
        29⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79c385df-e44c-4285-b568-6e5c3802b6c5.vbs"
        27⤵
        
        PID:968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bfff48c-7bc5-4bcf-8adc-b91bd4fdd384.vbs"
        25⤵
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2f75fd3-596a-4869-b728-888119fa947b.vbs"
        23⤵
        
        PID:3876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\add26cf8-9d68-4665-971a-e49964fe0f21.vbs"
        21⤵
        
        PID:3564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db1b7612-a47b-4a8e-84d0-5fab79d2ea8b.vbs"
        19⤵
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1871178-1125-4fb5-abf9-c351fb08ba30.vbs"
        17⤵
        
        PID:5260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b81a62f6-f89a-4565-8243-1f4589d22e9d.vbs"
        15⤵
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afb5b7f2-d623-4836-9126-6622842c57c0.vbs"
        13⤵
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8766b2c6-733b-4f96-ae3e-7a30c3bd28bb.vbs"
        11⤵
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06f41ebd-7dbe-4b02-9df3-eb0401240092.vbs"
        9⤵
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\623e9e8e-95a6-4b71-9995-fefd67f9be38.vbs"
        7⤵
        
        PID:412
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adc0447d-2bab-404a-86ec-286edc7446c3.vbs"
        5⤵
        
        PID:3624
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d5ad488-1d0f-43cb-b05e-ef4e42f97c71.vbs"
    3⤵
    PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\uk-UA\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\uk-UA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\60739cf6f660743813\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\60739cf6f660743813\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\60739cf6f660743813\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SystemApps\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\60739cf6f660743813\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\60739cf6f660743813\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad703783100" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad703783100" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\900323d723f1dd1206\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\900323d723f1dd1206\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\900323d723f1dd1206\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\900323d723f1dd1206\backgroundTaskHost.exe

Filesize
1.6MB

MD5
eaa921135190d95e2bb6437deb6b3356

SHA1
490c5daa30b88101a636a3c7f7aea58140b1ed6f

SHA256
9bff2d71ff503fd759103fa293448bd1d872fc6052166b55d33108b28fb6e100

SHA512
08ac6589a96a6cf5bf5d69751469a335e9ffa4e57aa05e8aec45f3ae7d6ad38b0340b14164ec552d4029d0b69b71627d7cb0949915adecf011f997effe8d8153

Download Submit
C:\Program Files (x86)\Windows Defender\uk-UA\smss.exe

Filesize
1.6MB

MD5
cbd8f6faaecb7e599d9ffeb7c9482abd

SHA1
68b77a2ac4b3c98217892839c07054725b71d1df

SHA256
11bfd828a10797bed49af979b11891aa75e4c0f16359db0d432567f6185c636b

SHA512
ee91a34017e01ffce14ee2a8495010216ef414b76f4cb2616d63a1e6a16077828970711995751ff35a3010f22a1da4804996b0d38a0214ae836f78ee0d0d6ebd

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe

Filesize
1.6MB

MD5
2cd96728fb8f5bef05b7c1d14200ffa0

SHA1
9c1ba4495ad7bb48aaac4123f62528ab80485c3e

SHA256
0a121eca45999b565da349e2265ccc0d446f51bb4fc2f86eccef31ad70378310

SHA512
aa6b10a50e766cc1203e05eb63eb6299cd528e836456368d3a2aa45dcf51cea26aa1380256e93e59245b0275d3568aeb8e9968e764c6d81483e77c258ea449f9

Download Submit
C:\Recovery\WindowsRE\RCX6D74.tmp

Filesize
1.6MB

MD5
8c054826270d34dc5f6d9265dd5647af

SHA1
7df5312a760cad999c036ce63feb2fc609d55cb9

SHA256
b4cf9c62b93e42cd16844fc62eddca6b72ba8766ce079773d55fbca9d52cc7df

SHA512
1515cac47d85a9e2f777297fb875af7ab08bf3242ca773855a31ffe0a87f8a6b2e50ff1e0f01bb7c5a51698c598ad33322342120c2b1ba40a7915e79cdbef069

Download Submit
C:\Recovery\WindowsRE\taskhostw.exe

Filesize
1.6MB

MD5
9de24806640e6efd74ff1b2dc6b5b153

SHA1
d37d68fb9d5cc6a5f926de2eb1817ef30b277f16

SHA256
a48646f89cf3fbbb07f8e207caf70e4ac175ae46a388ad3b2b5949168357948a

SHA512
d5bd460bc297215439306bab3bd45a03a27c85715909ebae752314faab9714918dab6fb65027699bd76a1859f22969654d0dde7dcf15f82776c5e308b4e42fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3daae9cdd018437ea3c21aba22ed09c6

SHA1
9f0127b1483e1937d5d8cccf3ae1de0cac1c4c58

SHA256
10ae5cee35e47503d6db91713d92e11babdbb6c06f309fc761dccc7d9684723a

SHA512
17b4b1aa30c7871f7325f67b1b3ab5cd6f6eaafd7e4b45e96beb7fb84f80d0c4858852dbb15c1dfa2abf3e2aa6507c85e041807a575f29fe0c5dc215b04a206a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c926b492b1d39d04f6e9656ec7f5877d

SHA1
c2cb3c49c5aa9b0616a7ddb11c9a1453855b352a

SHA256
b0beda1f817ee65a341d4792f15dbd70be363835d7ebc3af6302b771295bc907

SHA512
df815fe9c34f85a90c3692534993955ca3c6f57a317f46bd9366152993c5918cd6f376678f9957ae43317bb7f1f5ba65ae175dce8f5e9735749263214e1fe74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efd2dfedf7e67764ce4dc0c1475d5543

SHA1
be775a500ecf6c234153afad0b8ec07e56ad74fa

SHA256
662c4f869810ea7f43ce3ccbeccc5b80c443161c56a346fb9054fb1fa613a7ad

SHA512
b167fa92f6d63b18e6247445b1c532a2a229a0fc6dcd26c9d1526749f80c7ec01524b7ce497ab94a3df814f9ce4b7394d872d85555323ddcd08798d565f3211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
68bf9e6d0adb2ef3481ca14096fb649c

SHA1
16ca4ae4e06b787cb7ce84d9520fe27d09800063

SHA256
f450abac163b8b6e1390084d47356b54bfcde6c0411924907d24c727e964025e

SHA512
3dee6b307cb014ada181e92e2358f40eebfd3c7e19ee3f33ffbe7a600f4052a73a8120d64eb51639ae23d64c94ad7fc60fda740f6c7487ff8285602dd24a024c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ec1de5af22ee94e2a00a91da98957bd

SHA1
0ade5098be757a47adb6d5d0dbf576bcf41d6253

SHA256
540ab5c28d94cbbe9c9bf5334eb8dd7e203b7c4aa5c6f195f95fe64965f1ed76

SHA512
8c2242c22a8c2baa92e2ec47fd29447caa709093ed4ff6ee459f8f438c193bc0cb9f5baaf113696c63227f7a67462214236703569689f50272a6f37f5f63452b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4552709998d20ebebb7d79b1e2caba85

SHA1
a136173b2c02a5c678afbfb05d859dcf7fce5e73

SHA256
e96edbb0c4584421178d50c77bb16d7fe8b3839c357c170268dc13c00e8bb435

SHA512
53f623fa2780ceead709084e842a38f01ae921223e2bff2a97e45ad4a792c73e7370e97da4d323a5b857bf446e3295b6422ffa2dbaf68d34a65ebf6751d7d83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c63980b62b932c2336743babc337af85

SHA1
0ef001498596b702a9fd8944795d7ccb7aac5333

SHA256
59df6f476d34b7f08f279482dea01d2331665c987406de593ebcfd4bcbe73665

SHA512
71dab1d77cdefe2b22c6fd787dedf6c5296f05d450878d550ea9cd1f30fc575c6a234a1f798bb53815715f7f2d3db456358c1173f605f1eeabf41d921e94d067

Download Submit
C:\Users\Admin\AppData\Local\Temp\172a6a1c-1916-4569-9024-fbdda30bbd30.vbs

Filesize
709B

MD5
4c789132780c6ea0d10afecd4026ee74

SHA1
df04dfa7f7febb2ce161ff844a107cc0138bfe3b

SHA256
55d262ee551902fe515c12855bf8e339abb5159d1b15a67def6ef87641c4268f

SHA512
cf6dbb117e95278ad517e04c46f357345e79800f898ac0a309ba35a7e973abb155440772c084bd0906fccd15496b1c99e430f6114a5d206fb23d2b2dec6c11f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\285faec7-9541-4604-9902-3926ab7bba93.vbs

Filesize
709B

MD5
5c0eec36f73923e3d43c70925a33c0b0

SHA1
e06c375ea75889fbde7fefc03533fbaebc7d9fe3

SHA256
004e4cc826da570536638e915cf68a11053b701f69d1d3997ba143d0bd1b25fa

SHA512
f2c302beb546b01b515ea759eb1d05752871e273787922d4811c7059d137d09d05d4cbcaa86524059f110183ddd4d05e274a5899095b18d8a5959b0df90ca546

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ab288ad-f2c5-4d8d-9b45-cf4299b0e5df.vbs

Filesize
709B

MD5
924795000b3efef90f708b28c1be6ec1

SHA1
55e71599afe50ab9ce3fa36c5c94f80e072dd298

SHA256
a5bc81083b49c6d4b473bd988b826356ddf4f18b0e3b09e24fcee4fcf46a605e

SHA512
cd0f15bcbf0a9c173994df4e041c8b781b97dc4e07dfb81d95301c3dde77e9b5d79ec587c97865e25a0f8762d1831cddde9bbaa829ca4594f761f7d2c1c6709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\46650f68-17c6-45e0-a313-9c96724cf417.vbs

Filesize
709B

MD5
05d81bf32735c845f0ebca5a1b930236

SHA1
7ccdcf41e05b1dddf2896f15c8fd916f4eff9787

SHA256
77436d3b37a340a8b7ba229cd2534611445ff5f11663bea47b90ccf9a8c8bdb5

SHA512
6b3a1ee3a080baf9239a5933451eb4af2085a9ebe65fcc4523ae323a8a82dc0e93762a8c9add5a129c9b213cc485b4b9993a27587d7fd035e8c918c869c44334

Download Submit
C:\Users\Admin\AppData\Local\Temp\4939af1f-7367-4256-92f6-7b656cddbaa4.vbs

Filesize
708B

MD5
789b42d7cc6b7763141472502341cc1e

SHA1
a863d1c34c0e9a1658dc5c27d019fc02da1f96fd

SHA256
c0c671d1a36519855ff46b65eb65875067d494e52c02a82f6e167857fb6a1849

SHA512
7b4e2fd79a72c74c6b26755c75d97a7f5b1c08c19a50541a8d59aa892fe5c46b9f58cf94d5ab54e7f266ede7c9e889fd8f6164b7a2b0ab9d8261f7178ed5cdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d5ad488-1d0f-43cb-b05e-ef4e42f97c71.vbs

Filesize
485B

MD5
b8f646229e7dcc1ef3afd690586a6217

SHA1
ce3de360bb7c9f49d03f0d7d51283312d0fb89ec

SHA256
f40753707a6a809cf89dbf055c3dd7089e93786763004c3a3fc30464260dbc27

SHA512
def66ae6fe256d17d151b1dbb56b7d268353a1c64a954f57ca4795c9eaedcae156e6a6f286005b4839eb6e5a1bdc73e646b4ba2aad32603fb47cd3fe20faf385

Download Submit
C:\Users\Admin\AppData\Local\Temp\70acb8bf-8d29-4f47-8017-4205f33fcc3e.vbs

Filesize
709B

MD5
2bec87b18c4e32cf6e9f00c81d525a84

SHA1
8af6c4c4838db51efcc1c61245d581f420b7f785

SHA256
8f68d408cf0ff90caeed9d6884bc632d65f581ed059db693bd8709c76c8e8ff0

SHA512
a488d3805f6e7b11923145cefc594603f37c96333d1e87119d0a0498703b7eb32f02152c7e6eecc3d1e31ea95dd761f317e2c629fec3f96537e8293916b2160b

Download Submit
C:\Users\Admin\AppData\Local\Temp\723fdd5f-c510-40c7-b460-87a9bff7cf5d.vbs

Filesize
709B

MD5
50103618ff4782a9ce8639be47c069c3

SHA1
204a740ef42e238211552b32477be2beae38b931

SHA256
6a1b9cd6781fc27e6f1d44b824d7f261da7e88d6dd5d1f643465a11126a14051

SHA512
78cf6063311f142781753dd08d9b957c1712490fedefb3b30ba3edc4bfec74cd511cf04c6e877abae56bc1210227d7e341ac795fff1518af8484705afad04d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_excf3evu.uw1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5b3c178-71c6-42f7-8924-b0772099294b.vbs

Filesize
709B

MD5
225dc428b4bcf4f867a1e2dbe40ea293

SHA1
7f4a513753aca8cf7ca95ded6c39169ba8b69138

SHA256
631ef4efb9d56eecc89196af574cf326da15d6d391bd43991b2b741cfc82e61f

SHA512
04468d0bfbd2f3d2c15c82b79234d4c34feeba02a1dc1a486e3630dd52f659a260e1c370dfb5c75d828f2992a4bea80e6eb6274a44895f9aab014d7bab4966fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf0de2e1-7e49-4110-ad04-9b0c2dd722f3.vbs

Filesize
709B

MD5
5027911fd81d61af368912d71e38f013

SHA1
6aa99ab4a4bdd690145c66989a2fb930c51f1f33

SHA256
c7357c39a1de3ab1c2519f3bdc1403f8d454705b0faca18ca7c15a6c491e35b3

SHA512
24b5d6bbfdeda6e5d609dc0d18f1f05e962d6143da797e4e239abe14990d9ae1e30f73c408104312d9f3a45af1e2790dce1550f9c74b4d61164be0f79c7ffd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\daa41ff6-370a-409d-8f3c-08897deaba67.vbs

Filesize
709B

MD5
f64a87344679eb4cf3249e15c1127bf5

SHA1
2b86004dae35dd446a57c935c0f14dabfddc74b0

SHA256
2687ae942163f6dd971b6549a2401314677d877322859166f25e52db9f3f7334

SHA512
00f1f82f64e1d0306bcf5b156440b4539b05599b3cd489157a95bdbe80a02976e8e2d1a105ae1e820f428134b9527c115752fea14795eb91796b662c68c9286e

Download Submit
C:\Users\Admin\AppData\Local\Temp\de7a613d-0ba1-485f-a218-6c520609f323.vbs

Filesize
709B

MD5
bbb34ebc88ed8590ba7f51d86b3e14da

SHA1
4828dd72733ee44f5dba65ea00dad607db943130

SHA256
b547a86c4d2528ff4a88928a39af6e36f4d27a4fb48b45b284706f6ec35c06c0

SHA512
f9021868d31655aac27283b9491d54b410a12e684d54513bf3c5c9eb65962cfcbcced1a67522d0d23749d2a6218d8872472a79b2ca2f1b932de28254bd8b566c

Download Submit
C:\Windows\SystemApps\sppsvc.exe

Filesize
1.6MB

MD5
6983ad3106321abe74ca8f4f2d0c34f0

SHA1
8d1130bc023e00832028afda6d69eb954e87d6f2

SHA256
e36deeefdd6ee59dd499d2d9b7333e2100a5b31950caccabb1a2435ec8be892d

SHA512
509a65ad7368ac2ce3cbe828f7bebb0a9ab7432fc85aee3a171a131756c365bb7ab2780fc51270f703a7baed1645c75fc0c89b5659b68c90c344df65dd57101c

Download Submit
memory/1544-585-0x000000001BB10000-0x000000001BC12000-memory.dmp

Filesize
1.0MB

Download
memory/1572-561-0x000000001C210000-0x000000001C312000-memory.dmp

Filesize
1.0MB

Download
memory/2388-16-0x000000001BA40000-0x000000001BA4A000-memory.dmp

Filesize
40KB

Download
memory/2388-11-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

Filesize
48KB

Download
memory/2388-1-0x0000000000A70000-0x0000000000C12000-memory.dmp

Filesize
1.6MB

Download
memory/2388-212-0x00007FFAEDE30000-0x00007FFAEE8F1000-memory.dmp

Filesize
10.8MB

Download
memory/2388-188-0x00007FFAEDE33000-0x00007FFAEDE35000-memory.dmp

Filesize
8KB

Download
memory/2388-17-0x000000001C110000-0x000000001C11C000-memory.dmp

Filesize
48KB

Download
memory/2388-15-0x000000001BA30000-0x000000001BA38000-memory.dmp

Filesize
32KB

Download
memory/2388-13-0x000000001B8B0000-0x000000001B8BE000-memory.dmp

Filesize
56KB

Download
memory/2388-0-0x00007FFAEDE33000-0x00007FFAEDE35000-memory.dmp

Filesize
8KB

Download
memory/2388-14-0x000000001BA20000-0x000000001BA28000-memory.dmp

Filesize
32KB

Download
memory/2388-12-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/2388-446-0x00007FFAEDE30000-0x00007FFAEE8F1000-memory.dmp

Filesize
10.8MB

Download
memory/2388-10-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

Filesize
48KB

Download
memory/2388-9-0x0000000002E90000-0x0000000002E98000-memory.dmp

Filesize
32KB

Download
memory/2388-8-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/2388-6-0x00000000014A0000-0x00000000014B6000-memory.dmp

Filesize
88KB

Download
memory/2388-7-0x00000000014C0000-0x00000000014C8000-memory.dmp

Filesize
32KB

Download
memory/2388-4-0x000000001B9D0000-0x000000001BA20000-memory.dmp

Filesize
320KB

Download
memory/2388-2-0x00007FFAEDE30000-0x00007FFAEE8F1000-memory.dmp

Filesize
10.8MB

Download
memory/2388-5-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/2388-3-0x0000000001470000-0x000000000148C000-memory.dmp

Filesize
112KB

Download
memory/3936-597-0x000000001C690000-0x000000001C792000-memory.dmp

Filesize
1.0MB

Download
memory/4120-573-0x000000001C100000-0x000000001C202000-memory.dmp

Filesize
1.0MB

Download
memory/4904-286-0x0000018E585B0000-0x0000018E585D2000-memory.dmp

Filesize
136KB

Download