dcrat | 6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f

Analysis

max time kernel
128s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Size

5.9MB
MD5

5d8505501b7faa4c7e541b0a32467a58
SHA1

ed0b9de10c38774af49d9279e25a8958817f33a7
SHA256

1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca
SHA512

a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9
SSDEEP

98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw44:xyeU11Rvqmu8TWKnF6N/1wt

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5592	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5976	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5476	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4436	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4436	schtasks.exe	88

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3836	powershell.exe
5684	powershell.exe
316	powershell.exe
2128	powershell.exe
1772	powershell.exe
3796	powershell.exe
4780	powershell.exe
3184	powershell.exe
2368	powershell.exe
400	powershell.exe
3488	powershell.exe
5208	powershell.exe
5596	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 4 IoCs

pid	Process
636	sppsvc.exe
1564	sppsvc.exe
1608	sppsvc.exe
6128	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
636	sppsvc.exe
636	sppsvc.exe
1564	sppsvc.exe
1564	sppsvc.exe
1608	sppsvc.exe
1608	sppsvc.exe
6128	sppsvc.exe
6128	sppsvc.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\it-IT\0a1fd5f707cd16	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\9e8d7a4ca61bd9	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCX9359.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX988D.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA5B7.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXB1B7.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files\Windows Media Player\it-IT\sppsvc.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA7CB.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXB1C7.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\b8efadc0803b95	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXA305.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\sppsvc.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\7a0fd90576e088	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ea1d8f6d871115	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA849.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCX9369.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXA315.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA5A6.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX989D.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LiveKernelReports\RuntimeBroker.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Windows\LiveKernelReports\RuntimeBroker.exe	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File created	C:\Windows\LiveKernelReports\9e8d7a4ca61bd9	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXA072.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXA073.tmp	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
748	schtasks.exe
3572	schtasks.exe
2116	schtasks.exe
848	schtasks.exe
4552	schtasks.exe
2324	schtasks.exe
4540	schtasks.exe
4764	schtasks.exe
5100	schtasks.exe
1228	schtasks.exe
3648	schtasks.exe
940	schtasks.exe
3052	schtasks.exe
4760	schtasks.exe
4596	schtasks.exe
4528	schtasks.exe
2052	schtasks.exe
3640	schtasks.exe
4604	schtasks.exe
5476	schtasks.exe
3888	schtasks.exe
5592	schtasks.exe
2124	schtasks.exe
4896	schtasks.exe
4832	schtasks.exe
2548	schtasks.exe
5976	schtasks.exe
4532	schtasks.exe
4684	schtasks.exe
3476	schtasks.exe
1608	schtasks.exe
1468	schtasks.exe
1960	schtasks.exe
384	schtasks.exe
3920	schtasks.exe
432	schtasks.exe
4752	schtasks.exe
3644	schtasks.exe
5560	schtasks.exe
5108	schtasks.exe
3884	schtasks.exe
4420	schtasks.exe
4428	schtasks.exe
4380	schtasks.exe
1096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	5684	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	5596	powershell.exe
Token: SeDebugPrivilege	5208	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	636	sppsvc.exe
Token: SeDebugPrivilege	1564	sppsvc.exe
Token: SeDebugPrivilege	1608	sppsvc.exe
Token: SeDebugPrivilege	6128	sppsvc.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 5684	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	139
PID 1848 wrote to memory of 5684	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	139
PID 1848 wrote to memory of 3836	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	140
PID 1848 wrote to memory of 3836	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	140
PID 1848 wrote to memory of 5596	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	141
PID 1848 wrote to memory of 5596	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	141
PID 1848 wrote to memory of 3184	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	143
PID 1848 wrote to memory of 3184	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	143
PID 1848 wrote to memory of 5208	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	144
PID 1848 wrote to memory of 5208	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	144
PID 1848 wrote to memory of 3488	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	145
PID 1848 wrote to memory of 3488	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	145
PID 1848 wrote to memory of 4780	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	146
PID 1848 wrote to memory of 4780	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	146
PID 1848 wrote to memory of 3796	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	148
PID 1848 wrote to memory of 3796	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	148
PID 1848 wrote to memory of 1772	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	149
PID 1848 wrote to memory of 1772	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	149
PID 1848 wrote to memory of 400	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	150
PID 1848 wrote to memory of 400	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	150
PID 1848 wrote to memory of 2368	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	151
PID 1848 wrote to memory of 2368	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	151
PID 1848 wrote to memory of 2128	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	152
PID 1848 wrote to memory of 2128	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	152
PID 1848 wrote to memory of 316	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	154
PID 1848 wrote to memory of 316	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	154
PID 1848 wrote to memory of 636	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	165
PID 1848 wrote to memory of 636	1848	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe	165
PID 636 wrote to memory of 5028	636	sppsvc.exe	167
PID 636 wrote to memory of 5028	636	sppsvc.exe	167
PID 636 wrote to memory of 776	636	sppsvc.exe	168
PID 636 wrote to memory of 776	636	sppsvc.exe	168
PID 5028 wrote to memory of 1564	5028	WScript.exe	169
PID 5028 wrote to memory of 1564	5028	WScript.exe	169
PID 1564 wrote to memory of 2504	1564	sppsvc.exe	171
PID 1564 wrote to memory of 2504	1564	sppsvc.exe	171
PID 1564 wrote to memory of 1848	1564	sppsvc.exe	172
PID 1564 wrote to memory of 1848	1564	sppsvc.exe	172
PID 2504 wrote to memory of 1608	2504	WScript.exe	173
PID 2504 wrote to memory of 1608	2504	WScript.exe	173
PID 1608 wrote to memory of 5396	1608	sppsvc.exe	174
PID 1608 wrote to memory of 5396	1608	sppsvc.exe	174
PID 1608 wrote to memory of 1788	1608	sppsvc.exe	175
PID 1608 wrote to memory of 1788	1608	sppsvc.exe	175
PID 5396 wrote to memory of 6128	5396	WScript.exe	182
PID 5396 wrote to memory of 6128	5396	WScript.exe	182
PID 6128 wrote to memory of 4916	6128	sppsvc.exe	183
PID 6128 wrote to memory of 4916	6128	sppsvc.exe	183
PID 6128 wrote to memory of 1188	6128	sppsvc.exe	184
PID 6128 wrote to memory of 1188	6128	sppsvc.exe	184

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe
"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4d7dcf6448637544ea7e961be1ad/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4fc20efa2b2ad5aa4b35f8fcca90f7df/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
  "C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:636
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e920aaf-2d28-4db8-8c57-20b01a64ccd1.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
      "C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1564
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8a4abf-acc7-4fd4-9897-c468b0519d40.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
        
        "C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73264ea4-08f2-4f30-981c-2a72705d32c6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5396
        
        C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
        
        "C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:6128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d288c75-a642-4201-bac7-d8299702582b.vbs"
        9⤵
        
        PID:4916
        
        C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
        
        "C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
        10⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a265beb2-ff6d-4517-8be1-d0689a132954.vbs"
        9⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bb12026-5f72-4af6-8d4d-edc895fd7efe.vbs"
        7⤵
        
        PID:1788
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29f02882-59c6-4905-9be8-1a5fbbfa042c.vbs"
        5⤵
        
        PID:1848
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f05bf25-4175-4d9d-a0bc-6d7df99ed6db.vbs"
    3⤵
    PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe

Filesize
5.9MB

MD5
2510e74d6604e16f5eb602abbe3ec2f3

SHA1
85322b8268e420cf92511c74c4cda6c30a49cc5c

SHA256
10040b110aee3f822ebe61d6438dd44e31ee928e3a04d5cc7247c4cfbdd08f07

SHA512
1c1583940210f54fbe05b4d33f9519fadd47200bec775cec88a9e04af4d692a061be7bb9b2a6f02c8a914bfa68a3c080958a1ba31b0045fdac0ab69ccf1dc5a7

Download Submit
C:\4d7dcf6448637544ea7e961be1ad\upfc.exe

Filesize
5.9MB

MD5
518e21ada29ef9b6dcfa8710b76ef169

SHA1
613c59e1ed18c8a50df59a5d7496cc74b3a36d2f

SHA256
2525437093b8cea2cf0081eb98d9286dc198973a004d9ffa2d721a8873ce0b5d

SHA512
d1f13c1e9317d20b14ab1434ca1fcf9bbc93d95ba24dfe744fec14cdbd60f324bdc8fdb6eefe1bb7b9df3c119eab58a7b249d71bfea8c19b70cad94acaf93f57

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe

Filesize
5.9MB

MD5
5d8505501b7faa4c7e541b0a32467a58

SHA1
ed0b9de10c38774af49d9279e25a8958817f33a7

SHA256
1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca

SHA512
a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

Filesize
5.9MB

MD5
3aee48e5bac720b0806f714256fef029

SHA1
89afdba09b16adcfec9279bcf65dbe94396e3a01

SHA256
a670ea7da08b60c94f7e9f70d850514e2a2cdfbdc187276a1f6a78f86763fcf3

SHA512
1cccb4b1fbae5366d3b1023bbe4685a800c67380b2057dec7e459d11054b0a5701b705cea088f4a66750ec734baa9365795b3994a8da27d9e36bf3ea27735377

Download Submit
C:\Program Files\Windows Media Player\it-IT\sppsvc.exe

Filesize
342KB

MD5
6d8c32b1ff296b5d9173cb53bc91ff7e

SHA1
068c277b4593782dec08c219a8717b456efa0d64

SHA256
e5a9ccb7b29dbc011ac5c74216f97e9dd0ec58e001f668998480562800beaea5

SHA512
e4c2fe5be5b747d056858aeef26ace2db9ba45ebbd6db23d226e82a040ac4e41676c33880d16ed8112960b0024b552562581cde9a6e86b3c02f1ddf738a1abd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
750e4be22a6fdadd7778a388198a9ee3

SHA1
8feb2054d8a3767833dd972535df54f0c3ab6648

SHA256
26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1

SHA512
b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2044ef36c414ed6e6c991e5fbe7d5bf1

SHA1
0dbd4be869af1290a771fa295db969dc14b2a1fc

SHA256
1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6

SHA512
304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ec1de5af22ee94e2a00a91da98957bd

SHA1
0ade5098be757a47adb6d5d0dbf576bcf41d6253

SHA256
540ab5c28d94cbbe9c9bf5334eb8dd7e203b7c4aa5c6f195f95fe64965f1ed76

SHA512
8c2242c22a8c2baa92e2ec47fd29447caa709093ed4ff6ee459f8f438c193bc0cb9f5baaf113696c63227f7a67462214236703569689f50272a6f37f5f63452b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c9a06205efb4ec6b1ca25ba605f9f6d

SHA1
53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

SHA256
4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

SHA512
e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd95e4475b8798a58a9e9d19409c1eac

SHA1
571d070dd6315847c4ba334670beffd245a35c45

SHA256
d33812e9c83075812c904e8ea736f744d614cb597e4c7aa4420021e492390729

SHA512
1ad95b0411ffbdeff090c3c71000377027095ecbc8ad27d9b4c8b7b469e669f7d76cd13f7ab2012779b6ac12c5ff2671f4e44fa8d1f2aefae3824ed74a9fa7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7cd541695b3cebb31ad4b3e131bfb4d5

SHA1
16d8085de66ff920f6028c282afb3183bed8865a

SHA256
dc0ae36677b455e1b5c66859b5b2cac1b3a29aabd281f52ac682cc4b99b84fe3

SHA512
f90fa2d9c231a0a00579deafce7b74c2f043485d560c4377c2591a37dad4c79638b30025adb896107a3cb9b5f21f24289f1fe1f3bb73dcd16e346ab95b7bd56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f05bf25-4175-4d9d-a0bc-6d7df99ed6db.vbs

Filesize
506B

MD5
dcbc79a4588cd89330cc36d040f6c9af

SHA1
f05ddbed99b87e8594b839c40975480850fafe8a

SHA256
3e5a0baca9290c80c3c485c38a88f210345f123256909e9c6d9208e26d666163

SHA512
30b5ae2b1db63d99e07de4a2a1f9f45861207a00254347cc0c5a115edafe3c1796f47b1eff004ac3f9c49531233b99a5c95445d24cd851e906d0a4e76290b9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d288c75-a642-4201-bac7-d8299702582b.vbs

Filesize
730B

MD5
4545d8505c580f7aeccc4f2b5c946f66

SHA1
7d990b1e419ad8a53b82c8791a29914f745288e0

SHA256
b4ab2470e506cd7afccd50846b9109d23dc1cce3ba483fb55ea12540bb905c58

SHA512
f0c5531ae967755114a706670862348ca2685c310289f17594cffe7203484f961ad9a258e190d6b340076fdc90dc4a0dbf4f52430bb8c760e6df601d5982bc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e920aaf-2d28-4db8-8c57-20b01a64ccd1.vbs

Filesize
729B

MD5
197c6140b55931d6be1f67211634df79

SHA1
1173948c21a0cac43e3f903e0c3915bd52d4feb5

SHA256
91067df273f0921deca2c478f14c95eb647dac0995d3822dd48b30f10cff3ccf

SHA512
2c8c41934eed43dfb134ec71cad8027d8157c71ae13e61ba63c0508995536135861bf724867d912b14a2742edee50ccef33db815a947efa96f3638c382c927da

Download Submit
C:\Users\Admin\AppData\Local\Temp\73264ea4-08f2-4f30-981c-2a72705d32c6.vbs

Filesize
730B

MD5
6e58ec49de3166bf3b933a9eb67fe100

SHA1
881812fde1d30c561cbc1e5ba5b21008712ac4be

SHA256
c6c87ffb295dd04d2b34d1ee127f19aaed607c48d5791a984ae89014e4eb18ba

SHA512
3d043b6981e0142c9ea8c589ef74ff001b5eba402ab220b4b43ac3223d3cb97ccee67497be5ca57472e092043b27962bf1c7bdfc1da13e83ef9097d79616f6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b8a4abf-acc7-4fd4-9897-c468b0519d40.vbs

Filesize
730B

MD5
03a6bb911504abf0eb13554c3e264e2d

SHA1
e67a07eb09667099f037c003337dd5361cbc4380

SHA256
63f5c3fce4135308bb3339c6aeaaacacd0dc83328618cacd67445c95af3acf64

SHA512
a4e712684fa4901516e1a8111aa92148376e1a19800ca8089bfc1e93700cd160b0652e61d99cf40720a2ed968a5933a690b36718497fb82625f2fe4646659f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyrohzq0.b5e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1608-479-0x000000001BDE0000-0x000000001BDF2000-memory.dmp

Filesize
72KB

Download
memory/1772-301-0x000001F7251F0000-0x000001F725212000-memory.dmp

Filesize
136KB

Download
memory/1848-36-0x000000001D2F0000-0x000000001D2FE000-memory.dmp

Filesize
56KB

Download
memory/1848-212-0x00007FF91ECC0000-0x00007FF91F781000-memory.dmp

Filesize
10.8MB

Download
memory/1848-35-0x000000001D2E0000-0x000000001D2E8000-memory.dmp

Filesize
32KB

Download
memory/1848-34-0x000000001D2D0000-0x000000001D2DE000-memory.dmp

Filesize
56KB

Download
memory/1848-33-0x000000001D2C0000-0x000000001D2CA000-memory.dmp

Filesize
40KB

Download
memory/1848-32-0x000000001D350000-0x000000001D35C000-memory.dmp

Filesize
48KB

Download
memory/1848-31-0x000000001D330000-0x000000001D338000-memory.dmp

Filesize
32KB

Download
memory/1848-28-0x000000001D090000-0x000000001D098000-memory.dmp

Filesize
32KB

Download
memory/1848-27-0x000000001D080000-0x000000001D08C000-memory.dmp

Filesize
48KB

Download
memory/1848-25-0x000000001D5A0000-0x000000001DAC8000-memory.dmp

Filesize
5.2MB

Download
memory/1848-22-0x000000001D030000-0x000000001D038000-memory.dmp

Filesize
32KB

Download
memory/1848-20-0x000000001D010000-0x000000001D018000-memory.dmp

Filesize
32KB

Download
memory/1848-19-0x000000001D000000-0x000000001D00C000-memory.dmp

Filesize
48KB

Download
memory/1848-14-0x000000001CE20000-0x000000001CE2C000-memory.dmp

Filesize
48KB

Download
memory/1848-12-0x000000001CE00000-0x000000001CE08000-memory.dmp

Filesize
32KB

Download
memory/1848-11-0x000000001CDE0000-0x000000001CDF6000-memory.dmp

Filesize
88KB

Download
memory/1848-10-0x000000001B610000-0x000000001B620000-memory.dmp

Filesize
64KB

Download
memory/1848-9-0x000000001B5F0000-0x000000001B5F8000-memory.dmp

Filesize
32KB

Download
memory/1848-8-0x000000001CE30000-0x000000001CE80000-memory.dmp

Filesize
320KB

Download
memory/1848-7-0x000000001B5D0000-0x000000001B5EC000-memory.dmp

Filesize
112KB

Download
memory/1848-6-0x000000001B5C0000-0x000000001B5C8000-memory.dmp

Filesize
32KB

Download
memory/1848-38-0x000000001D310000-0x000000001D31C000-memory.dmp

Filesize
48KB

Download
memory/1848-188-0x00007FF91ECC3000-0x00007FF91ECC5000-memory.dmp

Filesize
8KB

Download
memory/1848-37-0x000000001D300000-0x000000001D308000-memory.dmp

Filesize
32KB

Download
memory/1848-39-0x000000001D320000-0x000000001D328000-memory.dmp

Filesize
32KB

Download
memory/1848-41-0x000000001D360000-0x000000001D36C000-memory.dmp

Filesize
48KB

Download
memory/1848-40-0x000000001D340000-0x000000001D34A000-memory.dmp

Filesize
40KB

Download
memory/1848-425-0x00007FF91ECC0000-0x00007FF91F781000-memory.dmp

Filesize
10.8MB

Download
memory/1848-0-0x00007FF91ECC3000-0x00007FF91ECC5000-memory.dmp

Filesize
8KB

Download
memory/1848-30-0x000000001D0B0000-0x000000001D0BC000-memory.dmp

Filesize
48KB

Download
memory/1848-29-0x000000001D0A0000-0x000000001D0AC000-memory.dmp

Filesize
48KB

Download
memory/1848-26-0x000000001D070000-0x000000001D07C000-memory.dmp

Filesize
48KB

Download
memory/1848-24-0x000000001D040000-0x000000001D052000-memory.dmp

Filesize
72KB

Download
memory/1848-21-0x000000001D020000-0x000000001D02C000-memory.dmp

Filesize
48KB

Download
memory/1848-18-0x000000001CFB0000-0x000000001D006000-memory.dmp

Filesize
344KB

Download
memory/1848-17-0x000000001CFA0000-0x000000001CFAA000-memory.dmp

Filesize
40KB

Download
memory/1848-15-0x000000001CE10000-0x000000001CE18000-memory.dmp

Filesize
32KB

Download
memory/1848-16-0x000000001CF90000-0x000000001CFA0000-memory.dmp

Filesize
64KB

Download
memory/1848-13-0x000000001CF80000-0x000000001CF92000-memory.dmp

Filesize
72KB

Download
memory/1848-5-0x0000000002A40000-0x0000000002A4E000-memory.dmp

Filesize
56KB

Download
memory/1848-4-0x0000000002A30000-0x0000000002A3E000-memory.dmp

Filesize
56KB

Download
memory/1848-3-0x00007FF91ECC0000-0x00007FF91F781000-memory.dmp

Filesize
10.8MB

Download
memory/1848-1-0x00000000000B0000-0x00000000009A8000-memory.dmp

Filesize
9.0MB

Download
memory/1848-2-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/6128-492-0x000000001B6C0000-0x000000001B6D2000-memory.dmp

Filesize
72KB

Download