dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Size

1.6MB
MD5

7fbc72dcc67b2b7366c90f81051bd68a
SHA1

bdd22f70686afb5bf32d638eee6fdd0891ec3248
SHA256

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82
SHA512

e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5980	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5516	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5428	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5592	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5268	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6112	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5936	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6036	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	4368	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	4368	schtasks.exe	86

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral18/memory/5616-1-0x0000000000FF0000-0x0000000001192000-memory.dmp	dcrat
behavioral18/files/0x000700000002429c-26.dat	dcrat
behavioral18/files/0x000800000002428e-68.dat	dcrat
behavioral18/files/0x0008000000024298-92.dat	dcrat
behavioral18/files/0x000f0000000242bb-187.dat	dcrat
behavioral18/memory/1064-388-0x0000000000ED0000-0x0000000001072000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3780	powershell.exe
3592	powershell.exe
2836	powershell.exe
5868	powershell.exe
3668	powershell.exe
4024	powershell.exe
4848	powershell.exe
4076	powershell.exe
1068	powershell.exe
3648	powershell.exe
3036	powershell.exe
3764	powershell.exe
1832	powershell.exe
3576	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 11 IoCs

pid	Process
1064	winlogon.exe
2400	winlogon.exe
4996	winlogon.exe
3832	winlogon.exe
2836	winlogon.exe
4780	winlogon.exe
3328	winlogon.exe
4400	winlogon.exe
5764	winlogon.exe
4100	winlogon.exe
3444	winlogon.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5b884080fd4f94	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX8831.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX8842.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\RCX951E.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\sihost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\sihost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\66fc9ff0ee96c2	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\RCX951F.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5428	schtasks.exe
3892	schtasks.exe
5464	schtasks.exe
4648	schtasks.exe
4660	schtasks.exe
3496	schtasks.exe
4812	schtasks.exe
6036	schtasks.exe
2232	schtasks.exe
408	schtasks.exe
5772	schtasks.exe
4792	schtasks.exe
4744	schtasks.exe
5488	schtasks.exe
4488	schtasks.exe
5056	schtasks.exe
4772	schtasks.exe
6088	schtasks.exe
5268	schtasks.exe
2444	schtasks.exe
5436	schtasks.exe
4704	schtasks.exe
4768	schtasks.exe
5592	schtasks.exe
5936	schtasks.exe
4736	schtasks.exe
3384	schtasks.exe
2172	schtasks.exe
1996	schtasks.exe
4944	schtasks.exe
6112	schtasks.exe
1200	schtasks.exe
760	schtasks.exe
2840	schtasks.exe
1112	schtasks.exe
1380	schtasks.exe
5980	schtasks.exe
4468	schtasks.exe
5516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
3648	powershell.exe
3648	powershell.exe
1832	powershell.exe
1832	powershell.exe
4076	powershell.exe
4076	powershell.exe
5868	powershell.exe
5868	powershell.exe
3780	powershell.exe
2836	powershell.exe
2836	powershell.exe
3780	powershell.exe
3576	powershell.exe
3576	powershell.exe
1068	powershell.exe
1068	powershell.exe
3668	powershell.exe
3668	powershell.exe
4024	powershell.exe
4024	powershell.exe
3592	powershell.exe
3592	powershell.exe
4848	powershell.exe
4848	powershell.exe
3036	powershell.exe
3036	powershell.exe
3764	powershell.exe
3764	powershell.exe
3668	powershell.exe
3780	powershell.exe
4848	powershell.exe
3648	powershell.exe
3036	powershell.exe
1832	powershell.exe
4076	powershell.exe
5868	powershell.exe
1068	powershell.exe
2836	powershell.exe
4024	powershell.exe
3576	powershell.exe
3592	powershell.exe
3764	powershell.exe
1064	winlogon.exe
1064	winlogon.exe
2400	winlogon.exe
4996	winlogon.exe
3832	winlogon.exe
2836	winlogon.exe
4780	winlogon.exe
4780	winlogon.exe
3328	winlogon.exe
3328	winlogon.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	1064	winlogon.exe
Token: SeDebugPrivilege	2400	winlogon.exe
Token: SeDebugPrivilege	4996	winlogon.exe
Token: SeDebugPrivilege	3832	winlogon.exe
Token: SeDebugPrivilege	2836	winlogon.exe
Token: SeDebugPrivilege	4780	winlogon.exe
Token: SeDebugPrivilege	3328	winlogon.exe
Token: SeDebugPrivilege	4400	winlogon.exe
Token: SeDebugPrivilege	5764	winlogon.exe
Token: SeDebugPrivilege	4100	winlogon.exe
Token: SeDebugPrivilege	3444	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5616 wrote to memory of 3764	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	127
PID 5616 wrote to memory of 3764	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	127
PID 5616 wrote to memory of 5868	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	128
PID 5616 wrote to memory of 5868	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	128
PID 5616 wrote to memory of 1832	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	129
PID 5616 wrote to memory of 1832	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	129
PID 5616 wrote to memory of 3668	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	130
PID 5616 wrote to memory of 3668	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	130
PID 5616 wrote to memory of 4024	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	131
PID 5616 wrote to memory of 4024	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	131
PID 5616 wrote to memory of 4848	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	132
PID 5616 wrote to memory of 4848	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	132
PID 5616 wrote to memory of 3576	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	133
PID 5616 wrote to memory of 3576	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	133
PID 5616 wrote to memory of 4076	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	134
PID 5616 wrote to memory of 4076	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	134
PID 5616 wrote to memory of 2836	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	135
PID 5616 wrote to memory of 2836	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	135
PID 5616 wrote to memory of 3592	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	136
PID 5616 wrote to memory of 3592	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	136
PID 5616 wrote to memory of 3036	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	137
PID 5616 wrote to memory of 3036	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	137
PID 5616 wrote to memory of 3648	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	138
PID 5616 wrote to memory of 3648	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	138
PID 5616 wrote to memory of 1068	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	140
PID 5616 wrote to memory of 1068	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	140
PID 5616 wrote to memory of 3780	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	141
PID 5616 wrote to memory of 3780	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	141
PID 5616 wrote to memory of 1064	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	155
PID 5616 wrote to memory of 1064	5616	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	155
PID 1064 wrote to memory of 2308	1064	winlogon.exe	156
PID 1064 wrote to memory of 2308	1064	winlogon.exe	156
PID 1064 wrote to memory of 1080	1064	winlogon.exe	157
PID 1064 wrote to memory of 1080	1064	winlogon.exe	157
PID 2308 wrote to memory of 2400	2308	WScript.exe	158
PID 2308 wrote to memory of 2400	2308	WScript.exe	158
PID 2400 wrote to memory of 6052	2400	winlogon.exe	162
PID 2400 wrote to memory of 6052	2400	winlogon.exe	162
PID 2400 wrote to memory of 440	2400	winlogon.exe	163
PID 2400 wrote to memory of 440	2400	winlogon.exe	163
PID 6052 wrote to memory of 4996	6052	WScript.exe	167
PID 6052 wrote to memory of 4996	6052	WScript.exe	167
PID 4996 wrote to memory of 324	4996	winlogon.exe	168
PID 4996 wrote to memory of 324	4996	winlogon.exe	168
PID 4996 wrote to memory of 1412	4996	winlogon.exe	169
PID 4996 wrote to memory of 1412	4996	winlogon.exe	169
PID 324 wrote to memory of 3832	324	WScript.exe	171
PID 324 wrote to memory of 3832	324	WScript.exe	171
PID 3832 wrote to memory of 3580	3832	winlogon.exe	172
PID 3832 wrote to memory of 3580	3832	winlogon.exe	172
PID 3832 wrote to memory of 4120	3832	winlogon.exe	173
PID 3832 wrote to memory of 4120	3832	winlogon.exe	173
PID 3580 wrote to memory of 2836	3580	WScript.exe	175
PID 3580 wrote to memory of 2836	3580	WScript.exe	175
PID 2836 wrote to memory of 5160	2836	winlogon.exe	177
PID 2836 wrote to memory of 5160	2836	winlogon.exe	177
PID 2836 wrote to memory of 2404	2836	winlogon.exe	178
PID 2836 wrote to memory of 2404	2836	winlogon.exe	178
PID 5160 wrote to memory of 4780	5160	WScript.exe	179
PID 5160 wrote to memory of 4780	5160	WScript.exe	179
PID 4780 wrote to memory of 2248	4780	winlogon.exe	180
PID 4780 wrote to memory of 2248	4780	winlogon.exe	180
PID 4780 wrote to memory of 2648	4780	winlogon.exe	181
PID 4780 wrote to memory of 2648	4780	winlogon.exe	181

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
"C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Users\Public\Desktop\winlogon.exe
  "C:\Users\Public\Desktop\winlogon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01bb701c-5a2d-4ed1-9d8d-f1fdededa2f3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Users\Public\Desktop\winlogon.exe
      C:\Users\Public\Desktop\winlogon.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\486de828-ebdd-4017-a9f2-0c2575a2ece0.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6052
      - C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\473601c7-fd49-4f4e-a697-2cc8db34bf4f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df554fc8-84bd-4e54-866e-55c5e2c90b72.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdf26a3a-1797-43c6-a969-57c2a20f4751.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5160
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8ad8225-4042-4d63-9946-b65a938f6cdb.vbs"
        13⤵
        
        PID:2248
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a8ae0c2-8191-4245-be4c-dad40c78bd0a.vbs"
        15⤵
        
        PID:5096
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53bce10a-c469-46cd-aaf3-d29bc835931d.vbs"
        17⤵
        
        PID:5500
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15e42a6a-0323-4ecf-aba1-9471b8bce4da.vbs"
        19⤵
        
        PID:6052
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5b70c29-0325-4624-b0b5-a699011bbd8c.vbs"
        21⤵
        
        PID:3256
        
        C:\Users\Public\Desktop\winlogon.exe
        
        C:\Users\Public\Desktop\winlogon.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88e07b8f-b240-47b7-9a15-099371b9ad57.vbs"
        23⤵
        
        PID:5808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bd29471-4145-4ceb-9492-e474c49516c9.vbs"
        23⤵
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e575cf8-bb84-4139-ba21-471b9f04d0f9.vbs"
        21⤵
        
        PID:3428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa5abe3f-ba38-4a80-beb2-9b94943543a3.vbs"
        19⤵
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\859f7920-278e-426f-afa6-4cc47bf16072.vbs"
        17⤵
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\651a133b-2749-4fe4-9493-1133505aab1f.vbs"
        15⤵
        
        PID:3380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41f99491-9fe3-417b-b91a-05045e1650c2.vbs"
        13⤵
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11240d35-f509-4514-94ff-1dffafa6b011.vbs"
        11⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9348d45a-a312-4908-b3ad-3ff9d7d7bd95.vbs"
        9⤵
        
        PID:4120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9778f66b-fe6c-46aa-8ddf-b904db251e9d.vbs"
        7⤵
        
        PID:1412
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08fa889b-30c2-45b3-97a8-9efd9b0c40ce.vbs"
        5⤵
        
        PID:440
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba47e2d-4a43-476a-aef7-ecf385bb35e6.vbs"
    3⤵
    PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\900323d723f1dd1206\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\900323d723f1dd1206\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\60739cf6f660743813\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\60739cf6f660743813\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee821" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82" /sc ONLOGON /tr "'C:\Users\Default User\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee821" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee821" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee821" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\900323d723f1dd1206\RCX8AD4.tmp

Filesize
1.6MB

MD5
2633625f355ccd93e543e9bec9788661

SHA1
dd761b7bfc90487e19d655c2678c40a57ebf7193

SHA256
e5d87656a9a242ec63f68f37b24336dcc91b8a79631fa6043ee11aa776aba91b

SHA512
31caffc5924953ab9deba62647344edec86869ba7f9645ade9e0db871919a18564dc54e5ef15d3a55234a859d7159f68e47d71d593c7dd72e3c333550b850a84

Download Submit
C:\900323d723f1dd1206\backgroundTaskHost.exe

Filesize
1.6MB

MD5
45b6571c79cf4618124ba450eb6d577b

SHA1
d96ca369ef7bc9ae1a98086933cf9230fb72a0f8

SHA256
011d72f56313903378a95f6e4d188a5995eaae8081efae68f0b002146d36f09d

SHA512
01bdf2e06b16d051da78e0921ada10d9b26579ce3d68b96dc0160e970b977147fa0ead4ab6bf7be86d0375f09bae7b4906f14f3d633e59fce2b8084bd3c3cf29

Download Submit
C:\ProgramData\Microsoft OneDrive\setup\sihost.exe

Filesize
1.6MB

MD5
7fbc72dcc67b2b7366c90f81051bd68a

SHA1
bdd22f70686afb5bf32d638eee6fdd0891ec3248

SHA256
1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82

SHA512
e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
30552f7617959d837dbc5167ec0a3824

SHA1
a471b8d31983b3885cee92ead3f3f2b6621c1ebe

SHA256
c8f05399999cda0a1d159d9be58d5d7e39b783290d57a238cfdb22c000301c18

SHA512
37af8e93814f95ea8773b093803ca74475fcc2f0006bcbbd0ecc28d6ab6acb742afed81d5b859f6429128761b440a355f2b35fe38242fae9d8069c8ab23c84b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c667bc406c30dedf08683212c4a204b5

SHA1
4d713119a8483f32461a45e8291a2b8dc1fc4e7d

SHA256
0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

SHA512
1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaf0080989fabad865a080216418fbf2

SHA1
935075309ff07f95b5c2ff643661fef989526e15

SHA256
86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

SHA512
21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
68bf9e6d0adb2ef3481ca14096fb649c

SHA1
16ca4ae4e06b787cb7ce84d9520fe27d09800063

SHA256
f450abac163b8b6e1390084d47356b54bfcde6c0411924907d24c727e964025e

SHA512
3dee6b307cb014ada181e92e2358f40eebfd3c7e19ee3f33ffbe7a600f4052a73a8120d64eb51639ae23d64c94ad7fc60fda740f6c7487ff8285602dd24a024c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efd2dfedf7e67764ce4dc0c1475d5543

SHA1
be775a500ecf6c234153afad0b8ec07e56ad74fa

SHA256
662c4f869810ea7f43ce3ccbeccc5b80c443161c56a346fb9054fb1fa613a7ad

SHA512
b167fa92f6d63b18e6247445b1c532a2a229a0fc6dcd26c9d1526749f80c7ec01524b7ce497ab94a3df814f9ce4b7394d872d85555323ddcd08798d565f3211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae19674c4dd6a419a8ce8bc65e65167

SHA1
8b3f7e010483412b803e756c850fecd29cf9fb8a

SHA256
f4a34d2ff32e49df841e87405dab2661bcae83c20ee781a13fbe73924fd672cd

SHA512
9865dd43b4494081bb625844fcedb56dfc335b5f2cadd5c4094f0848df07ab5fa40faeb3adbbb91e1355ed436dfbf44ff4ae9ad39cdbd5fbfdef4d1813f3ee74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c8fd95453fe0d2e0f6d8e5ac03994b1

SHA1
d9811cf9d2b0d0ce3387fd79462cd592b005a634

SHA256
232dac927d663f4ed67a4f005da093bc9865c323767c29c3b4a21797f4a60e58

SHA512
f334216c706e96e85910bc14e7eeec0da3e6f4e9a8620108c938d997266939170aabfdfddd9830f454a34d0db503f8f0bbe63c910007bfd03f294f8a34945810

Download Submit
C:\Users\Admin\AppData\Local\Temp\01bb701c-5a2d-4ed1-9d8d-f1fdededa2f3.vbs

Filesize
712B

MD5
3e60088aabcf1024e58becd150559d6a

SHA1
b952083cb3bc1a6d75d8cba16a0f5f9396d4941b

SHA256
51c1008e634b38d03ef2bc2cf5ad1e98ef80b2b0bda673e880c1e21ec191bb6f

SHA512
cdeec47229fee6097f157fd581f5579139abb23cf31c1d0b6d376dad17909cd7b5ac6a3923b96085aa71d1786c58c94885b665cc6bd577277d7ff6b8e3e09d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\15e42a6a-0323-4ecf-aba1-9471b8bce4da.vbs

Filesize
712B

MD5
92dadf3b1b8f27fcffaead6ee05496fc

SHA1
80ad47a0c519ee18eb829e834d43ff6891435bac

SHA256
54a6e67c5e276c7085e1c41c77d51405d58ce21e7e7376927f870fd5a19a0361

SHA512
b9de1a6804d92dc4bb548a7a30be94650fd401801c79f62b390979e09fa70819d45e7c5b2e1a9984a829808e660470f392424b8ace7dbc009fe3a6c7a040943a

Download Submit
C:\Users\Admin\AppData\Local\Temp\473601c7-fd49-4f4e-a697-2cc8db34bf4f.vbs

Filesize
712B

MD5
4cbae2560bd7cfac36161efec9aec4ba

SHA1
9efd733ca7afd9bdd79fb66b726da4a50ca57488

SHA256
56b5f97da1939ce24e5db5768bf6e90b9251b211a6a0e408a17fad8556944851

SHA512
49906f9b91aa7a9215da7b461fcdea4615041b3dbe4dea7ced130ac5a567a57800b19f14f854fa61c402eda36a9708507f395ffb84d53aaa3c4fa28796a23569

Download Submit
C:\Users\Admin\AppData\Local\Temp\486de828-ebdd-4017-a9f2-0c2575a2ece0.vbs

Filesize
712B

MD5
3cc5da3e1a6216451a2cd399d83030fd

SHA1
50d881a52cb8f348c3d1efeec949672acbf76954

SHA256
8e410abc0cbde3898800df6503ab3984d6d4860a2788b4706cb2c5a1cf6c8ae5

SHA512
63663dbb81fdded24b94ebad27b06f49e19fc5e704946bd15d985d465d6694d9dd12455aaa426d6349569fc15ea8e0ea592d811c5e69a9486577007de6d67ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\53bce10a-c469-46cd-aaf3-d29bc835931d.vbs

Filesize
712B

MD5
7bfb19d5778f23eb2c230de5dc3f9222

SHA1
c5d8a862e149c3ffe15bc05a75f2dbab6b9c2929

SHA256
6859845ee9e3ef3a3f359b3ec082b506171dd877445dfb24fbe2116a503b275b

SHA512
f8588ec8f8b3268b6588474fb48b4771dd8af18ee59ed1d4b330c7623070eba32e281c789bd26e889bb86422a6d71c8f3dc8f3cd8992672be897116aa23ab823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ba47e2d-4a43-476a-aef7-ecf385bb35e6.vbs

Filesize
488B

MD5
5f58d3740a168b3da6b125a4eb92ede5

SHA1
d7c0d3229d1f7b6f4dc5c5d033f0339aaeb52b47

SHA256
feca3710bcfe997876f30448b6d3ac75e67b43c4c00370dbd27cceeec9d8cc61

SHA512
c3fa0a2e690a289fba8320814663aed00fc570b66a6c1301832478063565499f9841bd5f538aa487f36c4eb3e39ba42fadb65a84eb7a7404aef14a80e32fb685

Download Submit
C:\Users\Admin\AppData\Local\Temp\88e07b8f-b240-47b7-9a15-099371b9ad57.vbs

Filesize
712B

MD5
46a62fa45ad1faa2c38fcfb54819b412

SHA1
5767a093323d75b454f111fe63148be08be3cfd0

SHA256
e4648aca765d38a09abe8412e1bd2223481a89695e998f1ef78ea767e8ff9317

SHA512
54ff67d5e3108b65da67c08cf2fdd8a0de98199fafa7b8de751dfd6cd4a20006c17230939053aa225c4a0f3ca89a25d0e57476c579348544d57f72c29db4414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a8ae0c2-8191-4245-be4c-dad40c78bd0a.vbs

Filesize
712B

MD5
98e58d4065613793d6dec4b1436d1f55

SHA1
6aa264e11e94dfe03abdec60f0de796f766827cd

SHA256
a1ae70d4b5b631eff431d3696a007b2053c0476102b8a0bf5ea8a2f976665242

SHA512
7c19ab1dac927ee9016aef4ea53fa4ef11bc73adfddcf5248a01fd2763257e46d263402b18120c1e4b3a74e6dd3e10393693808eb07eaed7b33fa70891a75994

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l12z1d5v.dgz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8ad8225-4042-4d63-9946-b65a938f6cdb.vbs

Filesize
712B

MD5
b9803abf88c52c9598474ff96bf9752a

SHA1
04c7d5f324aa2a0a0ae45bce483085cc4d0881e2

SHA256
dee40a6923bc8c7683b38cfe1c21ce44d462819a5e914ab7c9a87044476134d9

SHA512
21e93b57d67c57fd27e13c1ed945be7078ea5aef37faaca17d64eb241b926ae72d067858600a14159d429164bc5362467498493e3f5ae54a5f214303baf55df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf26a3a-1797-43c6-a969-57c2a20f4751.vbs

Filesize
712B

MD5
f4a36a4622279e37c8fca7f62b09ceac

SHA1
f3db0edc86fe48465240c9c0e42738c253e5c2f2

SHA256
e3677a9badab25a645be10b745d5d68eef956c2b3e1f6944b3d14e5c9ced44d0

SHA512
d9e27571f5f30f4e5a68428f5e7773807e103ae345d0f1c6b07feb8c5929d2a7e2ed865e9bd775f918c5b2b93f8b5a334661d4b4c64111b1958c3e144e9b6d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\df554fc8-84bd-4e54-866e-55c5e2c90b72.vbs

Filesize
712B

MD5
9787d0d5f74e2cd27b60097224ce0555

SHA1
bfc468db0c361acd5af64dc9034ba81cd8eed0f2

SHA256
f92681e13905d3ad84f899f3ae1de1baf67423192b52ce6f8447c3bb454c0793

SHA512
fb35d27bf060dd94a2a35139558e16ffda9923277c0dd68a236099c3035fb21bbb865d8bd95fa8f91b286c87e607d914f0fe8538bace7292dc2ea24388437deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5b70c29-0325-4624-b0b5-a699011bbd8c.vbs

Filesize
712B

MD5
cd9f266b03ee00ab6fdffa6bf3450acb

SHA1
c73a48d49772b8db4e218c05ac057e074735352a

SHA256
25fc3e4eefb32de5f189fbb866d0b3dadfc2044fb97ae496d74fa6035c7e6499

SHA512
56744a391cc9fbc619d5fc42cf69e7fe752c6868f737608a48b4b81c6d8fcae4bdb445349abc114d767badb86ffc46932a4525591fe25b253c0d3ccec2bd8e54

Download Submit
C:\Users\Public\Desktop\winlogon.exe

Filesize
1.6MB

MD5
608d42fd922bcd93e643247f7cfe70a3

SHA1
f11b3292c9a5365b3c92877e21eca4610ca473cf

SHA256
d00d5a6041b5cd941008d8b9fd78a3f61670f3794eeffb02433f12850a86228a

SHA512
37c97492fff437fc3062b5732afa180ef685f8ee230783f62a479b4702cc36d511f0f17985caab7dadfe6cd5559e4f207cc6985fa14add50947d57000789b489

Download Submit
memory/1064-388-0x0000000000ED0000-0x0000000001072000-memory.dmp

Filesize
1.6MB

Download
memory/3648-255-0x000001BF77590000-0x000001BF775B2000-memory.dmp

Filesize
136KB

Download
memory/5616-17-0x000000001C690000-0x000000001C69C000-memory.dmp

Filesize
48KB

Download
memory/5616-6-0x0000000003500000-0x0000000003516000-memory.dmp

Filesize
88KB

Download
memory/5616-15-0x000000001C470000-0x000000001C478000-memory.dmp

Filesize
32KB

Download
memory/5616-16-0x000000001C480000-0x000000001C48A000-memory.dmp

Filesize
40KB

Download
memory/5616-13-0x000000001C450000-0x000000001C45E000-memory.dmp

Filesize
56KB

Download
memory/5616-12-0x000000001C440000-0x000000001C44A000-memory.dmp

Filesize
40KB

Download
memory/5616-11-0x000000001BE20000-0x000000001BE2C000-memory.dmp

Filesize
48KB

Download
memory/5616-9-0x000000001BE00000-0x000000001BE08000-memory.dmp

Filesize
32KB

Download
memory/5616-10-0x000000001BE10000-0x000000001BE1C000-memory.dmp

Filesize
48KB

Download
memory/5616-8-0x000000001BDF0000-0x000000001BE00000-memory.dmp

Filesize
64KB

Download
memory/5616-7-0x00000000034E0000-0x00000000034E8000-memory.dmp

Filesize
32KB

Download
memory/5616-14-0x000000001C460000-0x000000001C468000-memory.dmp

Filesize
32KB

Download
memory/5616-5-0x00000000034D0000-0x00000000034E0000-memory.dmp

Filesize
64KB

Download
memory/5616-184-0x00007FFAB90D3000-0x00007FFAB90D5000-memory.dmp

Filesize
8KB

Download
memory/5616-389-0x00007FFAB90D0000-0x00007FFAB9B91000-memory.dmp

Filesize
10.8MB

Download
memory/5616-0-0x00007FFAB90D3000-0x00007FFAB90D5000-memory.dmp

Filesize
8KB

Download
memory/5616-4-0x000000001C490000-0x000000001C4E0000-memory.dmp

Filesize
320KB

Download
memory/5616-3-0x00000000034B0000-0x00000000034CC000-memory.dmp

Filesize
112KB

Download
memory/5616-2-0x00007FFAB90D0000-0x00007FFAB9B91000-memory.dmp

Filesize
10.8MB

Download
memory/5616-200-0x00007FFAB90D0000-0x00007FFAB9B91000-memory.dmp

Filesize
10.8MB

Download
memory/5616-1-0x0000000000FF0000-0x0000000001192000-memory.dmp

Filesize
1.6MB

Download