dcrat | b8c5e2c8477706f3f54e152443718dcec270889002289aa1730eabc5ba3f312f

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Size

1.6MB
MD5

f088c5388663eeeed395b7263d1f4993
SHA1

698d5eaabf3b5ce145f89f810311a0b42dade120
SHA256

279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819
SHA512

c9d946db7a10abed675d764436f3af3482b5259589fa976758b28bcd7c5b380bde9e338783611cbc5925cfdabbe0c9ba930bdb85aec7e6190d935b678b5dbba6
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5912	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5420	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5500	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5304	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5800	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5312	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6116	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5956	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6044	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5568	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6092	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1924	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	1924	schtasks.exe	88

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral22/memory/4092-1-0x0000000000E40000-0x0000000000FE2000-memory.dmp	dcrat
behavioral22/files/0x000700000002429b-26.dat	dcrat
behavioral22/files/0x000c00000001e6bc-92.dat	dcrat
behavioral22/files/0x000500000001e6ef-114.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3152	powershell.exe
2960	powershell.exe
3400	powershell.exe
5944	powershell.exe
452	powershell.exe
1472	powershell.exe
2496	powershell.exe
3484	powershell.exe
5904	powershell.exe
4120	powershell.exe
2940	powershell.exe
2304	powershell.exe
2156	powershell.exe
408	powershell.exe
5164	powershell.exe
3080	powershell.exe
3492	powershell.exe
5916	powershell.exe
4204	powershell.exe
5028	powershell.exe
5232	powershell.exe
4368	powershell.exe
3924	powershell.exe
864	powershell.exe
3048	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 14 IoCs

pid	Process
5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
5652	conhost.exe
4728	conhost.exe
2368	conhost.exe
4692	conhost.exe
4980	conhost.exe
3816	conhost.exe
3840	conhost.exe
712	conhost.exe
5736	conhost.exe
5344	conhost.exe
2612	conhost.exe
5328	conhost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\6203df4a6bafc7	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\powershell.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Program Files\Windows Multimedia Platform\lsass.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX61C3.tmp	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX61C4.tmp	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\lsass.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6ccacd8608530f	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Program Files\edge_BITS_4588_921617627\explorer.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Program Files\edge_BITS_4588_921617627\7a0fd90576e088	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Program Files\edge_BITS_4588_921617627\explorer.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\e978f868350d50	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\TextInputHost.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\powershell.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\cc11b995f2a76d	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Windows\en-US\55b276f4edf653	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Windows\en-US\StartMenuExperienceHost.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Windows\Globalization\Sorting\explorer.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Windows\Globalization\Sorting\7a0fd90576e088	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Windows\servicing\InboxFodMetadataCache\metadata\System.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Windows\PolicyDefinitions\9e8d7a4ca61bd9	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Windows\PolicyDefinitions\RuntimeBroker.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Windows\de-DE\winlogon.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Windows\en-US\StartMenuExperienceHost.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Windows\de-DE\winlogon.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File opened for modification	C:\Windows\Globalization\Sorting\explorer.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
File created	C:\Windows\PolicyDefinitions\RuntimeBroker.exe	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5800	schtasks.exe
6092	schtasks.exe
2036	schtasks.exe
4852	schtasks.exe
1564	schtasks.exe
1500	schtasks.exe
4856	schtasks.exe
1108	schtasks.exe
2216	schtasks.exe
1948	schtasks.exe
1240	schtasks.exe
5304	schtasks.exe
1304	schtasks.exe
1948	schtasks.exe
4784	schtasks.exe
5488	schtasks.exe
4528	schtasks.exe
2616	schtasks.exe
4864	schtasks.exe
5956	schtasks.exe
908	schtasks.exe
4716	schtasks.exe
3392	schtasks.exe
2364	schtasks.exe
1828	schtasks.exe
2092	schtasks.exe
4924	schtasks.exe
5772	schtasks.exe
3164	schtasks.exe
2460	schtasks.exe
5912	schtasks.exe
5312	schtasks.exe
4696	schtasks.exe
1208	schtasks.exe
4876	schtasks.exe
1940	schtasks.exe
4696	schtasks.exe
3296	schtasks.exe
2864	schtasks.exe
2880	schtasks.exe
4692	schtasks.exe
1524	schtasks.exe
4992	schtasks.exe
1092	schtasks.exe
4724	schtasks.exe
4864	schtasks.exe
5420	schtasks.exe
3944	schtasks.exe
4756	schtasks.exe
1456	schtasks.exe
2800	schtasks.exe
6116	schtasks.exe
6044	schtasks.exe
5568	schtasks.exe
1940	schtasks.exe
5500	schtasks.exe
680	schtasks.exe
4956	schtasks.exe
2952	schtasks.exe
5556	schtasks.exe
4888	schtasks.exe
2460	schtasks.exe
1340	schtasks.exe
4888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
3492	powershell.exe
3492	powershell.exe
5944	powershell.exe
5944	powershell.exe
3400	powershell.exe
3400	powershell.exe
4204	powershell.exe
4204	powershell.exe
864	powershell.exe
5916	powershell.exe
864	powershell.exe
5916	powershell.exe
452	powershell.exe
452	powershell.exe
5904	powershell.exe
5904	powershell.exe
5904	powershell.exe
3492	powershell.exe
4204	powershell.exe
3400	powershell.exe
5944	powershell.exe
452	powershell.exe
864	powershell.exe
5916	powershell.exe
5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
5028	powershell.exe
5028	powershell.exe
3080	powershell.exe
3080	powershell.exe
1472	powershell.exe
1472	powershell.exe
2940	powershell.exe
2940	powershell.exe
3048	powershell.exe
3048	powershell.exe
5232	powershell.exe
5232	powershell.exe
2304	powershell.exe
2304	powershell.exe
2496	powershell.exe
2496	powershell.exe
4120	powershell.exe
4120	powershell.exe
5028	powershell.exe
2156	powershell.exe
2156	powershell.exe
1472	powershell.exe
3080	powershell.exe
5232	powershell.exe
3048	powershell.exe
2940	powershell.exe
2304	powershell.exe
2496	powershell.exe
4120	powershell.exe
2156	powershell.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	5944	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	5916	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	5904	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	5164	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	5652	conhost.exe
Token: SeDebugPrivilege	4728	conhost.exe
Token: SeDebugPrivilege	2368	conhost.exe
Token: SeDebugPrivilege	4692	conhost.exe
Token: SeDebugPrivilege	4980	conhost.exe
Token: SeDebugPrivilege	3816	conhost.exe
Token: SeDebugPrivilege	3840	conhost.exe
Token: SeDebugPrivilege	712	conhost.exe
Token: SeDebugPrivilege	5736	conhost.exe
Token: SeDebugPrivilege	5344	conhost.exe
Token: SeDebugPrivilege	2612	conhost.exe
Token: SeDebugPrivilege	5328	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 3400	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	113
PID 4092 wrote to memory of 3400	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	113
PID 4092 wrote to memory of 3492	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	114
PID 4092 wrote to memory of 3492	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	114
PID 4092 wrote to memory of 5944	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	115
PID 4092 wrote to memory of 5944	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	115
PID 4092 wrote to memory of 5916	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	116
PID 4092 wrote to memory of 5916	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	116
PID 4092 wrote to memory of 864	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	117
PID 4092 wrote to memory of 864	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	117
PID 4092 wrote to memory of 5904	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	118
PID 4092 wrote to memory of 5904	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	118
PID 4092 wrote to memory of 4204	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	119
PID 4092 wrote to memory of 4204	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	119
PID 4092 wrote to memory of 452	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	120
PID 4092 wrote to memory of 452	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	120
PID 4092 wrote to memory of 2296	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	129
PID 4092 wrote to memory of 2296	4092	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	129
PID 2296 wrote to memory of 3996	2296	cmd.exe	131
PID 2296 wrote to memory of 3996	2296	cmd.exe	131
PID 2296 wrote to memory of 5876	2296	cmd.exe	132
PID 2296 wrote to memory of 5876	2296	cmd.exe	132
PID 5876 wrote to memory of 1472	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	164
PID 5876 wrote to memory of 1472	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	164
PID 5876 wrote to memory of 5028	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	165
PID 5876 wrote to memory of 5028	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	165
PID 5876 wrote to memory of 4120	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	166
PID 5876 wrote to memory of 4120	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	166
PID 5876 wrote to memory of 3048	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	167
PID 5876 wrote to memory of 3048	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	167
PID 5876 wrote to memory of 2940	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	168
PID 5876 wrote to memory of 2940	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	168
PID 5876 wrote to memory of 3080	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	169
PID 5876 wrote to memory of 3080	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	169
PID 5876 wrote to memory of 5232	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	170
PID 5876 wrote to memory of 5232	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	170
PID 5876 wrote to memory of 2496	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	171
PID 5876 wrote to memory of 2496	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	171
PID 5876 wrote to memory of 2304	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	172
PID 5876 wrote to memory of 2304	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	172
PID 5876 wrote to memory of 2156	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	173
PID 5876 wrote to memory of 2156	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	173
PID 5876 wrote to memory of 5400	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	184
PID 5876 wrote to memory of 5400	5876	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	184
PID 5400 wrote to memory of 4368	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	204
PID 5400 wrote to memory of 4368	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	204
PID 5400 wrote to memory of 3152	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	205
PID 5400 wrote to memory of 3152	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	205
PID 5400 wrote to memory of 3484	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	206
PID 5400 wrote to memory of 3484	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	206
PID 5400 wrote to memory of 3924	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	207
PID 5400 wrote to memory of 3924	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	207
PID 5400 wrote to memory of 5164	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	208
PID 5400 wrote to memory of 5164	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	208
PID 5400 wrote to memory of 2960	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	209
PID 5400 wrote to memory of 2960	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	209
PID 5400 wrote to memory of 408	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	210
PID 5400 wrote to memory of 408	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	210
PID 5400 wrote to memory of 5652	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	218
PID 5400 wrote to memory of 5652	5400	279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe	218
PID 5652 wrote to memory of 5148	5652	conhost.exe	219
PID 5652 wrote to memory of 5148	5652	conhost.exe	219
PID 5652 wrote to memory of 4580	5652	conhost.exe	220
PID 5652 wrote to memory of 4580	5652	conhost.exe	220

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
"C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9fcHvtXvX.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3996
- - C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
    "C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\explorer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4588_921617627\explorer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\dwm.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\spoolsv.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\StartMenuExperienceHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
      "C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\backgroundTaskHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\powershell.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5652
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f135711f-aa27-4ffe-a125-5fdc5741b168.vbs"
        6⤵
        
        PID:5148
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d17b991-1dd2-42d3-ac6a-bd2bd8da86b8.vbs"
        8⤵
        
        PID:2412
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbae57ff-0494-4c9e-9785-0f759503e641.vbs"
        10⤵
        
        PID:4176
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88e442e9-aeb4-49ab-aba1-ed9c65f3064b.vbs"
        12⤵
        
        PID:4624
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2334386-215a-4e3f-a7bb-a804495c6e28.vbs"
        14⤵
        
        PID:2224
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6e7df58-0eea-48b8-bb31-e5c4f75762bf.vbs"
        16⤵
        
        PID:2920
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85dca654-91d7-4bc7-83d7-13b096013549.vbs"
        18⤵
        
        PID:620
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1267ec5-e2a4-4b53-9200-b86834932bc0.vbs"
        20⤵
        
        PID:4460
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7ca23f-ad08-4aad-9a22-20c0f5331997.vbs"
        22⤵
        
        PID:3960
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42fae230-a200-4545-b569-6e22f7cb70ab.vbs"
        24⤵
        
        PID:1196
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89fb4eac-e7cb-47c7-9b68-97eb4f3b6f1b.vbs"
        26⤵
        
        PID:5048
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\135a334c-da2e-45eb-a668-78b87a2b4934.vbs"
        28⤵
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\545ae666-50ba-47fb-bacb-669e224e3712.vbs"
        28⤵
        
        PID:5312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5348c6d9-911f-4ff7-8ec6-471b727b547f.vbs"
        26⤵
        
        PID:3608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76fdc02b-e4c4-405f-8a24-e1ddb1627372.vbs"
        24⤵
        
        PID:3876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc6e71b1-f855-4023-af5b-c7524add7b1a.vbs"
        22⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95020b67-90bc-48a4-880d-2aad99f5f104.vbs"
        20⤵
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8888b8b-9e20-4319-a29f-332357f594ed.vbs"
        18⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7063eba-dd37-4e3f-b732-04c28568493f.vbs"
        16⤵
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9908bf14-ca88-49f8-a28a-0df6ee94b04f.vbs"
        14⤵
        
        PID:6048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc483280-f899-4979-ad71-7ac86ea0f88b.vbs"
        12⤵
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee9311d4-786f-442a-97c6-d4a32723518a.vbs"
        10⤵
        
        PID:3604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcf9c3f3-829e-4c3a-a117-e6919ab5a223.vbs"
        8⤵
        
        PID:880
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ea3d4de-6f7d-4479-be62-c5d7bb764526.vbs"
        6⤵
        
        PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\7e20f84d5244aba7145631d4073af8\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\7e20f84d5244aba7145631d4073af8\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\7e20f84d5244aba7145631d4073af8\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\Sorting\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\Sorting\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4588_921617627\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4588_921617627\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4588_921617627\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Music\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\9e8d7a4ca61bd9

Filesize
932B

MD5
ab02b88d57ab1606e123f6c7cf0a4346

SHA1
3d47dade58a86141eafe2b9f63e014f7fb9358e1

SHA256
eedb36a4a60c270f95450158739680ecb6559b871d0ee5a8509086830868852a

SHA512
f0ed7c4a379d5da26e43d3d0f3bf0ab780ec69b9eddf6789c86990b0172b4de9a23b137f26f0896d1bff7a482293e082f16a6aabb7bcf382ea33db29619e7727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd1e1eb6a048e036091c96bdc35a80f2

SHA1
647970199ff6cf12e9d62f5d42030b50ec2fd319

SHA256
f2a37d987731acdcd4887580e12dc5adef0f76c2f8566b071124973ccc49a5fa

SHA512
17571b418a955ac9349b99b03a11560f35a05633cb6146b4ac2b6854e72a215b8cbae9528e1634ac3fafc96f25bffc81c84719305b53cf6e01a97e6669cc05f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3f0db2be09ea50e93f81f83a58fdc049

SHA1
862883227880dde307538079454109d35f39723e

SHA256
b747c644e6479e6e921d09626c68d2df0d33d2a707f9432e5fc1b138e6c9387d

SHA512
a7f4644e8f4a0dd59f47645ba7afe312c9e714f923019add5cddf6491f3466731abd66c854bdaa497c0f162c1ae08df5c6506e2171ec9d74ae5c9ffcd69f0773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
16e669660431a76b6985bae6a3e0ca0f

SHA1
55aead2478e085cc4fa52035dc6d3e9ceb856485

SHA256
df0d9b2a6f0538cdf02e7f2a69db35dbf92a48fb81fcf58c12f1f0ad2ea13fe2

SHA512
ba3a159eca907f8cd6bce2a66b334250e1c6a3b60f14e2cd1ab8dbd0baf33b7b385d834ed1aa3ccb013711cbaf7607d51e7107f1f1783f46595a99a15d5a7d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5d7d84a994df407b45490027d1612f49

SHA1
9f22036fe3c9358da3eabd190a220bfa08f62718

SHA256
e607522b5d77da294a31952705d11b5695fea11106565684616582659d8af895

SHA512
d04684f622730856b67800acf437ad16db02505f0c42f8d7439cf2855a7a294160a7b77691582eb22971bf286041d869eda3fe7d0f3aca3d40fa29be8b6046b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9a11fe13e934b62f540150a89a9013e5

SHA1
ff9e29f2b00148f9b66027322b2e55398d6cedfb

SHA256
e46c7fc9135b63b477fb7d965188086d9b78db42f4017ebf227a5c5b25cca3aa

SHA512
b194c538c5306719d85ca662169f35e97cff9040078d6393b0bbf7cfcd97dba9511a9aabaf0e44ec463876e626fe6cabd096563688d08474c66e819adf90858e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
816d03b14553d8d2cd19771bf135873f

SHA1
3efdd566ca724299705e7c30d4cbb84349b7a1ae

SHA256
70d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304

SHA512
365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fec78ebbd765e6f8d91ff70218cfeb45

SHA1
11018ec3fa5d64501496c37f8687b773da21e68e

SHA256
29086aafe3d9aa700651b295c0007d7832d7ac4fca9e02702706566b7d42f20d

SHA512
3534898dc42185a99c3be830121870ab99e9ff1857cb165ce50f45fe205c4f3cef708e42f914fba573d88e31ac9f719d101d4ddd5b94b848440ef2d6dbcf4942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6019bc03fe1dc3367a67c76d08b55399

SHA1
3d0b6d4d99b6b8e49829a3992072c3d9df7ad672

SHA256
7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0

SHA512
6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
36c0eb4cc9fdffc5d2d368d7231ad514

SHA1
ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

SHA256
f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

SHA512
4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e59140d6693b6a0f6a8617b45bdef9fe

SHA1
7157a22b2533d10fe8ed91d2c5782b44c79bbcde

SHA256
baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

SHA512
117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd0716df5ff6e2ed8bfa08e271d64dd8

SHA1
c342bbe936058ea27843d5dbe5eb434f926612f7

SHA256
15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8

SHA512
7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d17b991-1dd2-42d3-ac6a-bd2bd8da86b8.vbs

Filesize
709B

MD5
4f483ee3f9417fa59dfe30d51377e920

SHA1
97d5820148ef98113e09c9c9df3bbcb25e27753f

SHA256
bdeb16664673d8b808fa26a7cb24b197615e40bedbdbfe833b0968730674c195

SHA512
32f1ed6b408a3adc6fe22979210ae301f8fa22758c54042194dfdeecf565ff7061d9682b677ed869f3ca6d73acc22b96f02948d9b00411b35f52931623d8f17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ea3d4de-6f7d-4479-be62-c5d7bb764526.vbs

Filesize
485B

MD5
6ea617b1fee86659c15279480a41c29a

SHA1
9535d236ed7bcdd03e460f9f83d8d3d61eaf19c0

SHA256
28a6695dd6cb3add5e160feaf24a6256c9033f92b32e878dddfc941c78698add

SHA512
0685243e5d2058364cac2d8c51afcc3a58f8fddec79a1f964ac3978522f28d438a7121ebbccb4f6f339d5ae321c00db4348662c2ee44709568ac11bd8f19b586

Download Submit
C:\Users\Admin\AppData\Local\Temp\85dca654-91d7-4bc7-83d7-13b096013549.vbs

Filesize
709B

MD5
3f6fdedf565368c7b46ee75b2a2a753f

SHA1
7392d0b7e9891159b6ace3fd47fec41a85afc358

SHA256
a8f78d07b736635aa922aadfa3a9093e86f15b9f2946a17f7925ce5975e19412

SHA512
ac7c5f1a5bd98f13f59f0c89039222beebbb1c1a746efa7171963aac62281bf31e4d142e0f615a65673a31af8f4915eca62a0b7457486e2fe6d528b7f1f3b864

Download Submit
C:\Users\Admin\AppData\Local\Temp\88e442e9-aeb4-49ab-aba1-ed9c65f3064b.vbs

Filesize
709B

MD5
22a81c2f8eac73f745165592c815389c

SHA1
578615670010d6ca92f3a8a9ac63b11ffbd1559b

SHA256
d007c7eb943f1d99b8ab7dadb608faecfd4ad3851d58cdeadd54381c9fe6bb12

SHA512
858802ece593b4ba11ddeaa2884cc1df75d53c9e094b573fd77802b58e8bbcba177579fee2cbc614d6fefe0027fff12f2572c4ae247514fbdf5ecc60ca48a269

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rclvsndg.zrz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6e7df58-0eea-48b8-bb31-e5c4f75762bf.vbs

Filesize
709B

MD5
3c56a81d042378fccf96ff36f8a9bd4c

SHA1
c1e585a394d551898696266b7438718f67465c79

SHA256
7076303c374e5f45b7c933e1c6fdc0d3e8c0806302c4a5603699f5dce2e357e8

SHA512
5fea8e3f643ebc87fd08193b95fd45712b56874dcff46c924c1aa3637aa850853c4c18517b1aa738af9ff68f97c1948084ec051ac158b26fcef5c76c601d4fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1267ec5-e2a4-4b53-9200-b86834932bc0.vbs

Filesize
708B

MD5
5375c42a0abab0df812d21ff14b4f315

SHA1
90a882b02fcda45c1e056ba619f9275d7657479a

SHA256
5eab2cc6e1194c32c23c1bb8fc3a1f698d0670f37f570aacac9c6675c51795e5

SHA512
3b50163764e6bc4a971775efe82d41d6052b125ee2b2152978e33eb022ac1c7b009cf1a2109ec713d8ef26f9be086159b650f4a09ec4f97443762a6997402a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f135711f-aa27-4ffe-a125-5fdc5741b168.vbs

Filesize
709B

MD5
58db88e2373a4861e999e58dc4331ccd

SHA1
fcb4888ac96bf07f5a40f579e92d99404c9d081a

SHA256
7642f70b89e105e1ef06e1eeba638cf497fb67d05c2b2069513f565a4c9e8e24

SHA512
aad8d5420d3b7be73c2f8015e1d391b91878e50709ac8875c1d57f364729fd75a64bb3dc9f22a4b9ef2ad23d75eae0e7f7c3e3269d308b39dc6122e109a994a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2334386-215a-4e3f-a7bb-a804495c6e28.vbs

Filesize
709B

MD5
07f69d9fad2404eb0a713de2fe1acb86

SHA1
cdcbc85d930c64d4800a13f1bc0556eeb9ce9f75

SHA256
7a388c86db342edd05cec6070c94f071ec536ef9faff7f8b28757460a34d3ddd

SHA512
afecdbcc7677fc5bc8e5ad88de97727c65d08145df26145dad67ca6559177fb0916f4e5f11fbf0d335f8be6d99b3c1db3e745278a75ff11b21aea986dcde71d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbae57ff-0494-4c9e-9785-0f759503e641.vbs

Filesize
709B

MD5
eee7d9c2f3ff98c67c3f2fa3ebe3fec0

SHA1
58528dc9f0c86c5d92787b4d8f9c3523f94ba05b

SHA256
2b21fee78d82497ddddcc134b1050e270fab2166d8b37e20133da60956630ccf

SHA512
4c21adfd539f8ec94748aef0eac3d7acd8530a1d1af5d1901dc3eeb6a8de16db94f9e88ef900cce54f03cb21f883c09326f00db721478aa00c1f80759dcd8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9fcHvtXvX.bat

Filesize
267B

MD5
0b8160cdda6d2703c4aacd57b0f56007

SHA1
04eb018775cbf58e31cc90f86be1da3b2016d882

SHA256
361296987f3537cdfa8fc6f041c7ddf2da6c5f717b69cc2e83b8f14d1c087398

SHA512
407cf829568fa432f2d4fca38c9c2fb92a972debd4b8d2e89a3f07a51b8c6dfcfb58ec168fb734cc45807224514cc3d879b59a7617bfd04e11ec30aaddfb871d

Download Submit
C:\Users\Public\Desktop\RuntimeBroker.exe

Filesize
1.6MB

MD5
f088c5388663eeeed395b7263d1f4993

SHA1
698d5eaabf3b5ce145f89f810311a0b42dade120

SHA256
279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819

SHA512
c9d946db7a10abed675d764436f3af3482b5259589fa976758b28bcd7c5b380bde9e338783611cbc5925cfdabbe0c9ba930bdb85aec7e6190d935b678b5dbba6

Download Submit
C:\Users\Public\Desktop\RuntimeBroker.exe

Filesize
1.6MB

MD5
8b0a28dad7f7806a56110877d5c0c266

SHA1
dc56ce21d2c8186b6ecaefa31350e150e8eaefb5

SHA256
8f1f31d7db7a4031fb590a751ff583dce3dadad6db195715823abf223cd690b7

SHA512
729d8208317ccb3792adfbcf6a8806a41f639bd58eb2ff7ad81aef285ec934f4880b65ea10749eb92aa6b08b906d9d78c47c8b95694b829fbc697ca6d8a4b0ef

Download Submit
C:\d25f591a00514bc9ba8441\upfc.exe

Filesize
1.6MB

MD5
5c629e93a0b7017b7957349c1e61bb94

SHA1
9306ebc8c41e6db9d6982087248387f6d058381f

SHA256
4624e6e65a1f5d458efe2513f6e3746b09ccc61f7c38d87e40d14a4419e70f6a

SHA512
2828ab06c9d3676c6ca93f07df2f502507303cb7bf7c304674b0e42c73617e57769cba015b1708850daeb92ef5f689159d6eccc67a8d0e7e68ab42f3be39cdc5

Download Submit
memory/2612-633-0x000000001BD30000-0x000000001BE32000-memory.dmp

Filesize
1.0MB

Download
memory/2612-634-0x000000001BD30000-0x000000001BE32000-memory.dmp

Filesize
1.0MB

Download
memory/3492-132-0x00000193F9580000-0x00000193F95A2000-memory.dmp

Filesize
136KB

Download
memory/4092-8-0x000000001BB40000-0x000000001BB50000-memory.dmp

Filesize
64KB

Download
memory/4092-1-0x0000000000E40000-0x0000000000FE2000-memory.dmp

Filesize
1.6MB

Download
memory/4092-4-0x000000001BB50000-0x000000001BBA0000-memory.dmp

Filesize
320KB

Download
memory/4092-3-0x00000000031F0000-0x000000000320C000-memory.dmp

Filesize
112KB

Download
memory/4092-2-0x00007FFD5F270000-0x00007FFD5FD31000-memory.dmp

Filesize
10.8MB

Download
memory/4092-0-0x00007FFD5F273000-0x00007FFD5F275000-memory.dmp

Filesize
8KB

Download
memory/4092-16-0x000000001BC80000-0x000000001BC8A000-memory.dmp

Filesize
40KB

Download
memory/4092-7-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/4092-6-0x000000001BB00000-0x000000001BB16000-memory.dmp

Filesize
88KB

Download
memory/4092-5-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/4092-9-0x000000001BB30000-0x000000001BB38000-memory.dmp

Filesize
32KB

Download
memory/4092-10-0x000000001BBA0000-0x000000001BBAC000-memory.dmp

Filesize
48KB

Download
memory/4092-11-0x000000001BBB0000-0x000000001BBBC000-memory.dmp

Filesize
48KB

Download
memory/4092-15-0x000000001BC70000-0x000000001BC78000-memory.dmp

Filesize
32KB

Download
memory/4092-14-0x000000001BC60000-0x000000001BC68000-memory.dmp

Filesize
32KB

Download
memory/4092-13-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

Filesize
56KB

Download
memory/4092-12-0x000000001BBC0000-0x000000001BBCA000-memory.dmp

Filesize
40KB

Download
memory/4092-157-0x00007FFD5F270000-0x00007FFD5FD31000-memory.dmp

Filesize
10.8MB

Download
memory/4092-17-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download