dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Size

1.6MB
MD5

c87ae2c7c0c0a77294bdf61219b952f5
SHA1

009d29952e3cec0966402de8b8ffeb264c78a956
SHA256

85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f
SHA512

b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5280	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5596	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5456	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	5164	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	5164	schtasks.exe	88

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral14/memory/4020-1-0x0000000000FC0000-0x0000000001162000-memory.dmp	dcrat
behavioral14/files/0x0007000000024319-26.dat	dcrat
behavioral14/files/0x000a000000024316-119.dat	dcrat
behavioral14/files/0x0008000000024333-200.dat	dcrat
behavioral14/files/0x0009000000024338-211.dat	dcrat
behavioral14/files/0x0009000000024323-435.dat	dcrat
behavioral14/memory/6008-437-0x0000000000B90000-0x0000000000D32000-memory.dmp	dcrat
behavioral14/files/0x0017000000024356-453.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4432	powershell.exe
1016	powershell.exe
4772	powershell.exe
5496	powershell.exe
116	powershell.exe
228	powershell.exe
5288	powershell.exe
4720	powershell.exe
5540	powershell.exe
3320	powershell.exe
4440	powershell.exe
4304	powershell.exe
2868	powershell.exe
1096	powershell.exe
1932	powershell.exe
460	powershell.exe
2584	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Idle.exe

Executes dropped EXE 14 IoCs

pid	Process
6008	Idle.exe
2728	Idle.exe
4860	Idle.exe
4580	Idle.exe
5128	Idle.exe
3728	Idle.exe
880	Idle.exe
4848	Idle.exe
1432	Idle.exe
6068	Idle.exe
1988	Idle.exe
3752	Idle.exe
5488	Idle.exe
4496	Idle.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4640_429131714\c5b4cb5e9653cc	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCX93E8.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB16B.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Crashpad\attachments\29c1c3cc0f7685	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Crashpad\attachments\f3b6ecef712a24	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\backgroundTaskHost.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCX93E7.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\edge_BITS_4488_100422714\RuntimeBroker.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB0ED.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXB5F3.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Windows Mail\e6c9b481da804f	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXABE9.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\eddb19405b7ce1	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\edge_BITS_4664_660643336\fontdrvhost.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\edge_BITS_4640_429131714\services.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\edge_BITS_4664_660643336\fontdrvhost.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\edge_BITS_4488_100422714\RCX9F6B.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\edge_BITS_4488_100422714\RCX9FD9.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\edge_BITS_4640_429131714\RCXA460.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Crashpad\attachments\unsecapp.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\edge_BITS_4640_429131714\services.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Crashpad\attachments\spoolsv.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXB5F4.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\edge_BITS_4488_100422714\9e8d7a4ca61bd9	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Crashpad\attachments\spoolsv.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\edge_BITS_4664_660643336\RCX9AB4.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Crashpad\attachments\unsecapp.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\edge_BITS_4664_660643336\5b884080fd4f94	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\edge_BITS_4664_660643336\RCX9AC4.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXABE8.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\backgroundTaskHost.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\edge_BITS_4640_429131714\RCXA461.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\edge_BITS_4488_100422714\RuntimeBroker.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\RCXA966.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RCXB371.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\appcompat\encapsulation\spoolsv.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\Tasks\smss.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\Tasks\69ddcba757bf72	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\Tasks\RCXA967.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\Tasks\smss.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RCXB370.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\CbsTemp\6ccacd8608530f	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\appcompat\encapsulation\f3b6ecef712a24	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\CbsTemp\Idle.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\CbsTemp\Idle.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\appcompat\encapsulation\spoolsv.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\CbsTemp\RCXA1DE.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\CbsTemp\RCXA25C.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4580	schtasks.exe
856	schtasks.exe
3380	schtasks.exe
4476	schtasks.exe
4508	schtasks.exe
4684	schtasks.exe
4576	schtasks.exe
3088	schtasks.exe
4852	schtasks.exe
2456	schtasks.exe
3648	schtasks.exe
4820	schtasks.exe
2724	schtasks.exe
1432	schtasks.exe
4944	schtasks.exe
4876	schtasks.exe
4808	schtasks.exe
3652	schtasks.exe
5280	schtasks.exe
2204	schtasks.exe
4544	schtasks.exe
4388	schtasks.exe
4208	schtasks.exe
3024	schtasks.exe
2912	schtasks.exe
5596	schtasks.exe
2488	schtasks.exe
4360	schtasks.exe
4624	schtasks.exe
4688	schtasks.exe
4784	schtasks.exe
1004	schtasks.exe
560	schtasks.exe
4744	schtasks.exe
4700	schtasks.exe
2664	schtasks.exe
1964	schtasks.exe
1424	schtasks.exe
3100	schtasks.exe
4892	schtasks.exe
3000	schtasks.exe
4152	schtasks.exe
1120	schtasks.exe
2296	schtasks.exe
4568	schtasks.exe
5456	schtasks.exe
4904	schtasks.exe
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
116	powershell.exe
116	powershell.exe
1932	powershell.exe
1932	powershell.exe
3320	powershell.exe
3320	powershell.exe
4432	powershell.exe
4432	powershell.exe
1096	powershell.exe
1096	powershell.exe
4304	powershell.exe
4304	powershell.exe
5288	powershell.exe
5288	powershell.exe
4720	powershell.exe
4720	powershell.exe
228	powershell.exe
228	powershell.exe
5540	powershell.exe
5540	powershell.exe
2584	powershell.exe
2584	powershell.exe
4440	powershell.exe
4440	powershell.exe
4772	powershell.exe
4772	powershell.exe
5496	powershell.exe
5496	powershell.exe
1016	powershell.exe
1016	powershell.exe
2868	powershell.exe
2868	powershell.exe
460	powershell.exe
460	powershell.exe
460	powershell.exe
116	powershell.exe
116	powershell.exe
1932	powershell.exe
1932	powershell.exe
4432	powershell.exe
1096	powershell.exe
4304	powershell.exe
2584	powershell.exe
3320	powershell.exe
3320	powershell.exe
4720	powershell.exe
5288	powershell.exe
5288	powershell.exe
228	powershell.exe
4772	powershell.exe
4440	powershell.exe
5540	powershell.exe
1016	powershell.exe
5496	powershell.exe
2868	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	5288	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	5540	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	5496	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	6008	Idle.exe
Token: SeDebugPrivilege	2728	Idle.exe
Token: SeDebugPrivilege	4860	Idle.exe
Token: SeDebugPrivilege	4580	Idle.exe
Token: SeDebugPrivilege	5128	Idle.exe
Token: SeDebugPrivilege	3728	Idle.exe
Token: SeDebugPrivilege	880	Idle.exe
Token: SeDebugPrivilege	4848	Idle.exe
Token: SeDebugPrivilege	1432	Idle.exe
Token: SeDebugPrivilege	6068	Idle.exe
Token: SeDebugPrivilege	1988	Idle.exe
Token: SeDebugPrivilege	3752	Idle.exe
Token: SeDebugPrivilege	5488	Idle.exe
Token: SeDebugPrivilege	4496	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 5288	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	143
PID 4020 wrote to memory of 5288	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	143
PID 4020 wrote to memory of 1096	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	144
PID 4020 wrote to memory of 1096	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	144
PID 4020 wrote to memory of 1932	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	145
PID 4020 wrote to memory of 1932	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	145
PID 4020 wrote to memory of 4432	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	146
PID 4020 wrote to memory of 4432	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	146
PID 4020 wrote to memory of 4440	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	147
PID 4020 wrote to memory of 4440	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	147
PID 4020 wrote to memory of 4720	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	148
PID 4020 wrote to memory of 4720	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	148
PID 4020 wrote to memory of 460	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	149
PID 4020 wrote to memory of 460	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	149
PID 4020 wrote to memory of 4304	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	150
PID 4020 wrote to memory of 4304	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	150
PID 4020 wrote to memory of 1016	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	151
PID 4020 wrote to memory of 1016	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	151
PID 4020 wrote to memory of 4772	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	152
PID 4020 wrote to memory of 4772	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	152
PID 4020 wrote to memory of 5540	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	153
PID 4020 wrote to memory of 5540	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	153
PID 4020 wrote to memory of 2868	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	154
PID 4020 wrote to memory of 2868	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	154
PID 4020 wrote to memory of 3320	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	155
PID 4020 wrote to memory of 3320	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	155
PID 4020 wrote to memory of 5496	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	156
PID 4020 wrote to memory of 5496	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	156
PID 4020 wrote to memory of 116	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	157
PID 4020 wrote to memory of 116	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	157
PID 4020 wrote to memory of 2584	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	158
PID 4020 wrote to memory of 2584	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	158
PID 4020 wrote to memory of 228	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	159
PID 4020 wrote to memory of 228	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	159
PID 4020 wrote to memory of 2972	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	177
PID 4020 wrote to memory of 2972	4020	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	177
PID 2972 wrote to memory of 3624	2972	cmd.exe	179
PID 2972 wrote to memory of 3624	2972	cmd.exe	179
PID 2972 wrote to memory of 6008	2972	cmd.exe	180
PID 2972 wrote to memory of 6008	2972	cmd.exe	180
PID 6008 wrote to memory of 5364	6008	Idle.exe	181
PID 6008 wrote to memory of 5364	6008	Idle.exe	181
PID 6008 wrote to memory of 4844	6008	Idle.exe	182
PID 6008 wrote to memory of 4844	6008	Idle.exe	182
PID 5364 wrote to memory of 2728	5364	WScript.exe	184
PID 5364 wrote to memory of 2728	5364	WScript.exe	184
PID 2728 wrote to memory of 4112	2728	Idle.exe	186
PID 2728 wrote to memory of 4112	2728	Idle.exe	186
PID 2728 wrote to memory of 1700	2728	Idle.exe	187
PID 2728 wrote to memory of 1700	2728	Idle.exe	187
PID 4112 wrote to memory of 4860	4112	WScript.exe	195
PID 4112 wrote to memory of 4860	4112	WScript.exe	195
PID 4860 wrote to memory of 5928	4860	Idle.exe	196
PID 4860 wrote to memory of 5928	4860	Idle.exe	196
PID 4860 wrote to memory of 5968	4860	Idle.exe	197
PID 4860 wrote to memory of 5968	4860	Idle.exe	197
PID 5928 wrote to memory of 4580	5928	WScript.exe	198
PID 5928 wrote to memory of 4580	5928	WScript.exe	198
PID 4580 wrote to memory of 4656	4580	Idle.exe	199
PID 4580 wrote to memory of 4656	4580	Idle.exe	199
PID 4580 wrote to memory of 1876	4580	Idle.exe	200
PID 4580 wrote to memory of 1876	4580	Idle.exe	200
PID 4656 wrote to memory of 5128	4656	WScript.exe	201
PID 4656 wrote to memory of 5128	4656	WScript.exe	201

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
"C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4664_660643336\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4488_100422714\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4640_429131714\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\encapsulation\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bwgxNhVOs1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3624
- - C:\Windows\CbsTemp\Idle.exe
    "C:\Windows\CbsTemp\Idle.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6008
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fbcd628-b766-4ccc-bd25-1a0f5817a687.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5364
    - - C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30e58c4f-ab53-490d-bb21-99d6b1fcd784.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4e5a6e9-758c-4cf4-8f4d-dae3d8a51339.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5928
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16252403-2df4-4be1-860b-f5a4702a2444.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60006999-4499-4639-8369-e67bec4c1906.vbs"
        12⤵
        
        PID:2368
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64bd5401-28f3-46ec-8228-08f2bddf73c7.vbs"
        14⤵
        
        PID:3312
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aad48840-b07b-4dec-bea4-8cbbe9aca3ce.vbs"
        16⤵
        
        PID:4444
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aaf3823-65b7-4241-81ca-922cb8bd9106.vbs"
        18⤵
        
        PID:3168
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfdcb1d5-2992-488d-acc2-11b757dec6a8.vbs"
        20⤵
        
        PID:5368
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b24ad7a-4ee9-4219-8ab2-c6ca67db6341.vbs"
        22⤵
        
        PID:4584
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f3d5bd-30f2-4160-bb07-e55fea949292.vbs"
        24⤵
        
        PID:5540
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b419db12-55d1-4531-a9f3-79f154fd443a.vbs"
        26⤵
        
        PID:1180
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98f23c32-1232-4a62-bbb5-046be2c142f5.vbs"
        28⤵
        
        PID:3272
        
        C:\Windows\CbsTemp\Idle.exe
        
        C:\Windows\CbsTemp\Idle.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f274ffef-bb7f-41c5-ab07-05ea54309c37.vbs"
        30⤵
        
        PID:32
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc5bea5e-5356-445a-b47d-4678d082f158.vbs"
        30⤵
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36902cc4-a80a-4d1a-9e1d-ac7449352b76.vbs"
        28⤵
        
        PID:5316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278459fe-652b-4a2f-9376-75de016936e3.vbs"
        26⤵
        
        PID:5592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a22bb5f-30f1-4c26-a836-ffbc58d435b7.vbs"
        24⤵
        
        PID:5344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253d7174-b8c5-43ba-83ce-5f3af1f50677.vbs"
        22⤵
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a667119f-5cef-4403-889a-78b5c355abb6.vbs"
        20⤵
        
        PID:3132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7c25086-53f0-4841-9ed9-899a7d7ec3bd.vbs"
        18⤵
        
        PID:1400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21af45a6-f525-422a-b046-b3d285ad2c2a.vbs"
        16⤵
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a63b251a-99da-4057-856b-af9aea427039.vbs"
        14⤵
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17cec5c6-d515-4777-8b87-24a73c360a60.vbs"
        12⤵
        
        PID:4240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d35f1ecb-6f29-4aa7-abfd-af74396ebc61.vbs"
        10⤵
        
        PID:1876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88c7cbe0-444b-44b3-b020-13c8b4d15fef.vbs"
        8⤵
        
        PID:5968
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80ac35be-8484-478c-8636-2b74a3da4a0b.vbs"
        6⤵
        
        PID:1700
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66a2091-dbdd-4dba-9a6f-3aead7fd54f2.vbs"
      4⤵
      PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4664_660643336\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4664_660643336\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4664_660643336\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4488_100422714\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4488_100422714\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4488_100422714\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\CbsTemp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\CbsTemp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4640_429131714\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4640_429131714\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4640_429131714\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\attachments\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\encapsulation\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\encapsulation\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sppsvc.exe

Filesize
1.6MB

MD5
693a08409d064581e213318d7a0f9820

SHA1
61d126abcc38b2e25220979888d7767dea2fa37d

SHA256
e7e5d6e928cc540b5d9954cfef7e5f1103fb5f0f0fff8e406153b114907ef98c

SHA512
22a864e5dba4c431454fe71f586eb506ce7661476c86b5c362343ab98fc1e3a9e5c2d2c74ef21344d6fda4a85143e6dbdb5e54b9470ce2ba14c1e594db7b112e

Download Submit
C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe

Filesize
1.6MB

MD5
ab20c95f188a276bfa0c81c6707f4c35

SHA1
9fac4d1158d6c99d3d27fbb1af637a62dc4494f9

SHA256
f052c026254ae6fe28de680fdda0ea82843eaa9083ecf35c28048bb051abe589

SHA512
28f32fb8a45470b7b9dfab51f092aa01fa2b9be7f93d919075e692f03a390ed340600f6a5550f9bf3deb5e0b09cd165a295f223635faa106dc2be4f84e3a25a7

Download Submit
C:\Program Files\edge_BITS_4664_660643336\fontdrvhost.exe

Filesize
1.6MB

MD5
c87ae2c7c0c0a77294bdf61219b952f5

SHA1
009d29952e3cec0966402de8b8ffeb264c78a956

SHA256
85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f

SHA512
b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
30a3d26182cecee39c4d71c88abeb93d

SHA1
7473af4fdd97dbaa00630a70b003b89ee5dd2410

SHA256
e987e43bbf07dc1c39447f43824d44ee3834306441a3ab751949671ea7900fda

SHA512
59bae5495a22e5816b39f9a5e16e4352d68bbf402a8b1ca0e43afd3a8fe9c8e72908520b99d066ff23ccc68fb8cf064b07caaafd075fd970cc2d62d132f396c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2749a36c2b278075380f504683bd5cee

SHA1
b9a979f925fb1eca0e9ae2d1d534e405b50fc76c

SHA256
2b98324b3679bdfc3c56f4c73452bd66683bd453e1f49e1bdde9c5c3fcc9472e

SHA512
995068fe85262ab552fa273f0b8302bdbadf1e1bbf16b21f416977f33f5f6f1a66b07a5de464ff77cf8a3f078bf22023f6a9db32a520a127ed098c3c7c4f8ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
241a30ee59b4b06c007874e90fe80d6d

SHA1
5f1ba41ebc6984909a65725c2e686c6012bd32c6

SHA256
91b63fc7449595695b9e0ee26704ea721dc66d7da9e99b38c66962f6d93e65bb

SHA512
61f9ce6d433cc8efe06587ddcb4921a1bf6516fcd3c36ad79a2583acf1122202bf9565ccd5e8c28430b0fd09b1564b2a17b97f7a6c9e6ffe5a0ea76400fbaaf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a0a5a1b68ad6facd1636fe5f5e1c4359

SHA1
e4fee6d6a2476904d9ba14d9045341df3616ca4a

SHA256
7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a

SHA512
1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e912b11f067dfdc49fa5eec88bfb74dd

SHA1
9eb1e129867c685d0c6c3ca18e677a6da2eb3c0d

SHA256
16b497f7b55339f9dbed02d0c4a7eccd490335a253cf41ebb611e7867c35f4a5

SHA512
b2e3bdd21857af9d568b7a87c088f6ab07eac8366fbeaaa27c6bebed7e90eaa024214cfb29d1f1379ad806bb63c06b61bd7c9c4ea53636d78914ae47c09950d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
338ef9553dc690ee2c7901d5a2a84524

SHA1
567527fab3a6eb2f9b8e4e4d150d87a3c9791818

SHA256
19604e125bd0620bfdeb6fabb0914c8b10a657c3c4f6f82e3ad8a78126203a5c

SHA512
c0b976e90ff894b7867817057c5d91be26bfb862da2d666c2b8c442226ac3098b4c0f914a82b42605359767b13c7b96991bbc49c3ba94a79e4893fd9c240c67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
316c42ca95cd0ccbfd60996129f65adc

SHA1
e80bc56d3e28fc9081faae6a735d262fb0a8bbb1

SHA256
2cc6c0e6fc4690b21a7d1e699a487e22845a85933bab71638df535bb668e2d2f

SHA512
7be9772d74adec60087a0d18ef2a7ce837e7755f59077f311c4e52727184057774d279a508fb2407560f7a0b79f5c9a48fab8aff3f629bf2d967218816384242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c9a06205efb4ec6b1ca25ba605f9f6d

SHA1
53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

SHA256
4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

SHA512
e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eea647cd60240158e39a00f564408842

SHA1
a7952b76bfc207c901be4f71cbfbd1815623aa08

SHA256
363878a064423f637603628cc9a0d4d541944bd10fd1df6f68b7b3b322ca0c12

SHA512
773ec72f8eebfd21c4844da039f28e6ea2b5a8276f38a57b890f090d745c566844072e151168cc9b0af61ffb058af15c4230e36b524af1305750221d98312a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0aaf3823-65b7-4241-81ca-922cb8bd9106.vbs

Filesize
703B

MD5
2f8edac273972fa90bd416813bdff342

SHA1
7e058120cd3c7c1e5fffe98ffdb6071a48f5efa3

SHA256
3dddc931c90f5ff69aaa3e1920a19eceac2eff1d717ec133e206dae3c0db41a3

SHA512
eed05e023b59a50106898f5a2b1e80649c2a8155f1efd0531e1f385d0daa0f10c73612f5bb853a89bcb59168ee8f8e9215a75ebdcf8429b5770ec0752adbe883

Download Submit
C:\Users\Admin\AppData\Local\Temp\16252403-2df4-4be1-860b-f5a4702a2444.vbs

Filesize
703B

MD5
8aea0ec1d20ebf76bebd64ea55a354d6

SHA1
de6057db2e112bd75a64eebea34e79d4ee4a892c

SHA256
fb596fb0640c631bb144f872de4d4f43b3cabd1208a2c4e0827c20ca616262c0

SHA512
685c467d279972ed71cc429dd0e79c2e0218929e076424cb4748942523640442bc3f5b4f7cb5976c504e1c484f9704c3c510c83764b82064be8d286e32a55c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b24ad7a-4ee9-4219-8ab2-c6ca67db6341.vbs

Filesize
703B

MD5
ed609a8995830d696ea876d67fac675e

SHA1
f3384f3caee1038a867809ff49eff0bd9c504607

SHA256
8b31e10926a9cc346ce2ef5c969d6197b0cfa3281eb08dba5c8eaa981275935f

SHA512
3c8fb03bda484eb91e38cb241d2f86570ff5ff754f6433a80a300c1f4414078c979a45477323d6b19d20fcbabaf465894b3c4858f80a6d257bb5d70cf44e251d

Download Submit
C:\Users\Admin\AppData\Local\Temp\30e58c4f-ab53-490d-bb21-99d6b1fcd784.vbs

Filesize
703B

MD5
1b38cc36418b333051e320620e0f8ad6

SHA1
cd1b92044e2ffcbc7d3af75631d40e3a273152a8

SHA256
ca07fb373a9e861137599d8517bb0daa06ca4eb97f14511ffae53bcac86cde05

SHA512
9c3259268625e3ec223cf00ece19be1f417849c3e5f3772e24152eab426726590fc0d6418b419b8399991f3b93a9854e43749284255df1f62575e11215cb7fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fbcd628-b766-4ccc-bd25-1a0f5817a687.vbs

Filesize
703B

MD5
216b3b9bae49485fd4be0eabb9189749

SHA1
2df137967940943614b1bd14e51ff216b895038f

SHA256
4efc1c8479ec165f6e8b1e56fccb2f79dae098fe4aae397a3bc7bf4b767fcdfc

SHA512
953390bcde8e8cd4888ff6e38eef6eab41de5c2af94c20b14af705f668861f0876ce7b35a6a0f96a0e983306b72b7725de76e9aae88afa1bb7a8dee809b13c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\60006999-4499-4639-8369-e67bec4c1906.vbs

Filesize
703B

MD5
7252893030ef65bb4635f81d4e756683

SHA1
e033e1fc21d882cb53d888964305acdf481b13b9

SHA256
7c2f98e0d382908aa99064519829b60207ae72d3c323ccd4a4a6ae3afb607f55

SHA512
28854cfec242b0bb8e3a8bc5c8c7a7624fa709351b5ffb6b9acc9e248f314c1b3e4bb34a967b686b54d4bc6277d08e42bebe597a63f6bd92b3628c3ec1d7bfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\64bd5401-28f3-46ec-8228-08f2bddf73c7.vbs

Filesize
703B

MD5
3b70d15657a74837ee2a0a4e673d06e8

SHA1
fdc4498f76f5b8f0c5a35ff285522f69ef1f45d5

SHA256
0efed14254aecbdccea6512ff673f35bb7c8368083ed6b9bac25e9764a794473

SHA512
20a7a135c69d7d1c912c14d779b1ba007d7662730c43870dd3bf3f42ec46e745acb44282a44c1a217a609dd92addc0a0b4bed74c65066af9f207ed8759ee0017

Download Submit
C:\Users\Admin\AppData\Local\Temp\70637d2caef85698756d15591ba0b2984e772f68.exe

Filesize
1.6MB

MD5
b618967c89ff9c38097c2325833b21f3

SHA1
1008102d1f0c1fa36e26e8b39f2b7c217625e82a

SHA256
82114a2e2b01a9912f182f84f3acebcd137b30c36c427d3a9c2d903c32da282e

SHA512
5cb62a32716d1cbcc7e198104a6eebdb7546b7f7abe472ca9b8a71d7031ee4b5d1412b65e399649d13a54194a790d5e4c92aa0965a14b528dab816bbff537939

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3fpuo1bu.fwx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aad48840-b07b-4dec-bea4-8cbbe9aca3ce.vbs

Filesize
702B

MD5
43bded4d903fe90a9fbe169fe2014811

SHA1
a05abf62e56dbb62738911da8c37c0121cbd3bfb

SHA256
656adb6c8c09e84c77164c8f5d3f8755321691a88df20e7ec00c877d2aed50b3

SHA512
52373b23a99a0f2657cbe4f4c1b1096e2b9e298977f21acd5554aedbc71a52d1887ba9c589dda340a0f4e304cf620906547c345212798d10a8c623f9225c0f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4e5a6e9-758c-4cf4-8f4d-dae3d8a51339.vbs

Filesize
703B

MD5
3a400e2eca499cb0ca644614ed4ea5bd

SHA1
bebc26b7e955a46acdaea6982cb9ba8b2b31b43d

SHA256
7edbb5788d44d6fe767a5a4397cda61a4174e4c7d13e262a08383d3c47f23030

SHA512
59a9eedbc37c636115f31175d61d08ab8e82257f52bb6de7ee36e892164403f259f6c30cb48c27f2fd6a08ecc46b030b5fe9d40c772fc8c41a96a224e85284f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b66a2091-dbdd-4dba-9a6f-3aead7fd54f2.vbs

Filesize
479B

MD5
325b8e06f80a02188c78a0c74c82221b

SHA1
bd15c7456349270f73f4f7683bdb3a28a79e2f39

SHA256
6e13150969340ff6563c95a24692a7d0f21b60f314d0f5ef19d47228bfcfdfae

SHA512
04333a76c4db01ac9b54e27bed1b73d9926414bbbb745acc3313e06294cbe0617f8e9d981ba277189be11a7ad9adebfb79bb1079eb3d890652e4e9e7cdbc7c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwgxNhVOs1.bat

Filesize
192B

MD5
7d79f9e3c0828fac4152149d2a5db0bd

SHA1
bffd4745644bea029cc2bd407951952d81269a31

SHA256
8c766083c7ccb8f78a7dfb9f0caa2372fca1949b1140ca450f2c3aab27e89020

SHA512
aef5043efdc81266bc8b68f178e6bf16f739dce0c50c03e353ac88c9bdde6de46c66b65464708c20982786c6dd677b25ae69950678f8b1c495069aae155921d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5f3d5bd-30f2-4160-bb07-e55fea949292.vbs

Filesize
703B

MD5
cd30ade684f0925567bd517635980fef

SHA1
6bd20d7175a063ad0d1a8827dddf85d7a16edb93

SHA256
dc6932c1b5d3e944cf225a85a3000b324cce5dd17999d3810969b394628b8d0e

SHA512
19ea6c5bb20fa668cf80bd9838edec08a0b242f4d56acadcdfa81463f31a6dfedb8509cbd194fd7391fc145e5266fc43debc234561edde12cd3823de9979286c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfdcb1d5-2992-488d-acc2-11b757dec6a8.vbs

Filesize
703B

MD5
5db8d9374b34b27687ae61ccab498266

SHA1
d4c65a86ba513418f8545456ba2160af2010ea70

SHA256
2e84a3152ddd66b3d39cf71f56d169dfb3cc0025ba58b7c5ee532f88fcf2f0be

SHA512
b887b0dd127e6fa4e5ad4f354fd95b19f5a112e4e62523834be923b49bfbec3e0525ea2b1503fb99acab97ab1b5f1ed9f532208d2d202be90c207653ee542652

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\sppsvc.exe

Filesize
1.6MB

MD5
870260913e1b424a7c1071ec1e0a7ee8

SHA1
f49fb31b6cfff104e2e4d04249d1cc38dfbb858d

SHA256
dc46f9011bab34ea5ecd26358609641469fe3ace59c5687f313349c3a64a36d8

SHA512
279ac037dc65e75c8b2aaa9b85c81177920f87989dded15406fde225531b83089c90dfd7d8e075fac211c0af9c7eedad8433a6c46ff24dc6179e513f1d25b480

Download Submit
C:\Windows\CbsTemp\Idle.exe

Filesize
1.6MB

MD5
5c0765058197428a47d5de4363536f39

SHA1
482404f317c46760675e4f751ada3bab4b3ccdd0

SHA256
794b835372791fc7d462cb8f1046c86b18ca643194e729706eeb5fea5eac92a6

SHA512
7487cfcfa31c566b03eca7534bad99e671de0b456eb527c42a80656b3ff32685567d5f78c211ed0d578474336a135535b3a1a19b6c513ed344c18ec5c3965a87

Download Submit
memory/116-250-0x0000013897520000-0x0000013897542000-memory.dmp

Filesize
136KB

Download
memory/4020-12-0x000000001C410000-0x000000001C41A000-memory.dmp

Filesize
40KB

Download
memory/4020-9-0x00000000032F0000-0x00000000032F8000-memory.dmp

Filesize
32KB

Download
memory/4020-179-0x00007FF814FA3000-0x00007FF814FA5000-memory.dmp

Filesize
8KB

Download
memory/4020-14-0x000000001C430000-0x000000001C438000-memory.dmp

Filesize
32KB

Download
memory/4020-15-0x000000001C640000-0x000000001C648000-memory.dmp

Filesize
32KB

Download
memory/4020-16-0x000000001C650000-0x000000001C65A000-memory.dmp

Filesize
40KB

Download
memory/4020-0-0x00007FF814FA3000-0x00007FF814FA5000-memory.dmp

Filesize
8KB

Download
memory/4020-1-0x0000000000FC0000-0x0000000001162000-memory.dmp

Filesize
1.6MB

Download
memory/4020-17-0x000000001C660000-0x000000001C66C000-memory.dmp

Filesize
48KB

Download
memory/4020-11-0x000000001C400000-0x000000001C40C000-memory.dmp

Filesize
48KB

Download
memory/4020-197-0x00007FF814FA0000-0x00007FF815A61000-memory.dmp

Filesize
10.8MB

Download
memory/4020-13-0x000000001C420000-0x000000001C42E000-memory.dmp

Filesize
56KB

Download
memory/4020-243-0x00007FF814FA0000-0x00007FF815A61000-memory.dmp

Filesize
10.8MB

Download
memory/4020-10-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

Filesize
48KB

Download
memory/4020-8-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/4020-6-0x00000000032C0000-0x00000000032D6000-memory.dmp

Filesize
88KB

Download
memory/4020-7-0x00000000032A0000-0x00000000032A8000-memory.dmp

Filesize
32KB

Download
memory/4020-5-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/4020-4-0x000000001C440000-0x000000001C490000-memory.dmp

Filesize
320KB

Download
memory/4020-3-0x0000000001820000-0x000000000183C000-memory.dmp

Filesize
112KB

Download
memory/4020-2-0x00007FF814FA0000-0x00007FF815A61000-memory.dmp

Filesize
10.8MB

Download
memory/6008-437-0x0000000000B90000-0x0000000000D32000-memory.dmp

Filesize
1.6MB

Download