dcrat | 545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
Size

1.6MB
MD5

c86673bf3955f4820c9d706e1724c4ac
SHA1

73a227f97cfe0ecd848e57cbf9d026b34ac9c6bf
SHA256

682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27
SHA512

9010711d04d87d92cdfed6f1dc56d022fc9d5529b45443dcf9ad3fc0040a3e1695784525d81f5617b78bb7472c4293a1cc9599b388d1c5c9dc23d6b8b191b0f9
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5328	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5564	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5684	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	5552	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	5552	schtasks.exe	87

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/6016-1-0x0000000000890000-0x0000000000A32000-memory.dmp	dcrat
behavioral12/files/0x000700000002430c-26.dat	dcrat
behavioral12/files/0x0008000000024333-63.dat	dcrat
behavioral12/files/0x000b000000024337-133.dat	dcrat
behavioral12/files/0x000a000000024313-154.dat	dcrat
behavioral12/files/0x000a000000024339-192.dat	dcrat
behavioral12/memory/2928-445-0x0000000000750000-0x00000000008F2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5652	powershell.exe
4584	powershell.exe
2436	powershell.exe
2028	powershell.exe
5796	powershell.exe
4732	powershell.exe
5112	powershell.exe
4280	powershell.exe
5860	powershell.exe
4000	powershell.exe
4960	powershell.exe
1692	powershell.exe
1112	powershell.exe
5744	powershell.exe
1264	powershell.exe
2964	powershell.exe
3888	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Executes dropped EXE 14 IoCs

pid	Process
2928	taskhostw.exe
4912	taskhostw.exe
4048	taskhostw.exe
3256	taskhostw.exe
4524	taskhostw.exe
448	taskhostw.exe
4840	taskhostw.exe
1276	taskhostw.exe
4940	taskhostw.exe
5928	taskhostw.exe
5500	taskhostw.exe
1584	taskhostw.exe
6024	taskhostw.exe
1260	taskhostw.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\sysmon.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files\edge_BITS_4400_1445670292\RCXBA90.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\ea1d8f6d871115	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXCA6D.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\sysmon.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXB617.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files\edge_BITS_4400_1445670292\RCXBA91.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXCADB.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCXD408.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCXD486.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files\edge_BITS_4400_1445670292\backgroundTaskHost.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files\edge_BITS_4400_1445670292\backgroundTaskHost.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files\edge_BITS_4400_1445670292\eddb19405b7ce1	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\121e5b5079f7c0	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXB666.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\RCXC857.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Downloaded Program Files\wininit.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXBCA5.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXBD13.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\Registration\CRMLog\56085415360792	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\Provisioning\Packages\StartMenuExperienceHost.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\Provisioning\Packages\55b276f4edf653	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Registration\CRMLog\wininit.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXC858.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\Downloaded Program Files\wininit.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Provisioning\Packages\StartMenuExperienceHost.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\Registration\CRMLog\wininit.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\Downloaded Program Files\56085415360792	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Provisioning\Packages\RCXC642.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Provisioning\Packages\RCXC643.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	taskhostw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4728	schtasks.exe
4712	schtasks.exe
1316	schtasks.exe
400	schtasks.exe
4804	schtasks.exe
4952	schtasks.exe
2516	schtasks.exe
4908	schtasks.exe
3832	schtasks.exe
5932	schtasks.exe
1084	schtasks.exe
3396	schtasks.exe
3848	schtasks.exe
4784	schtasks.exe
2460	schtasks.exe
3472	schtasks.exe
512	schtasks.exe
3976	schtasks.exe
4816	schtasks.exe
5056	schtasks.exe
4544	schtasks.exe
3432	schtasks.exe
4856	schtasks.exe
1032	schtasks.exe
5328	schtasks.exe
4156	schtasks.exe
4028	schtasks.exe
1500	schtasks.exe
4396	schtasks.exe
4416	schtasks.exe
4488	schtasks.exe
4800	schtasks.exe
3576	schtasks.exe
4432	schtasks.exe
4644	schtasks.exe
4504	schtasks.exe
2928	schtasks.exe
4920	schtasks.exe
1432	schtasks.exe
1096	schtasks.exe
4328	schtasks.exe
4676	schtasks.exe
4796	schtasks.exe
5564	schtasks.exe
5684	schtasks.exe
4692	schtasks.exe
5700	schtasks.exe
2296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
3888	powershell.exe
3888	powershell.exe
2436	powershell.exe
2436	powershell.exe
5796	powershell.exe
5796	powershell.exe
1112	powershell.exe
1112	powershell.exe
2964	powershell.exe
2964	powershell.exe
4584	powershell.exe
4584	powershell.exe
5112	powershell.exe
5112	powershell.exe
1264	powershell.exe
1264	powershell.exe
5652	powershell.exe
5652	powershell.exe
1692	powershell.exe
1692	powershell.exe
2028	powershell.exe
2028	powershell.exe
4280	powershell.exe
4280	powershell.exe
4960	powershell.exe
4960	powershell.exe
5860	powershell.exe
5860	powershell.exe
4732	powershell.exe
4732	powershell.exe
4000	powershell.exe
4000	powershell.exe
5744	powershell.exe
5744	powershell.exe
5744	powershell.exe
3888	powershell.exe
3888	powershell.exe
4584	powershell.exe
2028	powershell.exe
5796	powershell.exe
5796	powershell.exe
5860	powershell.exe
2436	powershell.exe
2436	powershell.exe
4960	powershell.exe
4280	powershell.exe
2964	powershell.exe
5112	powershell.exe
1264	powershell.exe
4732	powershell.exe
1112	powershell.exe
1112	powershell.exe
5652	powershell.exe
4000	powershell.exe
1692	powershell.exe
2928	taskhostw.exe
2928	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	5796	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	5860	powershell.exe
Token: SeDebugPrivilege	5652	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	5744	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	2928	taskhostw.exe
Token: SeDebugPrivilege	4912	taskhostw.exe
Token: SeDebugPrivilege	4048	taskhostw.exe
Token: SeDebugPrivilege	3256	taskhostw.exe
Token: SeDebugPrivilege	4524	taskhostw.exe
Token: SeDebugPrivilege	448	taskhostw.exe
Token: SeDebugPrivilege	4840	taskhostw.exe
Token: SeDebugPrivilege	1276	taskhostw.exe
Token: SeDebugPrivilege	4940	taskhostw.exe
Token: SeDebugPrivilege	5928	taskhostw.exe
Token: SeDebugPrivilege	5500	taskhostw.exe
Token: SeDebugPrivilege	1584	taskhostw.exe
Token: SeDebugPrivilege	6024	taskhostw.exe
Token: SeDebugPrivilege	1260	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6016 wrote to memory of 2436	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	141
PID 6016 wrote to memory of 2436	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	141
PID 6016 wrote to memory of 3888	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	142
PID 6016 wrote to memory of 3888	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	142
PID 6016 wrote to memory of 2964	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	143
PID 6016 wrote to memory of 2964	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	143
PID 6016 wrote to memory of 4280	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	144
PID 6016 wrote to memory of 4280	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	144
PID 6016 wrote to memory of 5112	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	145
PID 6016 wrote to memory of 5112	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	145
PID 6016 wrote to memory of 4584	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	146
PID 6016 wrote to memory of 4584	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	146
PID 6016 wrote to memory of 4732	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	148
PID 6016 wrote to memory of 4732	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	148
PID 6016 wrote to memory of 1264	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	149
PID 6016 wrote to memory of 1264	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	149
PID 6016 wrote to memory of 5796	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	151
PID 6016 wrote to memory of 5796	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	151
PID 6016 wrote to memory of 5652	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	153
PID 6016 wrote to memory of 5652	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	153
PID 6016 wrote to memory of 4960	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	155
PID 6016 wrote to memory of 4960	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	155
PID 6016 wrote to memory of 4000	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	156
PID 6016 wrote to memory of 4000	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	156
PID 6016 wrote to memory of 5744	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	157
PID 6016 wrote to memory of 5744	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	157
PID 6016 wrote to memory of 2028	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	158
PID 6016 wrote to memory of 2028	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	158
PID 6016 wrote to memory of 1112	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	160
PID 6016 wrote to memory of 1112	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	160
PID 6016 wrote to memory of 5860	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	162
PID 6016 wrote to memory of 5860	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	162
PID 6016 wrote to memory of 1692	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	163
PID 6016 wrote to memory of 1692	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	163
PID 6016 wrote to memory of 2928	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	175
PID 6016 wrote to memory of 2928	6016	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	175
PID 2928 wrote to memory of 4864	2928	taskhostw.exe	177
PID 2928 wrote to memory of 4864	2928	taskhostw.exe	177
PID 2928 wrote to memory of 2136	2928	taskhostw.exe	178
PID 2928 wrote to memory of 2136	2928	taskhostw.exe	178
PID 4864 wrote to memory of 4912	4864	WScript.exe	179
PID 4864 wrote to memory of 4912	4864	WScript.exe	179
PID 4912 wrote to memory of 5460	4912	taskhostw.exe	180
PID 4912 wrote to memory of 5460	4912	taskhostw.exe	180
PID 4912 wrote to memory of 3872	4912	taskhostw.exe	181
PID 4912 wrote to memory of 3872	4912	taskhostw.exe	181
PID 5460 wrote to memory of 4048	5460	WScript.exe	183
PID 5460 wrote to memory of 4048	5460	WScript.exe	183
PID 4048 wrote to memory of 2444	4048	taskhostw.exe	185
PID 4048 wrote to memory of 2444	4048	taskhostw.exe	185
PID 4048 wrote to memory of 548	4048	taskhostw.exe	186
PID 4048 wrote to memory of 548	4048	taskhostw.exe	186
PID 2444 wrote to memory of 3256	2444	WScript.exe	189
PID 2444 wrote to memory of 3256	2444	WScript.exe	189
PID 3256 wrote to memory of 4748	3256	taskhostw.exe	190
PID 3256 wrote to memory of 4748	3256	taskhostw.exe	190
PID 3256 wrote to memory of 4660	3256	taskhostw.exe	191
PID 3256 wrote to memory of 4660	3256	taskhostw.exe	191
PID 4748 wrote to memory of 4524	4748	WScript.exe	192
PID 4748 wrote to memory of 4524	4748	WScript.exe	192
PID 4524 wrote to memory of 1372	4524	taskhostw.exe	193
PID 4524 wrote to memory of 1372	4524	taskhostw.exe	193
PID 4524 wrote to memory of 4428	4524	taskhostw.exe	194
PID 4524 wrote to memory of 4428	4524	taskhostw.exe	194

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
"C:\Users\Admin\AppData\Local\Temp\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4400_1445670292\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\f170d29a37c9c9775251\taskhostw.exe
  "C:\f170d29a37c9c9775251\taskhostw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\008a6d76-4f2a-4a0d-80a2-c31d739fdca8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\f170d29a37c9c9775251\taskhostw.exe
      C:\f170d29a37c9c9775251\taskhostw.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba34fa96-cd7c-425c-af9a-7ee1d696f5e2.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5460
      - C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4df3be7e-b02f-4300-9903-88dfd27c59b0.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ec408d4-c260-4041-8cdd-81c898b12352.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f8fd632-24a4-4444-bc72-72290290d784.vbs"
        11⤵
        
        PID:1372
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed0b30ef-fdfb-4503-9ed0-f83370fe89fa.vbs"
        13⤵
        
        PID:3944
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ca517a9-2f83-49df-9779-cef1ca26dbba.vbs"
        15⤵
        
        PID:5788
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f7fc9bd-8d8c-42c9-8e8e-4fffd8377d7c.vbs"
        17⤵
        
        PID:1104
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c047d3d-e688-4fe7-83ea-8df702268eaf.vbs"
        19⤵
        
        PID:4680
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aef904ab-5c3d-40dc-bd5f-957bf84c5680.vbs"
        21⤵
        
        PID:3140
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ebc1c44-9698-4029-88ca-28c4fc8b897e.vbs"
        23⤵
        
        PID:1200
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\891f42a9-e510-4c7d-9acd-33c8dea653a8.vbs"
        25⤵
        
        PID:1372
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abb95d58-884f-4d4e-a761-390d0925d1ee.vbs"
        27⤵
        
        PID:3972
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        
        C:\f170d29a37c9c9775251\taskhostw.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9712c820-eb59-4fa6-9083-75541eb89b96.vbs"
        29⤵
        
        PID:6136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e12030-ed67-49f6-8cd6-16a1be1b528c.vbs"
        29⤵
        
        PID:5960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5f80da7-1a25-456f-80d2-be14df3b798a.vbs"
        27⤵
        
        PID:5300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b29cd30b-9620-4323-bba7-7fb88c39a64a.vbs"
        25⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bed20e7-fb52-4a87-8436-823329ffa6da.vbs"
        23⤵
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4f7b6c1-b06b-4097-a486-0cc2a0674917.vbs"
        21⤵
        
        PID:5868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68e30a55-172e-4215-87a3-f400e3830eda.vbs"
        19⤵
        
        PID:3320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99885706-833c-4675-b2c8-dc40045f9fd5.vbs"
        17⤵
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9bd8a32-0589-4d82-9b5a-f6dd6a39b0e1.vbs"
        15⤵
        
        PID:3912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d7c0c46-d019-4c78-8a6b-0e30b94e693d.vbs"
        13⤵
        
        PID:3672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f387919-44fe-4a6c-b988-659554fe76b8.vbs"
        11⤵
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b765174a-6751-41a9-9044-c2a386e84504.vbs"
        9⤵
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53804006-06a5-418a-a130-02655a513809.vbs"
        7⤵
        
        PID:548
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15f50246-1934-4325-9d37-1b4dc4ede9ae.vbs"
        5⤵
        
        PID:3872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebca5530-77db-4ca0-87a0-a7bd6448445f.vbs"
    3⤵
    PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\f170d29a37c9c9775251\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\7330c8a20692d0b35002ea5a\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4400_1445670292\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4400_1445670292\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4400_1445670292\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\f170d29a37c9c9775251\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\Packages\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Packages\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\7330c8a20692d0b35002ea5a\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\7330c8a20692d0b35002ea5a\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\f170d29a37c9c9775251\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\f170d29a37c9c9775251\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\f170d29a37c9c9775251\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\f170d29a37c9c9775251\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe

Filesize
1.6MB

MD5
f579e01f4f38bfa7261a5b6cf1e24199

SHA1
1ca99514cb1d3ae496b7019c8d4ade8aaa9a1c5b

SHA256
3da5ebd94bf1031e2333f869d22a2c3cb8aee510487b618ceaba4b1a3bc78c7a

SHA512
ebbe77257762fdac8391b727d07ac852b577be1dbd34532931c0cdcf44dc13d4b5a1fac4ff19db9d150e3fcf9e8f45348fecf049ef79a7b9cdb42d169129fc36

Download Submit
C:\Program Files\edge_BITS_4400_1445670292\backgroundTaskHost.exe

Filesize
1.6MB

MD5
c86673bf3955f4820c9d706e1724c4ac

SHA1
73a227f97cfe0ecd848e57cbf9d026b34ac9c6bf

SHA256
682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27

SHA512
9010711d04d87d92cdfed6f1dc56d022fc9d5529b45443dcf9ad3fc0040a3e1695784525d81f5617b78bb7472c4293a1cc9599b388d1c5c9dc23d6b8b191b0f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eacd6f21bd79c66ba1cac51b32c2b6ee

SHA1
bb7cb9c7f52a7684be8d6f542ff0ac82efe7ca90

SHA256
cbcee0ee9ea9cc8a4890866756ce5156648ea08b753b7e63862115976a33a08d

SHA512
2de49f28a9c78cce7b963e347048202595359958816a1f9b54cc6b1dde93b92f8bfa6e9c234712f624cc8d34b5178e69206e7c3758497f7530708cf4729f5c97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
79a11bc629c54beffe541507473ca6c5

SHA1
7d1d78c10bfdb5e338ae4831f32a571a1362e3f6

SHA256
b75463c0765737425c2000412d88de89e64c69594cdbf48914b7973b32d4d919

SHA512
dcdf2dcfd3063a72096e3486bdd11b6a76a126320e3fc859543cac30e4d628b6bb873367d9c537657494d84ed3531cff355373a51af1ccda0c9be7b23356770a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57a97b6c8c4cecbbaca70e7453397c5e

SHA1
89aaaa12386a9b191b7570c942b6c302bce1b218

SHA256
61104d386ede610e31af0f4532e78f309a907a100b7de7f6bd362ba758b1372f

SHA512
0b475f771633930a90ccc9fcf3b823f7ba0aa8d1c1c984eed37d8844f01988740f1974c3536a690e033b7861018e1e25a46d8ef86abd5fa24db02e1f6a07ffa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1b2770b6e93963548483b9857a191b12

SHA1
da1f36e92f6f116ea4d6300b279be899ed6413a8

SHA256
4c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b

SHA512
6fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
625c689ea160aa0287791e224e6dddf0

SHA1
daa4f06fbce11392bd6b7d137b938763683c8d55

SHA256
ff05cb1ccb64347598efa189167c7bfd407def795d0124e444f0d31e3ef98e27

SHA512
fe2df4b8a8ad16653f2ec87e9229fc27bfb596c50e490e1d0f71da7f8b535aad08ccb709d691f4f0e8f8e4759e322728ccf8fa179300fb5d74995e0d0ac6a6a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7938c861057b14c21d9552c21672c7b3

SHA1
0c2f61f4baa89252436464dc22329d9b08b8a169

SHA256
ba5961737f6f02662b47844665664e24ef4db06111f3eb01b48cde8bcaeedcc0

SHA512
82fb507b135571dd799f665f0ee4e9ff82a355d1e06ed585f266ae04d1555bbe43838123667e4ee07536a98d785d33cc62cb68ccc9b0170a45bfd4357558a6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\008a6d76-4f2a-4a0d-80a2-c31d739fdca8.vbs

Filesize
713B

MD5
28a15724f1d1e10e63865695267c714a

SHA1
1435df1a54b4822198c569c26520ee607c08a13b

SHA256
964cf78e43054fbd7cbcded4cc5c48109ee3164c18b87d1b816c44a5f3f26551

SHA512
00691c358d4ef570465e55f9429eb48c1e2cfa84badcb3f0227f3e4e3461905e1560417b4616dd8c46a7193a74fd156d796b903dd033bde09c2275d84ddd7a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ca517a9-2f83-49df-9779-cef1ca26dbba.vbs

Filesize
713B

MD5
0ceef3135ea9bc564e9ff0b708eeaf08

SHA1
b5c6819123e2d865b405a545a3399bcb88c9c91b

SHA256
4de9697ed6fa7f0996e79238782da6e5d0670b360d4f5eb20a4afa2b7879224f

SHA512
96266ea68978b604e109cd6bd583af4e28f91cb47eee232c742c90a14c499663ffe1cb5aa001f4ac8f4a78972630238727c25cd3221080c3f911e4aa307c43ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec408d4-c260-4041-8cdd-81c898b12352.vbs

Filesize
713B

MD5
53a453990fb44bdbb276ce741be82b8b

SHA1
a156d5134a3fb5e24f0d255e657f6249426535b0

SHA256
8944368edd7af63350898b4fad153bd5e354caa6025f8e9f10f612544275f205

SHA512
ae629a22cdbaaf34deb8ed1a1ca0d96346cbfc159ab80521b53db89bae1c147957cb18e88e34a3d8a9d14e11a011269abcbea8384ec93d2a1105aebc349a224d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4df3be7e-b02f-4300-9903-88dfd27c59b0.vbs

Filesize
713B

MD5
1a3b2951ce0be847d7b617199ff3ddc5

SHA1
464722fe83990ed14aabd9733427fda8376a8c29

SHA256
83b3584a190689d75a09f0507659fce18ff75d49ec063eff63aea9e35de90013

SHA512
cee305976d812d2018294e613f13e79a02c19517ef9f8c6abd148e61c804554c2e822487e77fad6cb7c3bf40176dfd5bdaa1a097844a58d6a0392babfc47914c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f7fc9bd-8d8c-42c9-8e8e-4fffd8377d7c.vbs

Filesize
713B

MD5
30145d5ca8fbaf1b65895e93b0abef2f

SHA1
951785c7736e2014668c6039a606080355937613

SHA256
3ba699b6115115a866e4610a44d7bb836d355eb1bf374ee810d272a3f19d0048

SHA512
535ef0a455284dfddda20ad7c9d439812635d12e226d35cd5b1649c005c5c14a6f6a17bb70d44e9f8e1b1caf3b1f4a52c767adaab870aa1ad57badd45ef1ea61

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f8fd632-24a4-4444-bc72-72290290d784.vbs

Filesize
713B

MD5
ba5329bafe9c990cfbf5a80aa86aa704

SHA1
9aece19c936ea997cbf9325bf3ad7800f8995e4a

SHA256
1a5dc460c9da1f780d863302ec93c2ec065df6fa204fbf08eabeb16741674ce3

SHA512
d70d030351cadb8d5642b82089617611b7c6efe9ce5bbd182e8812c5bc5e4caadc117b4e3594ca84d73cfa12c40d9f851520b841fa0ff5bbb9e8e0e0994e1a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c047d3d-e688-4fe7-83ea-8df702268eaf.vbs

Filesize
713B

MD5
bc449508b40bdda947aa297658a2bda6

SHA1
020f19d2873bd8eac47e8e8cc3f8ab34d3ce7168

SHA256
94a121b793fc7e031d20241bcf2100442f5afdf33193aa60bfb96988e488a023

SHA512
5e18b44b023a1ff43b6ad7d365c24916ee4c3aca3d3ca27ce54e75ba12ffee57ad4398cb94de07519920a3ce44e8b2e7c56067a662a92a3ab1c1b86d7cad608b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ebc1c44-9698-4029-88ca-28c4fc8b897e.vbs

Filesize
713B

MD5
922483deb411eae6ca94dbb10b2a71e5

SHA1
14e02f614bfd789019d0b0c3a1fb66fbc87bfaba

SHA256
b66047c6049bb08bcaf5d3777db5f468c3d0ef6f77b1c250b4c37463a739ae7f

SHA512
bde7642b440bc2b690ee9f0c14e54588dc6a8a86389ad0e74ed4e3ceacb92768b45a97b88b20eac3d99784960f61e93152bb28570f4fbeed80f904f400e2bb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ldzqeaaj.pwg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aef904ab-5c3d-40dc-bd5f-957bf84c5680.vbs

Filesize
713B

MD5
6e964bd32aa9cfecf42748461018deed

SHA1
e83210af12f919785d8eec0063439cfd1aa7c77b

SHA256
d922228c0c9fa3a8ce2d4fe27dccabf668b3d1f53803f505515f65d6a8541cc2

SHA512
719443c35777b7437458635570b2c6e2bc615cee6a2a235f76430085c5848bf5036d76f370fdb942ceed6e27066e226f23059936e629a7419eb65b7de5d569ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba34fa96-cd7c-425c-af9a-7ee1d696f5e2.vbs

Filesize
713B

MD5
34369d2336b4ee649465bc9dcc2a944a

SHA1
4e96e9cf2761b2c9f17fa17c67bf536b405978d2

SHA256
aec98606cb3bb8b205287408fcf8181e0abb695fae6e70a4caffa85abba0fa05

SHA512
3a26fa1c12d2fdf6ed208211f6acf8633adc1274d50357ea7682934b625a875df246868184851ae62c16be25e29c0ab94643289c04b957390b2e3c08cb607cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebca5530-77db-4ca0-87a0-a7bd6448445f.vbs

Filesize
489B

MD5
f27eb8bef78b242be00d99ca84277c20

SHA1
ccdc8ce14ae65f19336a2acbad7e6c3d389996bd

SHA256
37efc9eca7c949f97f2b82b1a9be4b70ea381b26fe1c275ce3fa89da111116a4

SHA512
b8ab2a5d412007956622b7ba66709383e1783ab74710ec297645bc8e7a2e4296b529dcd53dd0cd281f314cb87da59c902717ceee6951bcc2a1b13b9bbb1a8213

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed0b30ef-fdfb-4503-9ed0-f83370fe89fa.vbs

Filesize
712B

MD5
fd2b027e05b127dd73c08b811b7a9061

SHA1
6b9a5cd2bf38bfed4064b48aff7058f959339861

SHA256
8d523d6fc89c6a814c78a80acbf792ee7c330a171353b38c97733e6a03e99e37

SHA512
f7f31490f6e6342e6c8f35b579d34466f18651f310bebd6cae01e0e0ab0f3ebf06ae3b0701ae3b2eeb7dc5c432a19836d86c05fcf419d8871ad7228c9ca55688

Download Submit
C:\Users\Default\SearchApp.exe

Filesize
1.6MB

MD5
bb766bbe2090207d49ee05442d252eef

SHA1
557a6eabbdc9d66f87be18c09464623c86ec5758

SHA256
c0622e3f7e408736fc14a95a75f4700b480f2b57cd626aca9d386c248cf54fa3

SHA512
93296b479ec48db63090a28368861fa1f679f260a28eecb24dbe6fa2913b8ecb3ed2d7d3c885d82df99ebb37b45f9927c2c4270add0d36bc748ccdefb2cc286b

Download Submit
C:\Users\Default\Videos\sppsvc.exe

Filesize
1.6MB

MD5
ecaa8dd2497be6e966c0cb15b254015c

SHA1
3ed19c565d7daf4e8c9424de012a8f2138589af3

SHA256
24d15cf8931c39d7141ae6c68e2cfc57c7117ff3f6c8cdb6bebe2a985b674a48

SHA512
9204b1cb16857a61f4afbe6e2db8e714a9cf485b3e5dc7b602bc7c2d05a7d1cec384cbdfc03ac45c10bb081326ac4398e62f6c888de6ff1b8aa8e6a5b3a833f9

Download Submit
C:\f170d29a37c9c9775251\taskhostw.exe

Filesize
1.6MB

MD5
77528e4ca615532b293835cbff47b9eb

SHA1
c6d9109cdb72148a6b247315640094182d29555f

SHA256
208ed8c797445671a36f7ea9a9edf02eda68b5dd2b0d082d6b920d122a0a6ccd

SHA512
4a4c0717c3c2cd2044a04849c5d69d85b0001719a387b02fc0590c90ee118fafa970ed9d41673564b69747dc561fa61d6b7f2d28e33354d787188e7078850ede

Download Submit
memory/2928-445-0x0000000000750000-0x00000000008F2000-memory.dmp

Filesize
1.6MB

Download
memory/3888-285-0x000002435E990000-0x000002435E9B2000-memory.dmp

Filesize
136KB

Download
memory/6016-16-0x000000001C020000-0x000000001C02A000-memory.dmp

Filesize
40KB

Download
memory/6016-446-0x00007FFF3AB40000-0x00007FFF3B601000-memory.dmp

Filesize
10.8MB

Download
memory/6016-206-0x00007FFF3AB40000-0x00007FFF3B601000-memory.dmp

Filesize
10.8MB

Download
memory/6016-189-0x00007FFF3AB43000-0x00007FFF3AB45000-memory.dmp

Filesize
8KB

Download
memory/6016-12-0x000000001BCE0000-0x000000001BCEA000-memory.dmp

Filesize
40KB

Download
memory/6016-13-0x000000001BCF0000-0x000000001BCFE000-memory.dmp

Filesize
56KB

Download
memory/6016-14-0x000000001BD00000-0x000000001BD08000-memory.dmp

Filesize
32KB

Download
memory/6016-17-0x000000001BF20000-0x000000001BF2C000-memory.dmp

Filesize
48KB

Download
memory/6016-15-0x000000001BD10000-0x000000001BD18000-memory.dmp

Filesize
32KB

Download
memory/6016-0-0x00007FFF3AB43000-0x00007FFF3AB45000-memory.dmp

Filesize
8KB

Download
memory/6016-11-0x000000001BCD0000-0x000000001BCDC000-memory.dmp

Filesize
48KB

Download
memory/6016-10-0x000000001B690000-0x000000001B69C000-memory.dmp

Filesize
48KB

Download
memory/6016-9-0x000000001B680000-0x000000001B688000-memory.dmp

Filesize
32KB

Download
memory/6016-7-0x0000000002C30000-0x0000000002C38000-memory.dmp

Filesize
32KB

Download
memory/6016-8-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

Filesize
64KB

Download
memory/6016-6-0x000000001B660000-0x000000001B676000-memory.dmp

Filesize
88KB

Download
memory/6016-5-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/6016-4-0x000000001BD20000-0x000000001BD70000-memory.dmp

Filesize
320KB

Download
memory/6016-3-0x0000000002C10000-0x0000000002C2C000-memory.dmp

Filesize
112KB

Download
memory/6016-2-0x00007FFF3AB40000-0x00007FFF3B601000-memory.dmp

Filesize
10.8MB

Download
memory/6016-1-0x0000000000890000-0x0000000000A32000-memory.dmp

Filesize
1.6MB

Download