dcrat | aff3e08b50336ce6a1cfe39c45d32d918dc6f190662aef666addb193f44d47a8

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

770f4b8c61c658b7b4e9c1bb7d087196.exe
Size

5.9MB
MD5

770f4b8c61c658b7b4e9c1bb7d087196
SHA1

61e9578c90253544c2952ee7788b7516e820f0d3
SHA256

973e19cd948b9d0136c82da54c5b9d27e3f45bf5b77d24a15bc1481537ac0073
SHA512

54b49d42a270f9ff85f25276822cf5dc78a0413e167a3817890eb4cdea0521aff6c33ac0e64ecc9f3777117f26832da33a3d2d817dd81c56a996f6bcfe97a1b4
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4S:hyeU11Rvqmu8TWKnF6N/1w7

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5740	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5332	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5776	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5372	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5224	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5440	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5836	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5924	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	808	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5476	808	schtasks.exe	89

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4648	powershell.exe
2876	powershell.exe
1900	powershell.exe
4744	powershell.exe
4712	powershell.exe
4708	powershell.exe
4908	powershell.exe
1720	powershell.exe
4268	powershell.exe
4808	powershell.exe
4728	powershell.exe
4736	powershell.exe
4828	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	770f4b8c61c658b7b4e9c1bb7d087196.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	770f4b8c61c658b7b4e9c1bb7d087196.exe

Executes dropped EXE 3 IoCs

pid	Process
4384	OfficeClickToRun.exe
6084	OfficeClickToRun.exe
4112	OfficeClickToRun.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	770f4b8c61c658b7b4e9c1bb7d087196.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
4384	OfficeClickToRun.exe
4384	OfficeClickToRun.exe
6084	OfficeClickToRun.exe
6084	OfficeClickToRun.exe
4112	OfficeClickToRun.exe
4112	OfficeClickToRun.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\attachments\RCXBAC6.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXC4E0.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXB108.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Crashpad\attachments\dllhost.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXC4CF.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\taskhostw.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ea9f0e6c9e2dcd	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Crashpad\attachments\dllhost.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXB119.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Crashpad\attachments\5940a34987c991	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\55b276f4edf653	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCXAAAB.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCXAABC.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\taskhostw.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXBA77.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LiveKernelReports\RCXB32D.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXB33E.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Windows\Globalization\ICU\RCXC976.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Windows\Globalization\ICU\5940a34987c991	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Windows\LiveKernelReports\dllhost.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Windows\Globalization\ICU\RCXC8F8.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Windows\Globalization\ICU\dllhost.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Windows\LiveKernelReports\dllhost.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Windows\LiveKernelReports\5940a34987c991	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Windows\Globalization\ICU\dllhost.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	770f4b8c61c658b7b4e9c1bb7d087196.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe
5740	schtasks.exe
5036	schtasks.exe
552	schtasks.exe
5836	schtasks.exe
2488	schtasks.exe
2256	schtasks.exe
2496	schtasks.exe
1116	schtasks.exe
348	schtasks.exe
2712	schtasks.exe
4240	schtasks.exe
5332	schtasks.exe
4872	schtasks.exe
3244	schtasks.exe
5372	schtasks.exe
1940	schtasks.exe
5224	schtasks.exe
4668	schtasks.exe
408	schtasks.exe
3748	schtasks.exe
1300	schtasks.exe
2484	schtasks.exe
2492	schtasks.exe
228	schtasks.exe
1596	schtasks.exe
5776	schtasks.exe
6064	schtasks.exe
2664	schtasks.exe
2004	schtasks.exe
4420	schtasks.exe
1620	schtasks.exe
6088	schtasks.exe
1176	schtasks.exe
3780	schtasks.exe
3200	schtasks.exe
1420	schtasks.exe
1188	schtasks.exe
5924	schtasks.exe
4340	schtasks.exe
924	schtasks.exe
2156	schtasks.exe
4932	schtasks.exe
732	schtasks.exe
632	schtasks.exe
412	schtasks.exe
3984	schtasks.exe
2248	schtasks.exe
4896	schtasks.exe
2612	schtasks.exe
3644	schtasks.exe
5440	schtasks.exe
1336	schtasks.exe
5476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
2904	770f4b8c61c658b7b4e9c1bb7d087196.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4384	OfficeClickToRun.exe
Token: SeDebugPrivilege	6084	OfficeClickToRun.exe
Token: SeDebugPrivilege	4112	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 4708	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	150
PID 2904 wrote to memory of 4708	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	150
PID 2904 wrote to memory of 4712	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	151
PID 2904 wrote to memory of 4712	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	151
PID 2904 wrote to memory of 4828	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	152
PID 2904 wrote to memory of 4828	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	152
PID 2904 wrote to memory of 4744	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	153
PID 2904 wrote to memory of 4744	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	153
PID 2904 wrote to memory of 4736	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	154
PID 2904 wrote to memory of 4736	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	154
PID 2904 wrote to memory of 4728	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	156
PID 2904 wrote to memory of 4728	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	156
PID 2904 wrote to memory of 4808	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	157
PID 2904 wrote to memory of 4808	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	157
PID 2904 wrote to memory of 4268	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	158
PID 2904 wrote to memory of 4268	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	158
PID 2904 wrote to memory of 1720	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	159
PID 2904 wrote to memory of 1720	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	159
PID 2904 wrote to memory of 1900	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	160
PID 2904 wrote to memory of 1900	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	160
PID 2904 wrote to memory of 2876	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	161
PID 2904 wrote to memory of 2876	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	161
PID 2904 wrote to memory of 4648	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	162
PID 2904 wrote to memory of 4648	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	162
PID 2904 wrote to memory of 4908	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	163
PID 2904 wrote to memory of 4908	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	163
PID 2904 wrote to memory of 4384	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	176
PID 2904 wrote to memory of 4384	2904	770f4b8c61c658b7b4e9c1bb7d087196.exe	176
PID 4384 wrote to memory of 1776	4384	OfficeClickToRun.exe	177
PID 4384 wrote to memory of 1776	4384	OfficeClickToRun.exe	177
PID 4384 wrote to memory of 5744	4384	OfficeClickToRun.exe	178
PID 4384 wrote to memory of 5744	4384	OfficeClickToRun.exe	178
PID 1776 wrote to memory of 6084	1776	WScript.exe	188
PID 1776 wrote to memory of 6084	1776	WScript.exe	188
PID 6084 wrote to memory of 2492	6084	OfficeClickToRun.exe	189
PID 6084 wrote to memory of 2492	6084	OfficeClickToRun.exe	189
PID 6084 wrote to memory of 3192	6084	OfficeClickToRun.exe	190
PID 6084 wrote to memory of 3192	6084	OfficeClickToRun.exe	190
PID 2492 wrote to memory of 4112	2492	WScript.exe	192
PID 2492 wrote to memory of 4112	2492	WScript.exe	192
PID 4112 wrote to memory of 2704	4112	OfficeClickToRun.exe	193
PID 4112 wrote to memory of 2704	4112	OfficeClickToRun.exe	193
PID 4112 wrote to memory of 100	4112	OfficeClickToRun.exe	194
PID 4112 wrote to memory of 100	4112	OfficeClickToRun.exe	194

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\770f4b8c61c658b7b4e9c1bb7d087196.exe
"C:\Users\Admin\AppData\Local\Temp\770f4b8c61c658b7b4e9c1bb7d087196.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4d7dcf6448637544ea7e961be1ad/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4fc20efa2b2ad5aa4b35f8fcca90f7df/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe
  "C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4384
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ed11771-7a3e-42a3-8725-5bb6b1b33a98.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe
      C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:6084
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ec98893-7890-41ed-9244-3057a4ec0d21.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6050c9ae-d843-4298-b3b3-e5ead0c9f682.vbs"
        7⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\317d1ad7-55e9-49bb-9264-c4d9072cab33.vbs"
        7⤵
        
        PID:100
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0607837-9f79-4ef0-86b4-66fde5b834a0.vbs"
        5⤵
        
        PID:3192
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e4609d5-cfec-4205-8f02-6ed1fbbcb789.vbs"
    3⤵
    PID:5744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\attachments\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ICU\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\ICU\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe

Filesize
5.9MB

MD5
35f1254d81107197019543bb3157ff19

SHA1
627dae75866d9ba954f09f207578850b91b4f70b

SHA256
8ec60d66b6009a13cc740f31b45ff22e9d2076a6dcf9738c91e1c3d9b964fcd0

SHA512
d26e6b11c1776ab9c5527f559e614520b7fa744678d27eb01e1052ad71531f7f1de1b9b32e59f3a98fbbb3cb93c63495dcedcd405419813858dd4b0715111e79

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\OfficeClickToRun.exe

Filesize
5.9MB

MD5
97322a37d68a7274e7ffb0d2d7cf3fc0

SHA1
1ffaebe98c610decbbaa93eadc2bb2a81f748dea

SHA256
ceb79f0028284e61e4f627123c5e5915091332220e5b94b2b3584dbb7bcf9a68

SHA512
106794b6db3be6e7a032da8d44dc9aad5cce4660bebe6cd62813f3840ceaeb30d797a57342827a112ef2f912f7844643dddeb3644c67fe7ff86c15d43e9ad1d3

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RCXD03F.tmp

Filesize
5.9MB

MD5
6c0805e76493492c49fed329fc43b920

SHA1
a07b45d9ff2d810dab6005d7f3c3dbdfc43d144e

SHA256
972d5264ab49b7f400cc9f9d665f52a9a03045eddd729309492c834b0cd073da

SHA512
7ee43651ecb5cc04b4861ab6d2188dfa3445d0ce98f38898cc9b62ae33c21ba15615b331dc0967f69f0b399739b2c0756be461b913388d81eaa147b29c8e0d95

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\taskhostw.exe

Filesize
5.9MB

MD5
b333afa93b30b198618e1ede62c87022

SHA1
45a15114948dddfad320659c5604fccb4d6483a1

SHA256
4c1fbf814fa77ccf099e0a88b2811ec598d5a3588b546ceb8e9932bdc24e787b

SHA512
9ad7915fe2f99b6085cfd9da36df7b79efbf0559063a35256c3c3b92807b6c420fcc92337679ce512b138163fc041640a2b4eeed80d0096ec55493592e540b50

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe

Filesize
5.9MB

MD5
770f4b8c61c658b7b4e9c1bb7d087196

SHA1
61e9578c90253544c2952ee7788b7516e820f0d3

SHA256
973e19cd948b9d0136c82da54c5b9d27e3f45bf5b77d24a15bc1481537ac0073

SHA512
54b49d42a270f9ff85f25276822cf5dc78a0413e167a3817890eb4cdea0521aff6c33ac0e64ecc9f3777117f26832da33a3d2d817dd81c56a996f6bcfe97a1b4

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
5.9MB

MD5
8ac47b9455bb7135d406c00cfbde185c

SHA1
fbb75f5ea12a59113a3eea0833a62132511bf8bb

SHA256
2808e8260dc79688e154652a3e32dba3706a5a3a60a3ef7a96193f1da0ed07d9

SHA512
a59198030af656c5e189a558fefacb85e4f7bd6401f50cbffb0e7d51030c807c0cfd6d4adb8a9e281a977da702dd0add8f294b6d626a64362c6a1d991db757f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0bd4bd93f744979c2ff15fb339578468

SHA1
bdf6bca364e4263812b052c4fe23e7165a737367

SHA256
6ba3fbd61850a6bf89ae2a29e3fb64fd5b669132986e82faf91cd4d9cefe6026

SHA512
5f69263775513123d2e018ca15a67e86d09f205198e5959e758e33a7155f00b066599a64349a79ad5faad24bfa214ea3632adcf9da232e8e91fa1591f7eae19e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94256212310a547ba240e2aa86468177

SHA1
f52a751219868220e86405aba60f0504332444be

SHA256
4ff13717087ef748699f1fd75630e1ff8d92694f4d2079826c7229608639c50a

SHA512
22efada6acfff168e1d60d5fbd9ae9b504a7eb52ae30e4a5b571880e9c8a4ff4dff7fbf453d5c7281e13b5d7ab9b4269f040dc1d58e523edf6de9496b4a0dd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cf7e78780c3c681a7891274e66bc4e06

SHA1
963b2496dafba26054b05c8a09e6a931e478c85f

SHA256
83f195f2eed6f4490ecbaf3958baf11205351bde60173eb32ad77c1c3d27e780

SHA512
e5e8dca218472f47fc45356374438b3193a5b58156833036ed474133777af6d6d2a307479865df0dbda2eb229055e80d8695401da7ef5e009f84eccd20262708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc3171c3b52aa17359a2dd52f98ac905

SHA1
690d766c5fc3f21a91e27e4ba11513f135c640ee

SHA256
cdab093c32bd06c16808a03bef83de05f6a5ed68dc335fada9f925831215cf33

SHA512
5a069ce11527f5375ab5a8ef53602b39ce7e44a61a1e001662ec06836715c1bcdba34da441ec599648b761f1234e7231d160c4e0ccec92d9d003c3d31420d40c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
400965c5c8206c7b519873fb3aa3aebf

SHA1
0764aa4c62cc242ede7ec00e36539c20e17e5565

SHA256
e8a339e9d5f5699e83419d2fb336577a101a4cd31df7ddd8c71a88dec1593b04

SHA512
32b7c0f5745c3cbb291642e96ce907d0d71f986f0fb1f55f2c5f56dd76d9243d8ca936a7e81c0ef3962d5daf25d51bd93c5de77cdf9c3ed74101e3056e510369

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e4609d5-cfec-4205-8f02-6ed1fbbcb789.vbs

Filesize
508B

MD5
a8f586bf509927be3d06ec7d8ac034dc

SHA1
e2b3276d3de5a8a422dea901749a67c9f1e8a947

SHA256
8078ed00af1bd95a397cb1f2dc5b7d64a4601b7768217a48ef323f94083131f7

SHA512
a268715b92f94c9f9c69ece484a02740a2f3c71f6f7b1aec03b9337a6eb8cb425c285d3c665e23446b5568efa4c7b2c1bb99d39ff0804acd6e61f309e6348a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ed11771-7a3e-42a3-8725-5bb6b1b33a98.vbs

Filesize
732B

MD5
d12b4027e8f2b8f8df325127a2346f02

SHA1
a7a2b42611017f1387066988358449cea7d67eb2

SHA256
7fb7bab8a5d3766aeef1fca5ce501c2a7cee3b81afb260a57f9ac36105613643

SHA512
3c72ef3ab727cea94be249f21fc4289b3f33eaaf8ae3d1010817b3cce31cbd5d4b7ba10b0b1bf01970390e49fbef79124d617f6ee3d8894cd787d4c363c9a51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6050c9ae-d843-4298-b3b3-e5ead0c9f682.vbs

Filesize
732B

MD5
98ad2be0010420fbbe35fa61eb07c2e3

SHA1
f83b3940bc63f2027d7d43f85c6ce5e8b9f3cee8

SHA256
b059c0b019d6f3f4cae3c200a5075d47720f79d24f64a9583c87d1d81a07f3e6

SHA512
1e8355f4a49715c931e26b5eac10c7a0098c352488cc1e747d4c5f2964e83cd619b025d43b3e88410044aed9453d49ee62788b1df5e1d91825fe3aad7118881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ec98893-7890-41ed-9244-3057a4ec0d21.vbs

Filesize
732B

MD5
7530eb545170c0d8be3d1bba38554ad6

SHA1
a2cf40e097f28c1dfd255db107a9997eff625df2

SHA256
2141d5691f4f0674ea9b4c3c7befe07e5e1c7a75c717fa55c6eaeee456b3af77

SHA512
05793f9c54c18b82f8eebbf094ea2b4d195133d56d9e76c8c599e582cc4e3d82b469ce3bc96ffbe70e124df3f70338016bcbf4123e8021283de15b889b582041

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfet4uoc.5jf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Globalization\ICU\dllhost.exe

Filesize
5.9MB

MD5
903863d3ca8f1244fe5b3eb168b72093

SHA1
c6880c277d9453d8ad962391ac6276311ef83fc3

SHA256
9e1aa2250fe7d8951081884aa809ef0b09b202af543a7ed3cec0581b75ef92bd

SHA512
d5343afcb4176cafbb08515baaf5647b34b1ca0e9ee7bdea307993320c396485214e7b5497e7621817e317d64b297d86a1dde0c5a11cc7f84ec641c52a9ed467

Download Submit
memory/2904-39-0x000000001E180000-0x000000001E188000-memory.dmp

Filesize
32KB

Download
memory/2904-170-0x00007FFB969B0000-0x00007FFB96C79000-memory.dmp

Filesize
2.8MB

Download
memory/2904-22-0x000000001DE70000-0x000000001DE78000-memory.dmp

Filesize
32KB

Download
memory/2904-24-0x000000001DE80000-0x000000001DE92000-memory.dmp

Filesize
72KB

Download
memory/2904-25-0x000000001E3E0000-0x000000001E908000-memory.dmp

Filesize
5.2MB

Download
memory/2904-26-0x000000001DEB0000-0x000000001DEBC000-memory.dmp

Filesize
48KB

Download
memory/2904-27-0x000000001DEC0000-0x000000001DECC000-memory.dmp

Filesize
48KB

Download
memory/2904-29-0x000000001DEE0000-0x000000001DEEC000-memory.dmp

Filesize
48KB

Download
memory/2904-28-0x000000001DED0000-0x000000001DED8000-memory.dmp

Filesize
32KB

Download
memory/2904-30-0x000000001DEF0000-0x000000001DEFC000-memory.dmp

Filesize
48KB

Download
memory/2904-31-0x000000001E170000-0x000000001E178000-memory.dmp

Filesize
32KB

Download
memory/2904-32-0x000000001E000000-0x000000001E00C000-memory.dmp

Filesize
48KB

Download
memory/2904-35-0x000000001E130000-0x000000001E138000-memory.dmp

Filesize
32KB

Download
memory/2904-40-0x000000001E190000-0x000000001E19A000-memory.dmp

Filesize
40KB

Download
memory/2904-0-0x00007FFB969B0000-0x00007FFB96C79000-memory.dmp

Filesize
2.8MB

Download
memory/2904-41-0x000000001E1A0000-0x000000001E1AC000-memory.dmp

Filesize
48KB

Download
memory/2904-38-0x000000001E160000-0x000000001E16C000-memory.dmp

Filesize
48KB

Download
memory/2904-37-0x000000001E150000-0x000000001E158000-memory.dmp

Filesize
32KB

Download
memory/2904-36-0x000000001E140000-0x000000001E14E000-memory.dmp

Filesize
56KB

Download
memory/2904-34-0x000000001E020000-0x000000001E02E000-memory.dmp

Filesize
56KB

Download
memory/2904-33-0x000000001E010000-0x000000001E01A000-memory.dmp

Filesize
40KB

Download
memory/2904-20-0x000000001DE50000-0x000000001DE58000-memory.dmp

Filesize
32KB

Download
memory/2904-19-0x000000001DE40000-0x000000001DE4C000-memory.dmp

Filesize
48KB

Download
memory/2904-21-0x000000001DE60000-0x000000001DE6C000-memory.dmp

Filesize
48KB

Download
memory/2904-18-0x000000001DDF0000-0x000000001DE46000-memory.dmp

Filesize
344KB

Download
memory/2904-17-0x000000001DDE0000-0x000000001DDEA000-memory.dmp

Filesize
40KB

Download
memory/2904-208-0x00007FFB969B0000-0x00007FFB96C79000-memory.dmp

Filesize
2.8MB

Download
memory/2904-16-0x000000001DDD0000-0x000000001DDE0000-memory.dmp

Filesize
64KB

Download
memory/2904-15-0x000000001DDC0000-0x000000001DDC8000-memory.dmp

Filesize
32KB

Download
memory/2904-14-0x000000001DDB0000-0x000000001DDBC000-memory.dmp

Filesize
48KB

Download
memory/2904-1-0x0000000000EF0000-0x00000000017E8000-memory.dmp

Filesize
9.0MB

Download
memory/2904-13-0x000000001C390000-0x000000001C3A2000-memory.dmp

Filesize
72KB

Download
memory/2904-442-0x00007FFB969B0000-0x00007FFB96C79000-memory.dmp

Filesize
2.8MB

Download
memory/2904-2-0x0000000003930000-0x0000000003931000-memory.dmp

Filesize
4KB

Download
memory/2904-12-0x000000001C380000-0x000000001C388000-memory.dmp

Filesize
32KB

Download
memory/2904-11-0x000000001C360000-0x000000001C376000-memory.dmp

Filesize
88KB

Download
memory/2904-9-0x000000001C340000-0x000000001C348000-memory.dmp

Filesize
32KB

Download
memory/2904-10-0x000000001C350000-0x000000001C360000-memory.dmp

Filesize
64KB

Download
memory/2904-8-0x000000001DC60000-0x000000001DCB0000-memory.dmp

Filesize
320KB

Download
memory/2904-7-0x000000001C320000-0x000000001C33C000-memory.dmp

Filesize
112KB

Download
memory/2904-6-0x000000001C310000-0x000000001C318000-memory.dmp

Filesize
32KB

Download
memory/2904-3-0x00007FFB969B0000-0x00007FFB96C79000-memory.dmp

Filesize
2.8MB

Download
memory/2904-5-0x00000000039E0000-0x00000000039EE000-memory.dmp

Filesize
56KB

Download
memory/2904-4-0x00000000039D0000-0x00000000039DE000-memory.dmp

Filesize
56KB

Download
memory/4384-472-0x00000000036F0000-0x0000000003702000-memory.dmp

Filesize
72KB

Download
memory/4384-443-0x0000000000D40000-0x0000000001638000-memory.dmp

Filesize
9.0MB

Download
memory/4712-318-0x000002BA7CA80000-0x000002BA7CAA2000-memory.dmp

Filesize
136KB

Download
memory/6084-486-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download