dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
55s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Size

1.6MB
MD5

517861702fe0a89aa5e3af35d9f96661
SHA1

50101d8bff153320694baf54bc7b68e585720d4d
SHA256

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
SHA512

da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5452	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5356	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5188	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6116	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5408	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	3188	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3188	schtasks.exe	87

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/1456-1-0x00000000002B0000-0x0000000000452000-memory.dmp	dcrat
behavioral12/files/0x0007000000024310-26.dat	dcrat
behavioral12/files/0x000f000000024136-101.dat	dcrat
behavioral12/files/0x0016000000024138-158.dat	dcrat
behavioral12/files/0x000b00000002433a-195.dat	dcrat
behavioral12/files/0x0009000000024328-206.dat	dcrat
behavioral12/files/0x0009000000024330-232.dat	dcrat
behavioral12/files/0x0009000000024334-243.dat	dcrat
behavioral12/memory/5908-469-0x0000000000950000-0x0000000000AF2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5076	powershell.exe
1888	powershell.exe
6000	powershell.exe
2440	powershell.exe
1380	powershell.exe
4344	powershell.exe
2492	powershell.exe
4564	powershell.exe
1104	powershell.exe
3856	powershell.exe
2840	powershell.exe
228	powershell.exe
3720	powershell.exe
2900	powershell.exe
1200	powershell.exe
4192	powershell.exe
1984	powershell.exe
1804	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 5 IoCs

pid	Process
5908	sppsvc.exe
2160	sppsvc.exe
1676	sppsvc.exe
3552	sppsvc.exe
3988	sppsvc.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\5940a34987c991	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\66fc9ff0ee96c2	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\edge_BITS_4732_595216890\SearchApp.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\edge_BITS_4732_595216890\38384e6a620884	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\eddb19405b7ce1	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\RCXA42E.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Security\RCX9956.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\SearchApp.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\edge_BITS_4588_921617627\RCXA8A7.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Security\RCX9966.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCXA022.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXACB1.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Security\dllhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\backgroundTaskHost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\edge_BITS_4588_921617627\886983d96e3d3e	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX9B8A.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX9B9B.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\wininit.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\RCXA634.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\edge_BITS_4588_921617627\RCXA839.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Mozilla Firefox\browser\wininit.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\edge_BITS_4588_921617627\csrss.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Security\dllhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\RCXA633.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\edge_BITS_4588_921617627\csrss.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXACB2.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Mozilla Firefox\browser\56085415360792	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCXA023.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\RCXA42D.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\eddb19405b7ce1	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\backgroundTaskHost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\eddb19405b7ce1	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Cursors\RCX9DAF.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Cursors\RCXAEB7.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\SchCache\RCX9751.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Cursors\RCX9E1E.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\SchCache\backgroundTaskHost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\Cursors\0a1fd5f707cd16	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\SchCache\RCX9741.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Cursors\sppsvc.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\Cursors\backgroundTaskHost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\Cursors\eddb19405b7ce1	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\Cursors\sppsvc.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Cursors\backgroundTaskHost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Cursors\RCXAF25.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\SchCache\backgroundTaskHost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4584	schtasks.exe
3744	schtasks.exe
1712	schtasks.exe
624	schtasks.exe
3788	schtasks.exe
412	schtasks.exe
1532	schtasks.exe
4496	schtasks.exe
2300	schtasks.exe
4804	schtasks.exe
4656	schtasks.exe
4736	schtasks.exe
512	schtasks.exe
836	schtasks.exe
2284	schtasks.exe
4072	schtasks.exe
2004	schtasks.exe
5408	schtasks.exe
4892	schtasks.exe
4680	schtasks.exe
4484	schtasks.exe
5356	schtasks.exe
4944	schtasks.exe
2916	schtasks.exe
2796	schtasks.exe
4012	schtasks.exe
3572	schtasks.exe
4776	schtasks.exe
4672	schtasks.exe
4692	schtasks.exe
4864	schtasks.exe
2112	schtasks.exe
3396	schtasks.exe
1208	schtasks.exe
4832	schtasks.exe
4840	schtasks.exe
5020	schtasks.exe
4976	schtasks.exe
3152	schtasks.exe
4884	schtasks.exe
4896	schtasks.exe
5452	schtasks.exe
3952	schtasks.exe
6116	schtasks.exe
4532	schtasks.exe
3988	schtasks.exe
3552	schtasks.exe
5188	schtasks.exe
628	schtasks.exe
4596	schtasks.exe
4548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
6000	powershell.exe
6000	powershell.exe
1888	powershell.exe
1888	powershell.exe
1984	powershell.exe
1984	powershell.exe
1380	powershell.exe
2440	powershell.exe
1380	powershell.exe
2440	powershell.exe
1104	powershell.exe
1104	powershell.exe
2900	powershell.exe
2900	powershell.exe
1804	powershell.exe
1804	powershell.exe
4564	powershell.exe
4564	powershell.exe
4192	powershell.exe
4192	powershell.exe
1200	powershell.exe
1200	powershell.exe
2840	powershell.exe
2840	powershell.exe
5076	powershell.exe
5076	powershell.exe
6000	powershell.exe
3720	powershell.exe
3720	powershell.exe
4344	powershell.exe
4344	powershell.exe
2492	powershell.exe
2492	powershell.exe
228	powershell.exe
228	powershell.exe
3856	powershell.exe
3856	powershell.exe
4192	powershell.exe
2492	powershell.exe
1804	powershell.exe
2440	powershell.exe
1984	powershell.exe
1380	powershell.exe
1984	powershell.exe
1380	powershell.exe
5076	powershell.exe
4344	powershell.exe
2840	powershell.exe
1888	powershell.exe
1888	powershell.exe
1104	powershell.exe
1104	powershell.exe
4564	powershell.exe
2900	powershell.exe
2900	powershell.exe
228	powershell.exe
1200	powershell.exe
3720	powershell.exe
3856	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	6000	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	5908	sppsvc.exe
Token: SeDebugPrivilege	2160	sppsvc.exe
Token: SeDebugPrivilege	1676	sppsvc.exe
Token: SeDebugPrivilege	3552	sppsvc.exe
Token: SeDebugPrivilege	3988	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1888	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	139
PID 1456 wrote to memory of 1888	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	139
PID 1456 wrote to memory of 1380	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	140
PID 1456 wrote to memory of 1380	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	140
PID 1456 wrote to memory of 1104	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	141
PID 1456 wrote to memory of 1104	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	141
PID 1456 wrote to memory of 6000	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	142
PID 1456 wrote to memory of 6000	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	142
PID 1456 wrote to memory of 4192	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	143
PID 1456 wrote to memory of 4192	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	143
PID 1456 wrote to memory of 5076	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	144
PID 1456 wrote to memory of 5076	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	144
PID 1456 wrote to memory of 3856	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	146
PID 1456 wrote to memory of 3856	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	146
PID 1456 wrote to memory of 2440	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	147
PID 1456 wrote to memory of 2440	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	147
PID 1456 wrote to memory of 1200	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	149
PID 1456 wrote to memory of 1200	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	149
PID 1456 wrote to memory of 2900	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	150
PID 1456 wrote to memory of 2900	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	150
PID 1456 wrote to memory of 1984	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	152
PID 1456 wrote to memory of 1984	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	152
PID 1456 wrote to memory of 4564	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	153
PID 1456 wrote to memory of 4564	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	153
PID 1456 wrote to memory of 3720	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	155
PID 1456 wrote to memory of 3720	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	155
PID 1456 wrote to memory of 1804	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	156
PID 1456 wrote to memory of 1804	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	156
PID 1456 wrote to memory of 228	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	157
PID 1456 wrote to memory of 228	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	157
PID 1456 wrote to memory of 2840	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	158
PID 1456 wrote to memory of 2840	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	158
PID 1456 wrote to memory of 2492	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	159
PID 1456 wrote to memory of 2492	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	159
PID 1456 wrote to memory of 4344	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	160
PID 1456 wrote to memory of 4344	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	160
PID 1456 wrote to memory of 5908	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	175
PID 1456 wrote to memory of 5908	1456	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	175
PID 5908 wrote to memory of 4300	5908	sppsvc.exe	176
PID 5908 wrote to memory of 4300	5908	sppsvc.exe	176
PID 5908 wrote to memory of 3508	5908	sppsvc.exe	177
PID 5908 wrote to memory of 3508	5908	sppsvc.exe	177
PID 4300 wrote to memory of 2160	4300	WScript.exe	183
PID 4300 wrote to memory of 2160	4300	WScript.exe	183
PID 2160 wrote to memory of 4120	2160	sppsvc.exe	185
PID 2160 wrote to memory of 4120	2160	sppsvc.exe	185
PID 2160 wrote to memory of 3008	2160	sppsvc.exe	186
PID 2160 wrote to memory of 3008	2160	sppsvc.exe	186
PID 4120 wrote to memory of 1676	4120	WScript.exe	188
PID 4120 wrote to memory of 1676	4120	WScript.exe	188
PID 1676 wrote to memory of 3328	1676	sppsvc.exe	189
PID 1676 wrote to memory of 3328	1676	sppsvc.exe	189
PID 1676 wrote to memory of 5240	1676	sppsvc.exe	190
PID 1676 wrote to memory of 5240	1676	sppsvc.exe	190
PID 3328 wrote to memory of 3552	3328	WScript.exe	195
PID 3328 wrote to memory of 3552	3328	WScript.exe	195
PID 3552 wrote to memory of 4616	3552	sppsvc.exe	196
PID 3552 wrote to memory of 4616	3552	sppsvc.exe	196
PID 3552 wrote to memory of 4572	3552	sppsvc.exe	197
PID 3552 wrote to memory of 4572	3552	sppsvc.exe	197
PID 4616 wrote to memory of 3988	4616	WScript.exe	198
PID 4616 wrote to memory of 3988	4616	WScript.exe	198
PID 3988 wrote to memory of 4788	3988	sppsvc.exe	199
PID 3988 wrote to memory of 4788	3988	sppsvc.exe	199

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
"C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4732_595216890\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4588_921617627\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\Cursors\sppsvc.exe
  "C:\Windows\Cursors\sppsvc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5908
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\997abc44-7baa-47f7-a41c-ebe6c051f17d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\Cursors\sppsvc.exe
      C:\Windows\Cursors\sppsvc.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18518b02-e97c-4114-b237-716d5e8c3f95.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4120
      - C:\Windows\Cursors\sppsvc.exe
        
        C:\Windows\Cursors\sppsvc.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aa920a4-bbcb-412a-b521-75aa1cc249fc.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\Cursors\sppsvc.exe
        
        C:\Windows\Cursors\sppsvc.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\890dd805-70ac-409a-b6f5-b4bbab34228e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\Cursors\sppsvc.exe
        
        C:\Windows\Cursors\sppsvc.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5860b8c2-19a0-4af1-aaf8-c100ef78763d.vbs"
        11⤵
        
        PID:4788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46db9e05-345c-41d2-b138-e541cfe823be.vbs"
        11⤵
        
        PID:4800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74648218-f5db-4db1-a0fe-30661101e82e.vbs"
        9⤵
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\819a4588-8665-43ee-88a0-1b5255aa2e9a.vbs"
        7⤵
        
        PID:5240
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afec31a0-3948-430b-8cbd-7b7d5525c665.vbs"
        5⤵
        
        PID:3008
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0739787c-86e9-46e0-a125-c9d78bf0be41.vbs"
    3⤵
    PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\SchCache\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Cursors\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4732_595216890\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4732_595216890\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4732_595216890\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4588_921617627\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4588_921617627\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4588_921617627\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe

Filesize
1.6MB

MD5
dd77ed238dbaaf6f32c13fae14839750

SHA1
6d8e84ffada8c9cc9cac7a9e78a3b1181140f561

SHA256
d45e056e443724c37f97d215e26fad517457d393b8248573267a1cef51e550fe

SHA512
1eceb6886c86529d79f623cfa7b4afd70fddc84fa3c676209f394bac3dc746fef8731e51b9bc44837b5d7ef7a3fd3ecbfec82401ce808bca3a10e5a53687b6bf

Download Submit
C:\Program Files (x86)\Windows Media Player\it-IT\backgroundTaskHost.exe

Filesize
1.6MB

MD5
517861702fe0a89aa5e3af35d9f96661

SHA1
50101d8bff153320694baf54bc7b68e585720d4d

SHA256
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4

SHA512
da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488

Download Submit
C:\Program Files\edge_BITS_4588_921617627\csrss.exe

Filesize
1.6MB

MD5
68c0f2fa37adcdff7b24b8e990c8b708

SHA1
7f4dbfabcbd78691907c6adc24ea4492f77b55fd

SHA256
2c184106b7c1bd9e53625109e1fc5edab20c20b14cf59c18af7961b83d630396

SHA512
0dfef787db0a4a25c97f2b6463e8c79d21cef9482116d72f693870e50254552bafbca50a9fc8d92d500f7f000b8fd95914ca99cbb43d5e23795341d93eb089c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b70364cff9735f7d75ce300231e34b76

SHA1
774a0bd71ac7c49f7362f2f172348d1a7a2fb149

SHA256
d2e89ceb2b3c76f4df5c8ff31271cb8587bb50e55c292dcef5175ebd2ac7432b

SHA512
e6de0e6bbb63042230f317b9b3c2ba09d5b3eb56281f7bbd2f5bb4a898313b9f1467bc63f88aa6dd97fbcd307198fdce6d63e8751f3b9c31811f2946b8800b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1dcf991c3256194c67e06c85d15d0113

SHA1
37ff6579668b36ea01b38c418b4be1d75ad6271b

SHA256
eb5fc278212d10116c4988ec526a2324f7d4b7f667d4c647bf1ec3bd576f0848

SHA512
f6bcd44a98b3870fca3190c01bf47d1c5a14d0c796b6c6bbaaf1b9277fef6b7408466a0a864d2f94c10bf36fd94d550c7aca563ae2bdc0ff9a44a79c589a5c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd3836b9dfd35d27a1995a2fd22e3d69

SHA1
db2b529de5bc342001e1345cb080a6d4e37d4bbb

SHA256
68319d7a4938108026a325379c349b37812234bcfa2d20273c3190f7858f5e5e

SHA512
76faa047525920891f6ae4c25f86ebde4861a0fa3122bd697d8c7d6d84866495bb8344af15f53ebb60bec1a39df59b81cb245b213a0788465a20e501de9387b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae16a918424e097a7381a2ccf705660f

SHA1
9dc31ecbed1a208c46ad3486a8cf2052fa2cf6e8

SHA256
1135a17413b8c2db64197b347d56634bfff703ab9de03a511703e3c94486655b

SHA512
b03f69c77c944d66f37fe8d03bdb5bbc11345746608fbc135f5f77df4f0840b1a0a26ee127dd338e2f61f81d592121458bffd134b1fb9f55a4f8b62e7a4d67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
316c42ca95cd0ccbfd60996129f65adc

SHA1
e80bc56d3e28fc9081faae6a735d262fb0a8bbb1

SHA256
2cc6c0e6fc4690b21a7d1e699a487e22845a85933bab71638df535bb668e2d2f

SHA512
7be9772d74adec60087a0d18ef2a7ce837e7755f59077f311c4e52727184057774d279a508fb2407560f7a0b79f5c9a48fab8aff3f629bf2d967218816384242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
866b998de2a440675992d5e0b435d66d

SHA1
ce1f8f5a204ae7b3429c743cacb20ed24de54394

SHA256
4e8db49692ec5a2e4a40bee16fb03d703794c31730112b2fbd6c82fb6fd1ad44

SHA512
54d3ee420baca65db4280a78451eba383210c09c941d096f1ffa9176cd60d68b3d650a855a42cd12699003839f4af1847e73802f2b89be44ab3a0037a1d57f16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eea647cd60240158e39a00f564408842

SHA1
a7952b76bfc207c901be4f71cbfbd1815623aa08

SHA256
363878a064423f637603628cc9a0d4d541944bd10fd1df6f68b7b3b322ca0c12

SHA512
773ec72f8eebfd21c4844da039f28e6ea2b5a8276f38a57b890f090d745c566844072e151168cc9b0af61ffb058af15c4230e36b524af1305750221d98312a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0739787c-86e9-46e0-a125-c9d78bf0be41.vbs

Filesize
481B

MD5
a386f564968b5ce6d912480f99d80a9b

SHA1
47af7c2b7c12c38b0c4cce9a0769ee79b65637a4

SHA256
335aa10b1727ee8099b9d667ef78fdf364f981e26eceb3761ece0d3d7bd2b0dc

SHA512
53b7ca237de9644d94348b3ccae10e711a5dfc8146f8af8a982b146203537d70200c52854a79d49d7bcc156b7e169181c4e66bd810aea7bb21226ce33be29101

Download Submit
C:\Users\Admin\AppData\Local\Temp\18518b02-e97c-4114-b237-716d5e8c3f95.vbs

Filesize
705B

MD5
5dad9a9550799db1c52cb7c0872b1a65

SHA1
2e7037c5b90241aa712dca57366da528bc6940da

SHA256
11d87da5e3f40d87ac4931bcf3498d84e53439dd0822f832e9ddd8c27ce9426c

SHA512
11388bb5df8ab112539e2b9c3112c3e9635009576b7f0a6253cff42f753dad44951f51dc4376ce1aa645b0d082bd2b7fe247eac332b674c1a508df8fb79ab5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5860b8c2-19a0-4af1-aaf8-c100ef78763d.vbs

Filesize
705B

MD5
9bc2084521e7cdb49af1af43fa0c0bbf

SHA1
4f97ce0438ef5e295e1738f8060fe67cf6ce0bb0

SHA256
4daf16a5754287d97c2fade77594ddc8f0a22f12cf83497fed9e1e3a5c5dd17e

SHA512
3844be2be12a92c9f76128ad3ad401a9481b86be7ae24da10ba9f5cf710eae99aa38061332020f43b81f9311e5694734a2c30720bb95de2849839e63f63ca083

Download Submit
C:\Users\Admin\AppData\Local\Temp\5aa920a4-bbcb-412a-b521-75aa1cc249fc.vbs

Filesize
705B

MD5
cca163eddc1d158bbc1aff197f24d89d

SHA1
617e00b9e5654e773cb5c58e1bfe56133db007c8

SHA256
ae6fb6d8da429fb2874800de7b3ab892dc98f6736e39a359fccced5422a3920a

SHA512
c4d1668d474c91513211e7ea534e0e1a19359d7690d0fa8e5f59ae9df8b93cbf957d6eec0db89afae727bb74c9517480b2b5946d5b67f0f32f7c272f8cf8740a

Download Submit
C:\Users\Admin\AppData\Local\Temp\890dd805-70ac-409a-b6f5-b4bbab34228e.vbs

Filesize
705B

MD5
bb0197730b25aae2e6b2aa4f785d96f6

SHA1
2a9159dffc517c3a3ce398a259b5067898a6c020

SHA256
b86e7234ee07f9a1f1ae8eb30ccf65712f84537bc3315fa0e91a0a170bc12045

SHA512
ff4c2cf523b7cdfd29d276977cf583d14afd6bc0905b6e5d88281761fa4648c860f378ce69b60354048a65bf056ce2404a4bd87b8fe424938a70597ae1c07a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\997abc44-7baa-47f7-a41c-ebe6c051f17d.vbs

Filesize
705B

MD5
8123744f686539d153bd1ada9acc8a17

SHA1
8ca58d95db887d51f64db28f88cfa6d4c8f4e210

SHA256
897e77feb530680c8e52478076945c57b2d7cfc1fde33d90b80374f06117d180

SHA512
76d6d0d5bce403a2dc230e19e652fbf009f08fa3855a10ba8d1c127d8411626adf34a272492df8f47d7de11a100e2f25412c9907c208f99767ee1d246a38beef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3u1sn5h.n0x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Default\dllhost.exe

Filesize
1.6MB

MD5
b0248adf4215f471dc4931ec0533e866

SHA1
41dd515ea73acc2cd09572cc8f340abf8379d7df

SHA256
d4c9819a6448f475182800e6473e85ad4d575de25e252af68ae2e4ab4d14163f

SHA512
49c60bed01916b46a8d091c36a70644ca73baf68df008be0e938782d8218a238c1220d95d897e457445ee281122afb5191062c86455749f6455db2428797fd6a

Download Submit
C:\Users\Public\AccountPictures\dllhost.exe

Filesize
1.6MB

MD5
6672553139434b26a5dec75747565cf7

SHA1
a41b5095023950b205fc6019b6c9451118337d41

SHA256
cf9d3b7589bc993bbdad7939f7d6364e340f7b777fbb999c058474d132aa37ad

SHA512
79edd9edfedbc1b8d64fb5816448174cab07b73591b23fae102e395f3524049e6b87163d9874c89bc91e359efc38c51e3eacd2aa8d83579900fe4d136574e50b

Download Submit
C:\Windows\Cursors\backgroundTaskHost.exe

Filesize
1.6MB

MD5
360beb9fedd26f154039b8e852b03a7c

SHA1
1d6f67dd2a4ca4183a6937b0daf611c90b6c887c

SHA256
a0a874b959d559f74aed2c1c9e9356cb3b03ca0251b56acb164da01f45044809

SHA512
1b5ba04853e7774ebf7d29e13496400f32e440a366efe6bfca04eb32c1068d779fc9d31f7aa7cc7be7fd6fdad7cf77425142eff53a5dc1102c974fec6cca652b

Download Submit
C:\Windows\Cursors\sppsvc.exe

Filesize
1.6MB

MD5
08ab81187fbbbfa4a169e7159945382f

SHA1
840a7721eb632ec4d2b87bf149f4081ae76c457f

SHA256
5c24530c67c92cca5e5aed49bd8b1efc0836da3dc524522f51adda9e73b352f5

SHA512
a1d4e632b4adbeb85aa9f15242c67f8c42c3afcfe7c618505c364dd9f64beefdd317f8adde052ad28313cc0963a54c04b57c23652f875a758efc8c91c1b082c8

Download Submit
memory/1456-3-0x0000000002420000-0x000000000243C000-memory.dmp

Filesize
112KB

Download
memory/1456-10-0x000000001B730000-0x000000001B73C000-memory.dmp

Filesize
48KB

Download
memory/1456-209-0x00007FFDE8183000-0x00007FFDE8185000-memory.dmp

Filesize
8KB

Download
memory/1456-15-0x000000001B930000-0x000000001B938000-memory.dmp

Filesize
32KB

Download
memory/1456-6-0x000000001AF80000-0x000000001AF96000-memory.dmp

Filesize
88KB

Download
memory/1456-14-0x000000001B920000-0x000000001B928000-memory.dmp

Filesize
32KB

Download
memory/1456-470-0x00007FFDE8180000-0x00007FFDE8C41000-memory.dmp

Filesize
10.8MB

Download
memory/1456-7-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

Filesize
32KB

Download
memory/1456-8-0x000000001AFB0000-0x000000001AFC0000-memory.dmp

Filesize
64KB

Download
memory/1456-0-0x00007FFDE8183000-0x00007FFDE8185000-memory.dmp

Filesize
8KB

Download
memory/1456-9-0x000000001B720000-0x000000001B728000-memory.dmp

Filesize
32KB

Download
memory/1456-223-0x00007FFDE8180000-0x00007FFDE8C41000-memory.dmp

Filesize
10.8MB

Download
memory/1456-17-0x000000001B950000-0x000000001B95C000-memory.dmp

Filesize
48KB

Download
memory/1456-12-0x000000001B900000-0x000000001B90A000-memory.dmp

Filesize
40KB

Download
memory/1456-11-0x000000001B8F0000-0x000000001B8FC000-memory.dmp

Filesize
48KB

Download
memory/1456-4-0x000000001B6D0000-0x000000001B720000-memory.dmp

Filesize
320KB

Download
memory/1456-5-0x000000001AF70000-0x000000001AF80000-memory.dmp

Filesize
64KB

Download
memory/1456-2-0x00007FFDE8180000-0x00007FFDE8C41000-memory.dmp

Filesize
10.8MB

Download
memory/1456-1-0x00000000002B0000-0x0000000000452000-memory.dmp

Filesize
1.6MB

Download
memory/1456-13-0x000000001B910000-0x000000001B91E000-memory.dmp

Filesize
56KB

Download
memory/1456-16-0x000000001B940000-0x000000001B94A000-memory.dmp

Filesize
40KB

Download
memory/5908-469-0x0000000000950000-0x0000000000AF2000-memory.dmp

Filesize
1.6MB

Download
memory/6000-300-0x000001AB6D530000-0x000001AB6D552000-memory.dmp

Filesize
136KB

Download