dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0343adab1970d928320ce2aa587fd3.exe
Size

1.6MB
MD5

1f0343adab1970d928320ce2aa587fd3
SHA1

e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8
SHA256

9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4
SHA512

c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4716	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4716	schtasks.exe	88

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral20/memory/3680-1-0x0000000000300000-0x00000000004A2000-memory.dmp	dcrat
behavioral20/files/0x00080000000240a8-26.dat	dcrat
behavioral20/files/0x000b0000000240eb-72.dat	dcrat
behavioral20/files/0x00090000000240d1-83.dat	dcrat
behavioral20/files/0x000500000001da7a-139.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3556	powershell.exe
4448	powershell.exe
924	powershell.exe
5072	powershell.exe
4916	powershell.exe
2872	powershell.exe
924	powershell.exe
1652	powershell.exe
4780	powershell.exe
1244	powershell.exe
3272	powershell.exe
536	powershell.exe
3264	powershell.exe
3180	powershell.exe
980	powershell.exe
2352	powershell.exe
5012	powershell.exe
3924	powershell.exe
3288	powershell.exe
3344	powershell.exe
3304	powershell.exe
2304	powershell.exe
3344	powershell.exe
3108	powershell.exe
1436	powershell.exe
824	powershell.exe
1340	powershell.exe
1644	powershell.exe
4408	powershell.exe
772	powershell.exe
2540	powershell.exe
4984	powershell.exe
1440	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	1f0343adab1970d928320ce2aa587fd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	1f0343adab1970d928320ce2aa587fd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	1f0343adab1970d928320ce2aa587fd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 12 IoCs

pid	Process
3148	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
5636	csrss.exe
3232	csrss.exe
5308	csrss.exe
3132	csrss.exe
3112	csrss.exe
5704	csrss.exe
6096	csrss.exe
5192	csrss.exe
5888	csrss.exe
2816	csrss.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\9e8d7a4ca61bd9	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fontdrvhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Crashpad\SearchApp.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\886983d96e3d3e	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\WindowsPowerShell\Modules\cc11b995f2a76d	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB9AC.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Common Files\fontdrvhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\5940a34987c991	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\fontdrvhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Crashpad\RCXA859.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Common Files\5b884080fd4f94	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fontdrvhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Crashpad\SearchApp.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\OfficeClickToRun.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Crashpad\RCXA838.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\OfficeClickToRun.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wininit.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\RCXBCAC.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Crashpad\38384e6a620884	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\e6c9b481da804f	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\WindowsPowerShell\Modules\winlogon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB9AB.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\RCXBC2E.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\winlogon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wininit.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\56085415360792	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\RCXAAEA.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\RCXAAFA.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\5b884080fd4f94	1f0343adab1970d928320ce2aa587fd3.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Sun\Java\Deployment\WmiPrvSE.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Offline Web Pages\sihost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Offline Web Pages\66fc9ff0ee96c2	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXB72A.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\SKB\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\SKB\9e8d7a4ca61bd9	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\SKB\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\CbsTemp\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXB729.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\CbsTemp\RuntimeBroker.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Sun\Java\Deployment\WmiPrvSE.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\schemas\VpnProfile\System.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Offline Web Pages\sihost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\CbsTemp\9e8d7a4ca61bd9	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Sun\Java\Deployment\24dbde2999530e	1f0343adab1970d928320ce2aa587fd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	1f0343adab1970d928320ce2aa587fd3.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	1f0343adab1970d928320ce2aa587fd3.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1f0343adab1970d928320ce2aa587fd3.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
3864	schtasks.exe
3616	schtasks.exe
684	schtasks.exe
1392	schtasks.exe
3212	schtasks.exe
4864	schtasks.exe
3276	schtasks.exe
936	schtasks.exe
640	schtasks.exe
2092	schtasks.exe
3716	schtasks.exe
2296	schtasks.exe
3684	schtasks.exe
2436	schtasks.exe
3956	schtasks.exe
816	schtasks.exe
2928	schtasks.exe
412	schtasks.exe
1676	schtasks.exe
4624	schtasks.exe
1340	schtasks.exe
4660	schtasks.exe
980	schtasks.exe
2896	schtasks.exe
4332	schtasks.exe
3056	schtasks.exe
4824	schtasks.exe
3580	schtasks.exe
1488	schtasks.exe
1244	schtasks.exe
1912	schtasks.exe
1664	schtasks.exe
2220	schtasks.exe
1908	schtasks.exe
2304	schtasks.exe
3244	schtasks.exe
1460	schtasks.exe
1012	schtasks.exe
4000	schtasks.exe
4640	schtasks.exe
1532	schtasks.exe
400	schtasks.exe
3132	schtasks.exe
3684	schtasks.exe
4992	schtasks.exe
3272	schtasks.exe
2972	schtasks.exe
3692	schtasks.exe
4472	schtasks.exe
4604	schtasks.exe
1996	schtasks.exe
2008	schtasks.exe
5000	schtasks.exe
1360	schtasks.exe
3820	schtasks.exe
1424	schtasks.exe
212	schtasks.exe
4032	schtasks.exe
1636	schtasks.exe
2872	schtasks.exe
1960	schtasks.exe
4648	schtasks.exe
2396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3680	1f0343adab1970d928320ce2aa587fd3.exe
3680	1f0343adab1970d928320ce2aa587fd3.exe
3680	1f0343adab1970d928320ce2aa587fd3.exe
924	powershell.exe
924	powershell.exe
1244	powershell.exe
1244	powershell.exe
2304	powershell.exe
2304	powershell.exe
1436	powershell.exe
1436	powershell.exe
3288	powershell.exe
3288	powershell.exe
3304	powershell.exe
3304	powershell.exe
3344	powershell.exe
3344	powershell.exe
772	powershell.exe
772	powershell.exe
2540	powershell.exe
2540	powershell.exe
3344	powershell.exe
924	powershell.exe
2304	powershell.exe
2540	powershell.exe
2872	powershell.exe
2872	powershell.exe
2872	powershell.exe
1244	powershell.exe
1436	powershell.exe
3304	powershell.exe
772	powershell.exe
3288	powershell.exe
3148	1f0343adab1970d928320ce2aa587fd3.exe
3148	1f0343adab1970d928320ce2aa587fd3.exe
1652	powershell.exe
1652	powershell.exe
980	powershell.exe
980	powershell.exe
3272	powershell.exe
3272	powershell.exe
824	powershell.exe
824	powershell.exe
2352	powershell.exe
2352	powershell.exe
1652	powershell.exe
3272	powershell.exe
824	powershell.exe
980	powershell.exe
2352	powershell.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe
4308	1f0343adab1970d928320ce2aa587fd3.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	3148	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	4308	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	5636	csrss.exe
Token: SeDebugPrivilege	3232	csrss.exe
Token: SeDebugPrivilege	5308	csrss.exe
Token: SeDebugPrivilege	3132	csrss.exe
Token: SeDebugPrivilege	3112	csrss.exe
Token: SeDebugPrivilege	5704	csrss.exe
Token: SeDebugPrivilege	6096	csrss.exe
Token: SeDebugPrivilege	5192	csrss.exe
Token: SeDebugPrivilege	5888	csrss.exe
Token: SeDebugPrivilege	2816	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 2872	3680	1f0343adab1970d928320ce2aa587fd3.exe	120
PID 3680 wrote to memory of 2872	3680	1f0343adab1970d928320ce2aa587fd3.exe	120
PID 3680 wrote to memory of 924	3680	1f0343adab1970d928320ce2aa587fd3.exe	121
PID 3680 wrote to memory of 924	3680	1f0343adab1970d928320ce2aa587fd3.exe	121
PID 3680 wrote to memory of 2540	3680	1f0343adab1970d928320ce2aa587fd3.exe	122
PID 3680 wrote to memory of 2540	3680	1f0343adab1970d928320ce2aa587fd3.exe	122
PID 3680 wrote to memory of 1436	3680	1f0343adab1970d928320ce2aa587fd3.exe	123
PID 3680 wrote to memory of 1436	3680	1f0343adab1970d928320ce2aa587fd3.exe	123
PID 3680 wrote to memory of 2304	3680	1f0343adab1970d928320ce2aa587fd3.exe	124
PID 3680 wrote to memory of 2304	3680	1f0343adab1970d928320ce2aa587fd3.exe	124
PID 3680 wrote to memory of 3304	3680	1f0343adab1970d928320ce2aa587fd3.exe	125
PID 3680 wrote to memory of 3304	3680	1f0343adab1970d928320ce2aa587fd3.exe	125
PID 3680 wrote to memory of 3344	3680	1f0343adab1970d928320ce2aa587fd3.exe	126
PID 3680 wrote to memory of 3344	3680	1f0343adab1970d928320ce2aa587fd3.exe	126
PID 3680 wrote to memory of 3288	3680	1f0343adab1970d928320ce2aa587fd3.exe	127
PID 3680 wrote to memory of 3288	3680	1f0343adab1970d928320ce2aa587fd3.exe	127
PID 3680 wrote to memory of 772	3680	1f0343adab1970d928320ce2aa587fd3.exe	128
PID 3680 wrote to memory of 772	3680	1f0343adab1970d928320ce2aa587fd3.exe	128
PID 3680 wrote to memory of 1244	3680	1f0343adab1970d928320ce2aa587fd3.exe	129
PID 3680 wrote to memory of 1244	3680	1f0343adab1970d928320ce2aa587fd3.exe	129
PID 3680 wrote to memory of 3148	3680	1f0343adab1970d928320ce2aa587fd3.exe	140
PID 3680 wrote to memory of 3148	3680	1f0343adab1970d928320ce2aa587fd3.exe	140
PID 3148 wrote to memory of 1652	3148	1f0343adab1970d928320ce2aa587fd3.exe	155
PID 3148 wrote to memory of 1652	3148	1f0343adab1970d928320ce2aa587fd3.exe	155
PID 3148 wrote to memory of 3272	3148	1f0343adab1970d928320ce2aa587fd3.exe	156
PID 3148 wrote to memory of 3272	3148	1f0343adab1970d928320ce2aa587fd3.exe	156
PID 3148 wrote to memory of 824	3148	1f0343adab1970d928320ce2aa587fd3.exe	157
PID 3148 wrote to memory of 824	3148	1f0343adab1970d928320ce2aa587fd3.exe	157
PID 3148 wrote to memory of 980	3148	1f0343adab1970d928320ce2aa587fd3.exe	158
PID 3148 wrote to memory of 980	3148	1f0343adab1970d928320ce2aa587fd3.exe	158
PID 3148 wrote to memory of 2352	3148	1f0343adab1970d928320ce2aa587fd3.exe	159
PID 3148 wrote to memory of 2352	3148	1f0343adab1970d928320ce2aa587fd3.exe	159
PID 3148 wrote to memory of 3508	3148	1f0343adab1970d928320ce2aa587fd3.exe	165
PID 3148 wrote to memory of 3508	3148	1f0343adab1970d928320ce2aa587fd3.exe	165
PID 3508 wrote to memory of 1120	3508	cmd.exe	168
PID 3508 wrote to memory of 1120	3508	cmd.exe	168
PID 3508 wrote to memory of 4308	3508	cmd.exe	170
PID 3508 wrote to memory of 4308	3508	cmd.exe	170
PID 4308 wrote to memory of 536	4308	1f0343adab1970d928320ce2aa587fd3.exe	223
PID 4308 wrote to memory of 536	4308	1f0343adab1970d928320ce2aa587fd3.exe	223
PID 4308 wrote to memory of 1340	4308	1f0343adab1970d928320ce2aa587fd3.exe	224
PID 4308 wrote to memory of 1340	4308	1f0343adab1970d928320ce2aa587fd3.exe	224
PID 4308 wrote to memory of 3264	4308	1f0343adab1970d928320ce2aa587fd3.exe	225
PID 4308 wrote to memory of 3264	4308	1f0343adab1970d928320ce2aa587fd3.exe	225
PID 4308 wrote to memory of 1644	4308	1f0343adab1970d928320ce2aa587fd3.exe	226
PID 4308 wrote to memory of 1644	4308	1f0343adab1970d928320ce2aa587fd3.exe	226
PID 4308 wrote to memory of 3556	4308	1f0343adab1970d928320ce2aa587fd3.exe	227
PID 4308 wrote to memory of 3556	4308	1f0343adab1970d928320ce2aa587fd3.exe	227
PID 4308 wrote to memory of 5012	4308	1f0343adab1970d928320ce2aa587fd3.exe	228
PID 4308 wrote to memory of 5012	4308	1f0343adab1970d928320ce2aa587fd3.exe	228
PID 4308 wrote to memory of 3180	4308	1f0343adab1970d928320ce2aa587fd3.exe	229
PID 4308 wrote to memory of 3180	4308	1f0343adab1970d928320ce2aa587fd3.exe	229
PID 4308 wrote to memory of 4984	4308	1f0343adab1970d928320ce2aa587fd3.exe	230
PID 4308 wrote to memory of 4984	4308	1f0343adab1970d928320ce2aa587fd3.exe	230
PID 4308 wrote to memory of 3344	4308	1f0343adab1970d928320ce2aa587fd3.exe	231
PID 4308 wrote to memory of 3344	4308	1f0343adab1970d928320ce2aa587fd3.exe	231
PID 4308 wrote to memory of 1440	4308	1f0343adab1970d928320ce2aa587fd3.exe	232
PID 4308 wrote to memory of 1440	4308	1f0343adab1970d928320ce2aa587fd3.exe	232
PID 4308 wrote to memory of 3924	4308	1f0343adab1970d928320ce2aa587fd3.exe	233
PID 4308 wrote to memory of 3924	4308	1f0343adab1970d928320ce2aa587fd3.exe	233
PID 4308 wrote to memory of 5072	4308	1f0343adab1970d928320ce2aa587fd3.exe	234
PID 4308 wrote to memory of 5072	4308	1f0343adab1970d928320ce2aa587fd3.exe	234
PID 4308 wrote to memory of 4780	4308	1f0343adab1970d928320ce2aa587fd3.exe	236
PID 4308 wrote to memory of 4780	4308	1f0343adab1970d928320ce2aa587fd3.exe	236

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
"C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\a5520cf74cedd2462ce392906afc\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\c2c7c62e3dd3bcbd2ee6d4\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\c2c7c62e3dd3bcbd2ee6d4\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\a5520cf74cedd2462ce392906afc\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
  "C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CXlRX8JS8j.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
      "C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\c2c7c62e3dd3bcbd2ee6d4\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\a5520cf74cedd2462ce392906afc\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\User Account Pictures\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\c2c7c62e3dd3bcbd2ee6d4\TrustedInstaller.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\a5520cf74cedd2462ce392906afc\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\c2c7c62e3dd3bcbd2ee6d4\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\a5520cf74cedd2462ce392906afc\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\Java\Deployment\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6Pc2UWtmx.bat"
        5⤵
        
        PID:3308
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:6020
      - C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        "C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14b3bbcd-6eda-4b98-bb24-02f01ad96d8e.vbs"
        7⤵
        
        PID:5836
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3e485f5-00fb-4abf-b413-58774eafdf70.vbs"
        9⤵
        
        PID:5220
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d759860b-47fe-49d9-8209-d8eac7b58ec7.vbs"
        11⤵
        
        PID:4448
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37e4cdaf-c3a3-41d0-9aec-aeb0ee84e337.vbs"
        13⤵
        
        PID:2552
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2d0a467-971b-4c27-95d6-1d6592c55bc9.vbs"
        15⤵
        
        PID:4108
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6854a18b-0f7e-4f87-9349-f116bf9a4900.vbs"
        17⤵
        
        PID:5872
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30121f18-2d14-448a-9a38-fee959ff093b.vbs"
        19⤵
        
        PID:4920
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad5134db-068f-4577-9569-eacf7de0a424.vbs"
        21⤵
        
        PID:2944
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e56f1a18-87fb-49a6-af7b-426d843b5607.vbs"
        23⤵
        
        PID:2972
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        
        C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d573731b-04c1-40bb-9a88-990bf5482a32.vbs"
        25⤵
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3617050-f306-4369-96f6-b4d8e7c9b248.vbs"
        25⤵
        
        PID:688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd3d6c41-9234-42e6-ac15-2de608e96b7e.vbs"
        23⤵
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\541ad86f-b522-4615-87a0-182cd36f6ae1.vbs"
        21⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63a51723-e036-4367-9cb6-147a0ac6b758.vbs"
        19⤵
        
        PID:4504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a5a9212-ef7a-4fbd-bd89-de40138cb098.vbs"
        17⤵
        
        PID:5700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67d6b149-cde3-41c4-afbe-f81114beccba.vbs"
        15⤵
        
        PID:5408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dcff426-9dd1-45b7-b8ca-7d4c9a33465c.vbs"
        13⤵
        
        PID:4632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7f62312-c7b3-48b0-b894-615f64996097.vbs"
        11⤵
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbb69f62-fcc0-4475-acfa-b753fa00b060.vbs"
        9⤵
        
        PID:3508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92db1640-2317-4799-b420-a010ce1b1679.vbs"
        7⤵
        
        PID:5940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\a5520cf74cedd2462ce392906afc\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\a5520cf74cedd2462ce392906afc\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\a5520cf74cedd2462ce392906afc\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\a5520cf74cedd2462ce392906afc\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\a5520cf74cedd2462ce392906afc\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\a5520cf74cedd2462ce392906afc\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\SKB\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SKB\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\a5520cf74cedd2462ce392906afc\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\a5520cf74cedd2462ce392906afc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\a5520cf74cedd2462ce392906afc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\upfc.exe'" /f
1⤵
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\User Account Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\TrustedInstaller.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\a5520cf74cedd2462ce392906afc\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\a5520cf74cedd2462ce392906afc\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\a5520cf74cedd2462ce392906afc\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fontdrvhost.exe'" /f
1⤵
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\sihost.exe'" /f
1⤵
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\sihost.exe'" /rl HIGHEST /f
1⤵
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\sihost.exe'" /rl HIGHEST /f
1⤵
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\a5520cf74cedd2462ce392906afc\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\a5520cf74cedd2462ce392906afc\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\a5520cf74cedd2462ce392906afc\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\Java\Deployment\WmiPrvSE.exe'" /f
1⤵
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsPowerShell\Modules\winlogon.exe

Filesize
1.6MB

MD5
a9e321853758859ab3e14c2df74f24ef

SHA1
ca45071459dc1ed49f98c095d105956ffec221b5

SHA256
51c36dad9bf32fc18c35bd97564a5ca3425921c43364a5d05b5861ac425c05e0

SHA512
85c361677e116bceb5096ed5f11bab23624666162bafbc4499d72fa85e37be5b959f03084dea2194192dc1cf463857a307cdaf8a183fc204921cb1e0f1ca0f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1f0343adab1970d928320ce2aa587fd3.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c926b492b1d39d04f6e9656ec7f5877d

SHA1
c2cb3c49c5aa9b0616a7ddb11c9a1453855b352a

SHA256
b0beda1f817ee65a341d4792f15dbd70be363835d7ebc3af6302b771295bc907

SHA512
df815fe9c34f85a90c3692534993955ca3c6f57a317f46bd9366152993c5918cd6f376678f9957ae43317bb7f1f5ba65ae175dce8f5e9735749263214e1fe74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c667bc406c30dedf08683212c4a204b5

SHA1
4d713119a8483f32461a45e8291a2b8dc1fc4e7d

SHA256
0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

SHA512
1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fdbc304f3d894fc63c481c99aa258017

SHA1
47cd3a7cae4dbf6bdd92532bbb69224a75221b86

SHA256
58c02d17c622f9ffc1744d26a3be409d7a95796119bcea540e54dcf687c8abb3

SHA512
18923c6b620a47d59377bdffd8dbf9717750a52980530cd67c169704649e471b1583eda2045cc7db84e560a9672759f8ea0c3a5ab45d4f328e17aa6e0ca5fae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80dfd43d9904cb4bdd37f6934f47ccf8

SHA1
72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

SHA256
a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

SHA512
793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7cfa57226f15f18e8c29720a8a6efc8b

SHA1
fef3b41b9715cd37a0bb9ab323fc9aa62158d55b

SHA256
53d11cfbf4bbedac6a4963cbe63d8f500f1cfd159e1b9c24149c855d3be188eb

SHA512
d6ea186fa684b2ca04eb5d9292a5d60b4d22f03205eb0bbe51c8715e1312e2179bc6da60c7763cb7663cd967fc761b9bd8d9949b009e2e6cba51883a167d1820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd95e4475b8798a58a9e9d19409c1eac

SHA1
571d070dd6315847c4ba334670beffd245a35c45

SHA256
d33812e9c83075812c904e8ea736f744d614cb597e4c7aa4420021e492390729

SHA512
1ad95b0411ffbdeff090c3c71000377027095ecbc8ad27d9b4c8b7b469e669f7d76cd13f7ab2012779b6ac12c5ff2671f4e44fa8d1f2aefae3824ed74a9fa7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9078a011b49db705765cff4b845368b0

SHA1
533576940a2780b894e1ae46b17d2f4224051b77

SHA256
c89240e395a581db1b44d204e2bcbd5b0e7f636ac72585d8257e6b901f5a3615

SHA512
48e0896fc4818bb7e3f250c5cad70d5e4ce71d3f6a8d2d17d8becc36050c1de2a270fde8dea5bb3462f1e7f5eaf074053390934f26d0186113215a1c4e92dd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
be67063c62a242565760a02a642a9f02

SHA1
d1043a892b44d6676f71b568f578fff947266a19

SHA256
56f158298dc5f781d6636a0b15d040f9cffb1d46cd11079aa40a26b662217f48

SHA512
90d2cbd882ff8043412ad25e74df0cf6b71d6f3fbdfa6f1efa0efc8eed86a925606c7d2e967f112a34d3f0e04f01a396898508571400dcf7e6fd69e78f406638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
059e5f0f77d3e99c8872915337444e20

SHA1
4e98080250f6e1686a56063d5c93274dee64db69

SHA256
74b4e76a16a85451ce9239d063a8edf263cd27f8ecdc77cfc6cccbcb407929cb

SHA512
f0377c8366235a167d9580106a5ef934ae86b4db01f68f6d0ced478a7490fad7a605f5ac02e73fd5130db9f33b3825c2a5ed0a0c220dcb7d7069bcf29db8b0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
89b9b22e2cb6f0b903e7f8755f49d7be

SHA1
e13b62b19dccdbacb5fec9227e34f21e34fe5cad

SHA256
17b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537

SHA512
f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9f0b3bbfa39f2566ed59f5e594ad3848

SHA1
c9901f5d073fe6c85a4d5a52be4be6d050a7aa5c

SHA256
f4201e88a34d8a1958b81081136d6acd2edc2ae13561ad8e88c49443b76d7592

SHA512
f2590698ad5d615d68f041f8030f10469a3aeb52600303a55d6b09cb4945c673c770427abb07fa8c63725062f9efea0f7edf6da3174d3a2c08f268d51d2f75b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08526e4d8fed0a382c243c9aa8b1fe45

SHA1
f3da4b97529aaa38230db8bfa34a345bbc211622

SHA256
b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f

SHA512
cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fdf15f7d08f3f7538ae67e5b3e5d23f4

SHA1
953ff0529053ce3a1930b4f5abba2364a8befbfc

SHA256
9f4964b9cf2c6d4915a8f2b9746dc5ff73d6f327c81370f92e0e7a611b28a707

SHA512
4fee933635376d1467e0be63d12fa897f83cbbf9cdd1ac79cce30dfaa2621d47e137e991b701f1ed9910767904dbfb6b89db2a02ce32edc410c83351f351d7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fec78ebbd765e6f8d91ff70218cfeb45

SHA1
11018ec3fa5d64501496c37f8687b773da21e68e

SHA256
29086aafe3d9aa700651b295c0007d7832d7ac4fca9e02702706566b7d42f20d

SHA512
3534898dc42185a99c3be830121870ab99e9ff1857cb165ce50f45fe205c4f3cef708e42f914fba573d88e31ac9f719d101d4ddd5b94b848440ef2d6dbcf4942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8609c12c59293ee67562f5096525f6f

SHA1
7b89311e1e00dec0658daa7749b6560af217435c

SHA256
9e7a84df1f437f21ceba6e519fbbd333f0bd7721e8e4b0bb963652fb9a1163fa

SHA512
ce6838f441c0954739ec5e03af0726d20b892c4415df3c3ee2010bc6c8f6191ac6717d0e3499ce04a03441b1ad43fc7a2df0de34a1ebd67fbd62cfdf48007b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
03bf359e51a591074e84e0820b10bf52

SHA1
da92709e5982c7f0ac8a81bcd81ad5f6545ca833

SHA256
a65406c382b444eb625209edce0975ef14eb5c7c12633a52d8f2a77df22f58e8

SHA512
6462a4c24acead3d52faa2e9c5d761d6781822b2f412d35ae1ce00603953a9da5f576e44617b52dcbe21c1280b42b391eae2deb714f3c751a55c8d937cbe934b

Download Submit
C:\Users\Admin\AppData\Local\Temp\14b3bbcd-6eda-4b98-bb24-02f01ad96d8e.vbs

Filesize
711B

MD5
30d005f1495387c1f8e300fae7604037

SHA1
fa4b57258ee46117c5f279deca7decfdda46174c

SHA256
9766d7d9bf06c0a08ac5b3ccd2c4492baf1ba1ad1ef4722af7b5dc65d0488d62

SHA512
400d29383a622f46bf45857a2182ee2563844bfdd8d3e54ec456d2e794b67718859d111bf5f9bd4ec030b715dc091f8e8957ae752e04df0f2b8e34d0d7998e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\37e4cdaf-c3a3-41d0-9aec-aeb0ee84e337.vbs

Filesize
711B

MD5
2c61bfe4470e72a6a713daed3d3757a3

SHA1
671fe819338c093260b8562934f682ac445a9a5c

SHA256
464fec58e62ddc5127667884cb60b71b3537dbeaeb138b4837d96160c27ac4d9

SHA512
5c28e4a86eb05e06ddfeab27715deb5e14b8af92b376e1b21d06038e088c5f3b49b7904a7c15c9c8f6d81f9ef521a1ad3012f182db4330bc1c1b454e6260c523

Download Submit
C:\Users\Admin\AppData\Local\Temp\6854a18b-0f7e-4f87-9349-f116bf9a4900.vbs

Filesize
711B

MD5
c0f361f163da8044f69bb14e9ef50a4d

SHA1
9eb642901a6003812d9ace026b1cdc002e28d494

SHA256
58ced99884f29bc4432d3d52e89f6bee32303b87489d098f74f879eba3f001ed

SHA512
35a7eacd494257108ed5f7ca891c7c7727849830e4bf993ef8a5b81f521eb56222e58d074c666abf883de8ae6fa87519f6ca3df4d92139d0b865f73c31874362

Download Submit
C:\Users\Admin\AppData\Local\Temp\92db1640-2317-4799-b420-a010ce1b1679.vbs

Filesize
487B

MD5
c745c3cd44d0d105fd42742d90cf365a

SHA1
398f3fe6cc85e67caf5c9c056b0d8cf4829a9cdb

SHA256
3a505299fcc8a8476921543ec16cd29f17fa438bcb9ad7f221a2ef4935b03bad

SHA512
6c482a196e465a1df744b64c2a30c5ec16b27b9afce14d781c29c115993bba9205269cea06c2ad4eda127692c69150de5bb770ed06b46c06f064ca55207927ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CXlRX8JS8j.bat

Filesize
235B

MD5
008a56f1d73925687bbb0e707b580969

SHA1
d4f9ae247c33f625f5e024d387079f099bd0a8cc

SHA256
f2e046b978b9e98519f1d3b6531954bad2b9eedbcf27546cc4a27dfe282bffa6

SHA512
266f6bda04b1ca052eb8579819dea4a8be270564c97dc68e5b114c7d1137d823f3ed418ef2aac1898c90c2313869c9cd702821c8bc579c70ca8609c687566ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0jugtktz.0wu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3e485f5-00fb-4abf-b413-58774eafdf70.vbs

Filesize
711B

MD5
c7a0b91a818736a4d624dbdeaf498dd5

SHA1
ebc6322e1361fa822cd65918282807d0752732b5

SHA256
c5dec157c4e67d9e844626a16a8fc1851a93bf779e5234a79514c864dd4bbada

SHA512
c3fca90586c55110aaff3786b41815a55af88fde2f29bd91f1484fcae20384bd42f70c4a869146c8bbac5cf09abd70e039b4106d210592074a6b0910b724a7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d759860b-47fe-49d9-8209-d8eac7b58ec7.vbs

Filesize
711B

MD5
26e3fb52f1ed4df865cd5697cb34fe70

SHA1
b3247629f59a32da2d65eab3ec3ab7291fc38b6d

SHA256
defe050b463457b44ced6bc1874d086d547309db3c6acfeec5583980986d5ef0

SHA512
170e2e045ba25411283bcb9e0167ed941aeb796d3775c34bfd24f3b392f7aab3ed7aa594e9142673fa6d0f36114f5ec9e3b898858d86d08d2340c9b014a7ea73

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2d0a467-971b-4c27-95d6-1d6592c55bc9.vbs

Filesize
711B

MD5
5b5e79c4ba9b3f65031bf65adf876199

SHA1
7247cf5f274bb589f70985391fa88170f218ce5f

SHA256
80bf509ecbc560d17c0d052eae1a466b9785f2fb187e424834e014669cf216c7

SHA512
134ecd1941a1b50c9a0c1c4999be89d4264f1d71524fd7e4020b333db924b8f646ef53dfa5c24c4570e0e2109e5acd24f9db6407f12d4cf0572c63921901b9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6Pc2UWtmx.bat

Filesize
200B

MD5
bb6a0c4fac443c10f47df7ddaa892f1e

SHA1
e5a40def142ba9470ffbdf660f7a08e3e4affc6a

SHA256
a6939614f3aba49e4df152c2c6c28460494a1494a7ac1ae97e2e53ce71fb65f0

SHA512
9ffcfaa28dcbec9028be004fcb3bd594c7dbffc0c6c19e1cab0e262d407fbb2b60d5d70930b63bbd9b4f8ee677d3fcaebc3c4bc53a971510b96b9e3380f8c6e0

Download Submit
C:\a5520cf74cedd2462ce392906afc\sihost.exe

Filesize
1.6MB

MD5
e92ff7a89b9c8bea80a57b179664d4db

SHA1
b81df9c8296a494c99e9286512741df04c2febbf

SHA256
463834e89100d6ea2c5b5af36b83d01bda9b407be22ea2a363d69f5a3fc93ba4

SHA512
ce01fc7926c8532e74a2224d83f9274661b8f0253fc59f023972718624b72ed649c1b57cfc6c2a56bd7ead7173cf95ccbfccb2b3cb955d200cd51e2b81d5ca25

Download Submit
C:\c2c7c62e3dd3bcbd2ee6d4\dllhost.exe

Filesize
1.6MB

MD5
f5a1530c32b562bc1af8874f9669699d

SHA1
dc8d9c6f99b6191ca1dd7174b71fca93c14be39f

SHA256
fc9dc35f3ec92902f9c431d5945b2ab8cc0f23a9af22c25ec7afccff8684cd1e

SHA512
e89c2527dc1d654c9ccb2034775f49679d2a237ed2e25f544a6e4982c19bb3ea1d1407759095a5f126516a61d29a8238be2727148b5e09345aa8bad378ca2551

Download Submit
C:\c2c7c62e3dd3bcbd2ee6d4\fontdrvhost.exe

Filesize
1.6MB

MD5
1f0343adab1970d928320ce2aa587fd3

SHA1
e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8

SHA256
9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4

SHA512
c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c

Download Submit
memory/1244-152-0x000002111B140000-0x000002111B162000-memory.dmp

Filesize
136KB

Download
memory/3680-13-0x000000001B1A0000-0x000000001B1AE000-memory.dmp

Filesize
56KB

Download
memory/3680-3-0x00000000025B0000-0x00000000025CC000-memory.dmp

Filesize
112KB

Download
memory/3680-5-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3680-4-0x000000001B130000-0x000000001B180000-memory.dmp

Filesize
320KB

Download
memory/3680-7-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/3680-0-0x00007FF82A493000-0x00007FF82A495000-memory.dmp

Filesize
8KB

Download
memory/3680-2-0x00007FF82A490000-0x00007FF82AF51000-memory.dmp

Filesize
10.8MB

Download
memory/3680-9-0x000000001B110000-0x000000001B118000-memory.dmp

Filesize
32KB

Download
memory/3680-10-0x000000001B120000-0x000000001B12C000-memory.dmp

Filesize
48KB

Download
memory/3680-15-0x000000001B1C0000-0x000000001B1C8000-memory.dmp

Filesize
32KB

Download
memory/3680-14-0x000000001B1B0000-0x000000001B1B8000-memory.dmp

Filesize
32KB

Download
memory/3680-17-0x000000001B990000-0x000000001B99C000-memory.dmp

Filesize
48KB

Download
memory/3680-16-0x000000001BA90000-0x000000001BA9A000-memory.dmp

Filesize
40KB

Download
memory/3680-1-0x0000000000300000-0x00000000004A2000-memory.dmp

Filesize
1.6MB

Download
memory/3680-8-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/3680-237-0x00007FF82A490000-0x00007FF82AF51000-memory.dmp

Filesize
10.8MB

Download
memory/3680-12-0x000000001B190000-0x000000001B19A000-memory.dmp

Filesize
40KB

Download
memory/3680-11-0x000000001B180000-0x000000001B18C000-memory.dmp

Filesize
48KB

Download
memory/3680-6-0x000000001B0E0000-0x000000001B0F6000-memory.dmp

Filesize
88KB

Download