dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
59s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Size

1.6MB
MD5

7fbc72dcc67b2b7366c90f81051bd68a
SHA1

bdd22f70686afb5bf32d638eee6fdd0891ec3248
SHA256

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82
SHA512

e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5724	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6112	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5720	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5812	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6004	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5608	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5428	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5352	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	4500	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6124	4500	schtasks.exe	89

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral18/memory/2736-1-0x0000000000F80000-0x0000000001122000-memory.dmp	dcrat
behavioral18/files/0x0007000000024296-26.dat	dcrat
behavioral18/files/0x000700000001e6e0-89.dat	dcrat
behavioral18/files/0x000900000001e6dd-195.dat	dcrat
behavioral18/files/0x000900000002253c-204.dat	dcrat
behavioral18/files/0x000d0000000240c1-241.dat	dcrat
behavioral18/memory/3168-479-0x0000000000110000-0x00000000002B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe
1828	powershell.exe
4676	powershell.exe
4912	powershell.exe
2760	powershell.exe
4684	powershell.exe
4680	powershell.exe
4712	powershell.exe
4380	powershell.exe
4864	powershell.exe
1156	powershell.exe
2908	powershell.exe
4748	powershell.exe
2880	powershell.exe
5296	powershell.exe
6116	powershell.exe
1128	powershell.exe
4540	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 6 IoCs

pid	Process
3168	fontdrvhost.exe
2332	fontdrvhost.exe
3364	fontdrvhost.exe
3620	fontdrvhost.exe
5312	fontdrvhost.exe
3408	fontdrvhost.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCX8216.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX841C.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Windows Mail\wininit.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX7333.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wininit.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX6E9B.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Windows Mail\sihost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX841B.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX8DA8.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Windows Mail\RCX773D.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\Internet Explorer\images\5940a34987c991	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX8DA9.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\Internet Explorer\de-DE\5b884080fd4f94	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX7FF0.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\SppExtComObj.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\5b884080fd4f94	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX72B5.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Windows Mail\RCX773E.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX7FF1.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Reference Assemblies\SppExtComObj.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\Windows Mail\66fc9ff0ee96c2	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Windows Media Player\55b276f4edf653	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Reference Assemblies\e1ef82546f0b02	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Internet Explorer\images\dllhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\Internet Explorer\images\dllhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\Windows Mail\sihost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Windows Mail\56085415360792	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX6E9A.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCX8205.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Common\fr-FR\RuntimeBroker.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1248	schtasks.exe
1480	schtasks.exe
5608	schtasks.exe
2880	schtasks.exe
4516	schtasks.exe
4612	schtasks.exe
2064	schtasks.exe
3600	schtasks.exe
6004	schtasks.exe
2576	schtasks.exe
5088	schtasks.exe
5804	schtasks.exe
4040	schtasks.exe
4960	schtasks.exe
3744	schtasks.exe
2444	schtasks.exe
3308	schtasks.exe
4684	schtasks.exe
6124	schtasks.exe
4772	schtasks.exe
4784	schtasks.exe
5464	schtasks.exe
4092	schtasks.exe
1028	schtasks.exe
3512	schtasks.exe
4724	schtasks.exe
6112	schtasks.exe
4984	schtasks.exe
4756	schtasks.exe
4672	schtasks.exe
2916	schtasks.exe
4368	schtasks.exe
1156	schtasks.exe
2760	schtasks.exe
2956	schtasks.exe
5724	schtasks.exe
2276	schtasks.exe
4688	schtasks.exe
3608	schtasks.exe
5428	schtasks.exe
1412	schtasks.exe
4712	schtasks.exe
4864	schtasks.exe
4576	schtasks.exe
4716	schtasks.exe
5720	schtasks.exe
5352	schtasks.exe
4636	schtasks.exe
1568	schtasks.exe
3408	schtasks.exe
5812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
5296	powershell.exe
5296	powershell.exe
6116	powershell.exe
6116	powershell.exe
2760	powershell.exe
2760	powershell.exe
4380	powershell.exe
4380	powershell.exe
2944	powershell.exe
2944	powershell.exe
4684	powershell.exe
4684	powershell.exe
2908	powershell.exe
2908	powershell.exe
4912	powershell.exe
4912	powershell.exe
4676	powershell.exe
4676	powershell.exe
4712	powershell.exe
1828	powershell.exe
4712	powershell.exe
1828	powershell.exe
4680	powershell.exe
4680	powershell.exe
4864	powershell.exe
4864	powershell.exe
1156	powershell.exe
1156	powershell.exe
2880	powershell.exe
2880	powershell.exe
4540	powershell.exe
4540	powershell.exe
4748	powershell.exe
4748	powershell.exe
4540	powershell.exe
1128	powershell.exe
1128	powershell.exe
4748	powershell.exe
2760	powershell.exe
2760	powershell.exe
4864	powershell.exe
5296	powershell.exe
5296	powershell.exe
4684	powershell.exe
4680	powershell.exe
2908	powershell.exe
4380	powershell.exe
4380	powershell.exe
4712	powershell.exe
1156	powershell.exe
4676	powershell.exe
6116	powershell.exe
6116	powershell.exe
2944	powershell.exe
2944	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Token: SeDebugPrivilege	5296	powershell.exe
Token: SeDebugPrivilege	6116	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	3168	fontdrvhost.exe
Token: SeDebugPrivilege	2332	fontdrvhost.exe
Token: SeDebugPrivilege	3364	fontdrvhost.exe
Token: SeDebugPrivilege	3620	fontdrvhost.exe
Token: SeDebugPrivilege	5312	fontdrvhost.exe
Token: SeDebugPrivilege	3408	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4748	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	152
PID 2736 wrote to memory of 4748	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	152
PID 2736 wrote to memory of 4864	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	153
PID 2736 wrote to memory of 4864	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	153
PID 2736 wrote to memory of 4676	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	154
PID 2736 wrote to memory of 4676	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	154
PID 2736 wrote to memory of 4380	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	155
PID 2736 wrote to memory of 4380	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	155
PID 2736 wrote to memory of 6116	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	156
PID 2736 wrote to memory of 6116	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	156
PID 2736 wrote to memory of 4712	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	157
PID 2736 wrote to memory of 4712	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	157
PID 2736 wrote to memory of 4680	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	158
PID 2736 wrote to memory of 4680	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	158
PID 2736 wrote to memory of 4684	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	159
PID 2736 wrote to memory of 4684	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	159
PID 2736 wrote to memory of 5296	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	160
PID 2736 wrote to memory of 5296	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	160
PID 2736 wrote to memory of 2760	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	161
PID 2736 wrote to memory of 2760	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	161
PID 2736 wrote to memory of 1828	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	162
PID 2736 wrote to memory of 1828	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	162
PID 2736 wrote to memory of 2908	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	163
PID 2736 wrote to memory of 2908	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	163
PID 2736 wrote to memory of 1156	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	164
PID 2736 wrote to memory of 1156	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	164
PID 2736 wrote to memory of 2944	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	165
PID 2736 wrote to memory of 2944	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	165
PID 2736 wrote to memory of 2880	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	166
PID 2736 wrote to memory of 2880	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	166
PID 2736 wrote to memory of 4540	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	167
PID 2736 wrote to memory of 4540	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	167
PID 2736 wrote to memory of 1128	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	168
PID 2736 wrote to memory of 1128	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	168
PID 2736 wrote to memory of 4912	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	169
PID 2736 wrote to memory of 4912	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	169
PID 2736 wrote to memory of 3168	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	188
PID 2736 wrote to memory of 3168	2736	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	188
PID 3168 wrote to memory of 1420	3168	fontdrvhost.exe	190
PID 3168 wrote to memory of 1420	3168	fontdrvhost.exe	190
PID 3168 wrote to memory of 4832	3168	fontdrvhost.exe	191
PID 3168 wrote to memory of 4832	3168	fontdrvhost.exe	191
PID 1420 wrote to memory of 2332	1420	WScript.exe	192
PID 1420 wrote to memory of 2332	1420	WScript.exe	192
PID 2332 wrote to memory of 4980	2332	fontdrvhost.exe	193
PID 2332 wrote to memory of 4980	2332	fontdrvhost.exe	193
PID 2332 wrote to memory of 3928	2332	fontdrvhost.exe	194
PID 2332 wrote to memory of 3928	2332	fontdrvhost.exe	194
PID 4980 wrote to memory of 3364	4980	WScript.exe	195
PID 4980 wrote to memory of 3364	4980	WScript.exe	195
PID 3364 wrote to memory of 6036	3364	fontdrvhost.exe	197
PID 3364 wrote to memory of 6036	3364	fontdrvhost.exe	197
PID 3364 wrote to memory of 4716	3364	fontdrvhost.exe	198
PID 3364 wrote to memory of 4716	3364	fontdrvhost.exe	198
PID 6036 wrote to memory of 3620	6036	WScript.exe	201
PID 6036 wrote to memory of 3620	6036	WScript.exe	201
PID 3620 wrote to memory of 2012	3620	fontdrvhost.exe	202
PID 3620 wrote to memory of 2012	3620	fontdrvhost.exe	202
PID 3620 wrote to memory of 1372	3620	fontdrvhost.exe	203
PID 3620 wrote to memory of 1372	3620	fontdrvhost.exe	203
PID 2012 wrote to memory of 5312	2012	WScript.exe	204
PID 2012 wrote to memory of 5312	2012	WScript.exe	204
PID 5312 wrote to memory of 4400	5312	fontdrvhost.exe	205
PID 5312 wrote to memory of 4400	5312	fontdrvhost.exe	205

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
"C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ebea8a0c5b7ebb8dc5b60da7\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\87efddaf44110a3d80760c508da79ad7\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ebea8a0c5b7ebb8dc5b60da7\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Recovery\WindowsRE\fontdrvhost.exe
  "C:\Recovery\WindowsRE\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65c5417e-62b6-46ff-87c8-ab5f1c661a37.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Recovery\WindowsRE\fontdrvhost.exe
      C:\Recovery\WindowsRE\fontdrvhost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dfe4c48-438c-403b-9e52-92749cb3003a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\161edb8b-4809-4707-8955-b2303cefae38.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:6036
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0cdf677-bb67-4f86-88f0-1fb8403ca36e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24f647a4-09c0-4070-ae6c-8eba48ba1c57.vbs"
        11⤵
        
        PID:4400
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e86eae2-c03a-4bc2-8be7-e8ee78921e9b.vbs"
        11⤵
        
        PID:4632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce1dcfdb-3beb-468f-9a60-beb65be98882.vbs"
        9⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c12d0f1-c38f-4c06-8a0e-b2ce4b230eb0.vbs"
        7⤵
        
        PID:4716
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ea03e3f-1915-479a-abbc-1af5fe1b2b6d.vbs"
        5⤵
        
        PID:3928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6afb7c47-2ee1-4c8b-a5c8-aed588c09616.vbs"
    3⤵
    PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\87efddaf44110a3d80760c508da79ad7\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\87efddaf44110a3d80760c508da79ad7\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Links\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\images\dllhost.exe

Filesize
1.6MB

MD5
55bba875c4aae4f4512eea243b9f117b

SHA1
12e3815a3432935180977ae6b39bf54018f6882a

SHA256
63541935b2a8446f54cc195286c9fec3ec3296d7913ca45a78b89246dac3edf1

SHA512
0297551908d0d3ae96846d954874b26c4f873ca562b2424902a31769dcc4a1af4b85b75de3d9b8d1508ee902b0746e292e3d54e1385104afa2dad02fb0f2c8fa

Download Submit
C:\Program Files\Windows Mail\sihost.exe

Filesize
1.6MB

MD5
7fbc72dcc67b2b7366c90f81051bd68a

SHA1
bdd22f70686afb5bf32d638eee6fdd0891ec3248

SHA256
1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82

SHA512
e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.6MB

MD5
ba0ad5d805aaa2e0ca9ca89e284ce187

SHA1
27210eecee252a74d2bdc2b324bc6871a6fbd5e3

SHA256
77eca6154826282f1e76a5df6f64c58afe201d22affe3a916d9d8075dad9aead

SHA512
40720a5d9af9aec19693c6e1e904e0dc2001c1f917d97d3753c0929839f37318f4a2e542d37b5c343ced9865f222efcce7b4160f236624a100817f7475868199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
681e61532ff712d8340986e1c9913ef5

SHA1
84a8edb57465d211a98980b5788c18a2584edcdf

SHA256
d6bd79a01f6f2501487a2e7cad738bd2fb6ee772191a79d15cad1b995bcdb66a

SHA512
26822d15d1c676fe6f59470b828b783751187947a22f2e0baded0629473f78e33f3c048e0bc3548e1e4ad817fadac968a91dca1f1231433204df0b5ead03462f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2044ef36c414ed6e6c991e5fbe7d5bf1

SHA1
0dbd4be869af1290a771fa295db969dc14b2a1fc

SHA256
1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6

SHA512
304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efd2dfedf7e67764ce4dc0c1475d5543

SHA1
be775a500ecf6c234153afad0b8ec07e56ad74fa

SHA256
662c4f869810ea7f43ce3ccbeccc5b80c443161c56a346fb9054fb1fa613a7ad

SHA512
b167fa92f6d63b18e6247445b1c532a2a229a0fc6dcd26c9d1526749f80c7ec01524b7ce497ab94a3df814f9ce4b7394d872d85555323ddcd08798d565f3211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd95e4475b8798a58a9e9d19409c1eac

SHA1
571d070dd6315847c4ba334670beffd245a35c45

SHA256
d33812e9c83075812c904e8ea736f744d614cb597e4c7aa4420021e492390729

SHA512
1ad95b0411ffbdeff090c3c71000377027095ecbc8ad27d9b4c8b7b469e669f7d76cd13f7ab2012779b6ac12c5ff2671f4e44fa8d1f2aefae3824ed74a9fa7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8d7ef90d60b004c1ca554407c4ce6d0f

SHA1
8d57fc1cbb9776bb85c8c740a7ad2bc10c531fb4

SHA256
5a2c61fa1c443a345a6f9961b72b01489f7ceaf7da9af4f9f217ae5e81a8bffb

SHA512
263d0d91a24adbe5e536a48145976876e88d09b57435efcafd622391f8c586c0d282c7cb78275074e039e3108474c1b13199be1adbcbd79990e6e6b3d60f2809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1c41ab70e6e5907330c398d5789b851

SHA1
39dbfc40fb75793d222369e59ae5d784f5c3b7a3

SHA256
90c7c4c7f4671b52194b8e5d5e43715003581b96ee6418ced8c3bab9329a1fad

SHA512
a5e07a6316a8142a0680d9ae73890daabb18de56540ed1025f1a7a463b7992854b7b31c537d8e1a32deaf8864dfacc88fb2203c22891643f9e1ddc713968c3fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
866b998de2a440675992d5e0b435d66d

SHA1
ce1f8f5a204ae7b3429c743cacb20ed24de54394

SHA256
4e8db49692ec5a2e4a40bee16fb03d703794c31730112b2fbd6c82fb6fd1ad44

SHA512
54d3ee420baca65db4280a78451eba383210c09c941d096f1ffa9176cd60d68b3d650a855a42cd12699003839f4af1847e73802f2b89be44ab3a0037a1d57f16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f29d4b03e157fa020f2b793683543af

SHA1
1b0603266b02dd38444489e0d5e18ee93b6b766a

SHA256
eec5516679b34fb0efe983a81cc19b0b5cf33fd3191d5d8fd5c3fb082a55d410

SHA512
b0cca3aa1373f813a7a16a1ca94b7e048d83f8875b28949d7ece9668c5cb847250d1468080a85e478833a8876b668a8a6e0ef4df4a289ca66badac3af00dc5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\161edb8b-4809-4707-8955-b2303cefae38.vbs

Filesize
713B

MD5
e3950c34387ffea06a2c0fa0c529b81d

SHA1
3d47829ed9c53f6d5e8e0fc163ec2f08b9017eba

SHA256
2cdb321636f930e3cbb9324459fe11c058c410409e0dc0dd86016928b2858cfa

SHA512
45ee2c0efd854cbff18abc980da241c6d7f8f8559cfd12febff258d1287adb6418f96afd98dcd7b13f39b7a5903214ff507c4758465dc17684ba4bc9f0e1d3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\24f647a4-09c0-4070-ae6c-8eba48ba1c57.vbs

Filesize
713B

MD5
354c410d5532194601c1b673d0b2009f

SHA1
cabe1c472459d18ee515a15a370d4f928dd951fb

SHA256
875fb28f2f734885f106c3f6b6af4f1d97ff8570d83f32ed17ec5e1b4d362531

SHA512
dfe78157c15ab3783f117e3874d08bd74af566e686113bf06cc93cc3d00222c15211463eb50b7ee2af0730ee66db799cee8be8b1a3f47a6fef0b22ac742d0bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dfe4c48-438c-403b-9e52-92749cb3003a.vbs

Filesize
713B

MD5
7c39b76074036c526a1924babd6c010c

SHA1
cfeecbc8dbd41e3d7a72389170fe4482754e9fa0

SHA256
32dc273215c339dca7936f676eab536f5737d106fc8f871c2ea3c37fbc813d42

SHA512
3b695f8a09537e34c49568b47385917a0447953f5f5e78c6f2d3b68d26ce84311ca826b9320244604cac235839c2c0ee2c3fe707940573fc90434acfd57b55c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\65c5417e-62b6-46ff-87c8-ab5f1c661a37.vbs

Filesize
713B

MD5
b146a438184579d2f36d458cb24ff8fa

SHA1
d8216df221e36277e9c91f96ef427d4ce0e6afd3

SHA256
e2397692e6b22529ff03379da8c586501472736feaf3ef80324e26cbc8450ede

SHA512
d103e82742ccad7f267585c7a6e6931996a6abacac6c5c9c03643123e419b752ed056f33e155c6029358d2c72e001b50e2451a3bcdc6f1a50fd6a859f849e752

Download Submit
C:\Users\Admin\AppData\Local\Temp\6afb7c47-2ee1-4c8b-a5c8-aed588c09616.vbs

Filesize
489B

MD5
669097acc04d2bf541ef69f44bca3db9

SHA1
66d4d3482b31c38813778e8dabdf18e7175312a2

SHA256
7e8ec9583f19185f45f532e23a67765c0385f536acf45e60951af094364b444c

SHA512
30cd7d01c06b2f15f13e2924e168ee4699887184377d6810b7f67ab098be1a06f1c1ffe69ecf97a3aea55210f05d170ee15a1f330110fd4d4d67b337be184b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezet0qky.ofu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0cdf677-bb67-4f86-88f0-1fb8403ca36e.vbs

Filesize
713B

MD5
14508e1f0656e35525343a3591e00c8b

SHA1
ad108d98256ac22c6fcd89a30706ed42f43ab80b

SHA256
4c52aa4b4c49ad4224b6bd3360ede31821aa669a2633b3c994026339c5ed8111

SHA512
0f3b6005e415164cf27a142da6b152f22dc1fd8c18003ad161e2b732bd4394638f4e2618e0f8b1b34e2141da986e797cb4fac7ddafd2908f7f54fb59c2dcb3bd

Download Submit
C:\Users\Default\TextInputHost.exe

Filesize
1.6MB

MD5
b29f04f18a6cca97e193518ff9543b97

SHA1
659e768cfab26a4bb97a193def6bbdb50d1e1661

SHA256
185e050fe5f0b838573ccfff4617cccbf7b864d8c106aaf3dde731cfc0e6b82f

SHA512
26d56680eeafe6d5a08f575bfce39e4c4b4d694c97110c6874b2293d5b20f4dce42114705445963452577e9765ee6617293aaba6e4dba18a4f16910297fae449

Download Submit
C:\ebea8a0c5b7ebb8dc5b60da7\RuntimeBroker.exe

Filesize
1.6MB

MD5
85304d2bdda1ac7a45b5b6d4d06c567e

SHA1
5108c091cb80b205ef0ff48e840b9b5796810949

SHA256
cc5ea6b5bf2853680274e6c4c513802a2dfdff212f286a8244e0ad332e65479f

SHA512
09f460925a4175a7be909931b7a7ce6a05bde5677d2cd4bf42c27208c2508fe156101920d1821f87bd355f3981de3b2143fe1dd40e067801969eba6c934fa6bb

Download Submit
memory/2736-9-0x0000000001BD0000-0x0000000001BD8000-memory.dmp

Filesize
32KB

Download
memory/2736-17-0x000000001C730000-0x000000001C73C000-memory.dmp

Filesize
48KB

Download
memory/2736-205-0x00007FFEAB7A3000-0x00007FFEAB7A5000-memory.dmp

Filesize
8KB

Download
memory/2736-0-0x00007FFEAB7A3000-0x00007FFEAB7A5000-memory.dmp

Filesize
8KB

Download
memory/2736-12-0x0000000003530000-0x000000000353A000-memory.dmp

Filesize
40KB

Download
memory/2736-2-0x00007FFEAB7A0000-0x00007FFEAC261000-memory.dmp

Filesize
10.8MB

Download
memory/2736-480-0x00007FFEAB7A0000-0x00007FFEAC261000-memory.dmp

Filesize
10.8MB

Download
memory/2736-13-0x0000000003540000-0x000000000354E000-memory.dmp

Filesize
56KB

Download
memory/2736-14-0x0000000003550000-0x0000000003558000-memory.dmp

Filesize
32KB

Download
memory/2736-15-0x0000000003560000-0x0000000003568000-memory.dmp

Filesize
32KB

Download
memory/2736-16-0x000000001BFD0000-0x000000001BFDA000-memory.dmp

Filesize
40KB

Download
memory/2736-221-0x00007FFEAB7A0000-0x00007FFEAC261000-memory.dmp

Filesize
10.8MB

Download
memory/2736-1-0x0000000000F80000-0x0000000001122000-memory.dmp

Filesize
1.6MB

Download
memory/2736-10-0x00000000034C0000-0x00000000034CC000-memory.dmp

Filesize
48KB

Download
memory/2736-11-0x00000000034D0000-0x00000000034DC000-memory.dmp

Filesize
48KB

Download
memory/2736-4-0x00000000034E0000-0x0000000003530000-memory.dmp

Filesize
320KB

Download
memory/2736-7-0x0000000001B60000-0x0000000001B68000-memory.dmp

Filesize
32KB

Download
memory/2736-8-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/2736-6-0x0000000003490000-0x00000000034A6000-memory.dmp

Filesize
88KB

Download
memory/2736-5-0x00000000018D0000-0x00000000018E0000-memory.dmp

Filesize
64KB

Download
memory/2736-3-0x0000000001B40000-0x0000000001B5C000-memory.dmp

Filesize
112KB

Download
memory/2760-310-0x0000016BD5360000-0x0000016BD5382000-memory.dmp

Filesize
136KB

Download
memory/3168-479-0x0000000000110000-0x00000000002B2000-memory.dmp

Filesize
1.6MB

Download